This is the version history for Sawmill 6.
Bugs fixed in version 6.5.11:
-
Fixed a bug which could cause some log entries to be ignored when DNS lookup was turned on.
-
Fixed a bug with Symantec Gateway Security log format.
-
Fixed a bug which could cause a crash while processing corrupt ZIP or gzip files
with an FTP log source.
-
Fixed a crash bug which could occur at end of log processing.
-
Fixed a bug where expired days did not become unlinked in the Calendar.
-
Fixed Sidewinder Syslog format to support single-digit days.
-
Fixed some small problems with Firewall-1 (fw logexport export) Log Format,
which resulted in some web-server-style wordings in the statistics.
-
Fixed Safari IP-cookie warning message,
which is no longer needed for Safari 1.2.2 and later because
Apple fixed the bug. Yay, Apple! Warning message still appears when using
Safari 1.2.1 and earlier, which have the IP cookie bug.
-
Fixed a bug where certain database builds/updates would result in a DOS window temporarily
popping up on Windows.
-
Fixed bug where CSV header parsing would split the last field name if it contained whitespace.
New features in 6.5.11:
-
Added support for Interscan Messaging Security Suite Virus Log Format.
-
Added support for "Squid (with Referrer and Agent) Log Format (Syslog Required)" log format.
-
Added support for Netgear FVS318 log format.
-
Added support for Oracle Failed Login Attempts Log Format.
-
Added support for EmailCatcher log format.
-
Added support for BEA WebLogic log format.
-
Added support for Ethereal log format.
-
Added support for a variant of Postfix log format.
-
Added support for ClamAV log format.
-
Added support for Symantec AntiVirus Corporate Edition (VHIST Exporter) log format.
-
Improved "GFI Attachment & Content Log Format".
-
Added support for IPEnforcer log format.
-
Added support for NetGear DG834G Log Format.
-
Improved autodetection of Declude SPAM log format.
-
Modified Interscan Security Suite log format to accommodate a variant.
-
Improved support for Watchguard SOHO Log Format.
-
Fixed bug where CSV output was misformatted when URLs contained newline characters.
-
Added detection of X-Forwarded-Host; it is now used as cookie domain when present.
-
Improved Merak SMTP Log Format to autodetect in more cases and to track geographic
information.
-
Added support for Symantec Gateway Security 5400 log format.
-
Improved Postfix log format to report usernames of authenticated SMTP users.
-
Added support for Watchguard Firebox Export Log Format.
-
Improved ServUFTP so it correctly reads the Error lines with partial bytes.
-
Added support for Cisco Router Log Format (no syslog).
-
Added support for GFI Spam Log Format.
-
Improved auto date format to handle three-letter months.
-
Added support for Proxy-Pro GateKeeper Log Format.
-
Added support for Active PDF Log Format.
-
Added support for MailSweeper 24 Hour Log Format.
-
Added support for Servers Alive Statistics log format.
-
Added support for Anti-Spam SMTP Proxy (ASSP) Log Format.
-
Added support for Ironmail AV Log Format (Sophos).
-
Added support for mmm/dd/yy date format.
-
Improved Postfix log format to track "from" and "to" domains.
-
Enhanced Cisco VPN Concentrator log format to report disconnection reasons.
-
Added support for IronPort Log Format.
-
Improved LinkSys Router Log Format to handle a different date format.
Bugs fixed in version 6.5.10:
-
Fixed a bug where log filters could be doubled in newly-created configurations.
-
Fixed Common Referrer log format so it handles empty referrers properly.
-
Fixed bug where URL was not redisplayed properly when using HTTP log source.
-
Added support for Snare log format.
-
Fixed a bug where entry/exit pages sort did not work properly.
-
Fixed a bug where authenticated users were not tracked correctly in WS_FTP Log Format.
-
Fixed a problem where NetCache NetApp 5.5 Log Format did not handle x-localtime fields correctly.
-
Fixed a bug where log formats which used the carryover feature would not report hours of day properly in some cases.
-
Fixed a bug where durations were formatted in CSV export, instead of appearing as simple seconds.
-
Changed internal name of localtime field to date/time to prevent conflict in W3C logs where both localtime and #Date exist.
-
Fixed a DNS lookup bug which could cause crashes or odd errors.
New features in 6.5.10:
-
Added support for GMS POP Log Format.
-
Added support for Merak Mail Server Control Log Format.
-
Added export_pathname option to specify pathname of file for CSV export.
-
Added support for "Symantec Gateway Security 5400" format.
-
Added support for "Vamsoft Open Relay Filter Enterprise Edition Log Format".
-
Added support for Aladdin eSafe Sessions Log Format.
-
Added support for Fortinet Log Format (syslog required).
-
Enhanced "Windows 2000/XP Event Log Format (export list-CSV) ddmmyyyy" to handle AM/PM times.
-
Added a version of Unix Syslog format which extracts date from m-d-yyyy.log filename,
working around the problem caused by lack of year information in Unix Syslog.
-
Added support for Apache/NCSA Common Agent Log Format.
-
Enhanced Common Proxy Log Format to use GeoIP to compute countries/regions/cities of
source IPs.
-
Added support for Amavis Log Format.
-
Added country/region/city tracking for NetScreen Traffic Log Format.
-
Added support for Watchguard WELF Log Format.
-
Added support for FortiGate Space Separated Log Format.
-
Added support for Netgear Security Log Format (logging to syslog).
-
Added support for Netilla Log Format.
-
Added support for FortiGate Traffic Log Format.
-
Fixed a bug with expanding/collapsing subviews in non-English installations.
-
Added support for WebNibbler log format.
-
Added support for Eventlog to Syslog Format.
-
Added support for Packet Dynamics Log Format.
-
Added geographic country/region/city reporting of source IPs for Cisco PIX/IOS log format.
-
Added support for Nagios Log Format.
-
Added support for Bind 9 Query Log Format (without timestamp).
-
Improved Postfix support to report Vexira virus scanning lines.
-
Improved support for Bind 9 Query Log Format (with timestamp) to report
day of week and hour of day.
-
Added support for IPCop Syslog.
-
Added support for NetCache NetApp 5.5 Log Format.
-
Added support for Trend Micro ScanMail For Exchange Log Format.
-
Added support for NetApp Filers Audit Log Format.
-
Added support for Symantec Enterprise Firewall 8 Log Format.
-
Added support for Message Sniffer Log Format.
-
Improved LogSat SpamFilterISP Log Format to report Bayesian filter lines.
-
Enhanced LISTSERV format to support single-digit dates.
-
Added support for a slight variant of NetCache NetApp Log Format.
-
Improved auto date format to allow only reasonable values for year, month, and day.
Bugs fixed in version 6.5.9:
-
Improved detection of corrupt TAI64N date/times.
-
Fixed a bug where if an Apache or Blue Coat format string contained characters which were also regular expression operators (like |), all log entries would be rejected.
-
Fixed a bug where if a timestamp field was used in W3C logs, and a
#Date line was also present, date/time information was not reported
properly.
-
Fixed Blue Coat W3C format to support explicitly listed URL fields in
the log data (it no longer attempts to build the URL from pieces if
it's there in the log data).
-
Fixed a bug where corrupt compressed log data would halt all log
processing, instead of just skipping the corrupt file.
-
Fixed a bug where CSV export of a multi-table view like Single-page
summary would incorrectly add a comma to the beginning of most of the
header rows.
-
Fixed a bug where Sawmill would try to create a file called last_format_line.txt at the root of the disk, sometimes resulting in a permission error.
-
Fixed a bug which could cause a crash in some cases while processing
complex log formats with DNS lookup turned on.
-
Fixed a bug where quotes in field values were not escaped properly when running commands.
-
Fixed a bug where using # characters in some cases (like field names)
would cause errors when viewing statistics.
-
Fixed a bug where using the filter: format for expiring database data would cause the remaining data to be tripled.
New features in 6.5.9:
-
Enhanced LogSat SpamFilterISP Log Format to handle a slight variant.
-
Enhanced Lucent Brick format to extract data from 144-code lines.
-
Improved iPlanet Messaging Server 5 MTA Log Format to support a slight variant.
-
Fixed a performance issue which could result in significant periodic
slowdowns while processing datasets with very large numbers of unique
values for multiple fields.
-
Improved support for Zone Alarm Log Format, to handle an alternate date format.
-
Added support for Syslog NG Log Format, including full message tracking.
-
Added support for Passlogd syslog format, including full message tracking.
-
Added support for Unix Syslog full message tracking.
-
Added support for InfiNet Log Format.
-
Added support for MailEnable Log Format.
-
Improved Novell NetMail to report on antivirus and antispam logging.
-
Added support for Sendmail NT Log Format.
-
Added support for Array 500 Combined Log Format.
-
Added support for MTS Professional Log Format.
-
Improved tcpdump log format to support resolved IPs.
-
Added support for Servers Alive log format.
-
Added support for GW Guardian Spam Log Format.
-
Added auto-detection of Domino Access log format.
-
Added support for Foundry BigIronII Log Format.
-
Added support for Microsoft ISA Server Packet Logs.
-
Added support for GW Guardian Antivirus Log Format.
-
Added support for Watchguard WSEP Text Exports Log Format (Firebox II & III & X).
-
Enhanced d/m/yyyy date format to allow arbitrary dividers.
-
Added support for Cyberguard WELF Log Format.
-
Enhanced Bulletproof FTP log formats to track uploads.
-
Improved NetScreen log format to handle any ordering of fields in log data.
-
Added support for a variant of Microsoft Exchange Internet Mail Log Format.
Bugs fixed in version 6.5.8:
-
Fixed a bug which could cause a crash in session calculations if all sessions were filtered out.
-
Fixed a problem with MailSweeper Log Format which could cause all log entries to be rejected.
-
Fixed N2H2 / Novell Border Manager Log Format to support single-digit days.
-
Fixed a bug where if the log data contained "format" comments (like W3C or WebSTAR),
then during a database update, the first data seen would be processed with default
format rather than honoring the preceding format line, possibly resulting in
all the data being rejected or mis-categorized.
-
Fixed a bug where sorting some session views alphabetically could cause
a crash.
-
Fixed a bug where some types of sort were not available in the
Session Pages view.
-
Fixed a bug where if there was only one page view in the session
information, the Session Pages and Session Visitors views would be
empty.
-
Fixed a bug where if the Licensing page was cached, and the 30-day
trial button was clicked each time the page appeared, a 30-day trial
would run out in two sessions (possibly less than 1 day).
-
Fixed a problem with WebSTAR analysis where if both URL and CS-URI were present in the same log, URLs would only be shown two levels deep.
-
[by request]
Fixed a bug in Unix Syslog which could cause it to reject entries from certain variants.
-
[by request]
Fixed a bug where if the running server URL didn't have a slash after the hostname,
it would not be used to create full URL.
New features in 6.5.8:
-
Added support for Winproxy 5.1 Log Format (yyyy-mm-dd dates).
-
Added support for Astaro Log Format.
-
Added support for PortalXPert Log Format.
-
Added support for FirstClass Server Log Format.
-
Added support for iChain Log Format.
-
Added support for Socks 5 log format.
-
Added support for Windows Event Log Format (dumpel.exe export) Log Format.
-
Improved mm/dd/yyyy:hh:mm:ss format to handle all-lower-case months.
-
[by request]
Added support for Trend ServerProduct CVS Admin Log Format.
-
[by request]
Enhanced Netscreen IDP format to handle a slight variant.
-
[by request]
Added support for Netgear Security Log Format.
-
[by request]
Improved Interscan Messaging Security Suite Log Format to handle a slight variant.
Bugs fixed in version 6.5.7:
-
[by request]
Fixed a bug where the built-in web server did not respond properly to HEAD commands.
-
[by request]
Fixed a bug where date/time fields were not handled properly in some formats,
including Squid with epoch timestamp, resulting in all log entries being rejected.
-
[by request]
Fixed a bug in the mmmmm/dd/yyyy date format which caused some dates to be ignored.
-
[by request]
Fixed a bug where view URLs of the format rfcf+configname+cm+vs did not trigger
an auto-update-on-view.
New features in 6.5.7:
-
[by request]
Fixed Netscape Directory Server to handle positive time zone offsets.
Removed the default renaming of "method" to "operation", which could cause
problems in log formats which had both.
-
[by request]
Added support for Symantec Enterprise Firewall log format.
-
[by request]
Improved Unix Syslog format to handle a couple small variants.
-
[by request]
Improved PIX Firewall format to support a slight variant.
-
[by request]
Enhanced Cisco VPN Concentrator format to handle formats with
data split across multiple lines.
-
[by request]
Added support for Cisco Access Control Server log format.
-
[by request]
Improved Microsoft Media Server Log Format to handle a slight variant.
-
[by request]
Added support for NVDcms log format.
-
[by request]
Added support for Firewall-1 Log Viewer 4.1 Export Log Format.
-
[by request]
Improved "alphabetical" table sort to ignore leading whitespace.
Bugs fixed in version 6.5.6:
-
[by request]
Fixed support for WebSTAR log formats-- search engines and search phrases
were not being properly reported.
-
[by request]
Fixed a bug where submitting some forms (in particular the "Make This Data Available" button)
could generate a strange error with some browsers.
-
[by request]
Fixed a serious bug where the "update" and "rebuild" links (and auto-update-when-older-than)
did not work in CGI mode,
and clicking them could cause an arbitrary number of processes to be created, possibly
overloading the system where Sawmill was installed.
-
[by request]
Fixed a bug where for certain log formats (including Eudora Internet Mail Server),
Sawmill would get confused about the date format, and would reject valid log entries.
-
[by request]
Fixed a bug where the pie chart legend for the last row in the table was sometimes
gray when it should have been colored.
-
[by request]
Fixed a bug where Sawmill could use too much memory, and generate strange errors,
when DNS was turned on in some cases.
-
[by request]
Fixed a bug where progress information was not displayed for background database builds, like those
started from the "update" and "rebuild" links in the statistics.
-
[by request]
Fixed a bug where adding an extra "filter" option after view+config
in the URL did not apply the filter properly.
New features in 6.5.6:
-
[by request]
Improved Postfix log format to handle a variant.
-
[by request]
Improved Cisco Router log format to extract more information from the messages.
-
[by request]
Added support for Minirsyslogd log format.
-
[by request]
Improved Cisco Router format to handle a slight variant.
-
[by request]
Added support for WebSEAL Error Log Format.
Bugs fixed in version 6.5.5:
-
[by request]
Fixed a bug where if session memory was exceeded in the Paths Through A Page view,
no error would be generated.
-
[by request]
Improved/fixed active FTP transfers so they choose the client connection port
in a way that ensures it isn't still "lingering" from the last time; this
eliminates a bug which could happen on some systems, where an attempt to rebuild
or update immediately after a previous build/update would fail with an FTP error.
-
[by request]
Fixed a bug in ISC DHCP Log Format which could cause an error when creating a configuration.
-
[by request]
Fixed a bug where expiration expired the highest-numbered day in the
database (usually the last day) even when it shouldn't, in some cases.
-
[by request]
Fixed a bug where turning on DNS lookup
-
[by request]
Fixed a bug in the Microsoft Media Server log format plug-in which
caused the number of visitors to always be 1.
-
[by request]
Fixed a bug which could cause crashes when resolving IP addresses.
-
[by request]
Fixed Squid (syslog required) log format to handle usernames and mime types properly.
New features in 6.5.5:
-
[by request]
Added support for "Microsoft ICF Log Format" log format.
-
[by request]
Added support for Zyxel Firewall WELF format.
-
[by request]
Added support for BroadVisionError log format.
-
[by request]
Added support for Cisco NetFlow log format.
-
[by request]
Added support for ISC DHCP log format.
-
[by request]
Improved "iPlanet Messaging Server 5 MTA Log Format" to handle a slight variant.
-
[by request]
Renamed the "time spent per page" view to "session pages", and added a column showing
the number of sessions that visited each page; also, changed the page views column
to be visible by default (it used to be off by default, available as an Option).
-
[by request]
Added support for Norton Personal Firewall 2003 Connection Log Format.
-
[by request]
Improved FTP progress indicator to show which file is being downloaded.
-
[by request]
Fixed a bug where if a field value in the log data was a single double-quote ("), it could
cause a crash while processing the log data.
-
[by request]
Locked down browse_only mode a little more by eliminating the options to rebuild/update
a database from the statistics, even when logged in as administrator.
-
[by request]
Added support for Symantec AntiVirus Corporate Edition 8.0 Log Format.
-
[by request]
Added support for NetKey Log Format.
-
[by request]
Added support for Cisco Border Manager Log Format.
-
[by request]
Added support for Unicomp Guinevere Virus Log Format.
-
[by request]
Improved table toolbar to dim the "10 rows" button if there are less than 10 rows.
-
[by request]
Added support for Firewall-1 (fw log -ftn export) Log Format.
Bugs fixed in version 6.5.4:
-
[by request]
Fixed a bug where when both FTP and DNS were being used,
they could step on each other's sockets, causing networking errors.
-
[by request]
Fixed a bug where database expiration did not work at all in some cases,
adding data to the database instead of removing it.
-
[by request]
Fixed a bug which could cause a crash if the last character of a configuration
file was a #.
-
[by request]
Fixed IAS log format to work properly with the new allow_spaces_in_listed_field_values option.
-
[by request]
Fixed view and subview editing so the "incremental" checkbox was used and
saved properly.
-
[by request]
Fixed a bug where if an item contained an asterisk (*), and it was used in
a statistics filter, it would cause an error.
-
[by request]
Fixed a bug where referrer, referrer description, search engine, and search phrase fields
were not automatically added to the database when a referrer field was present in W3C log
data (and other data with a field header).
-
[by request]
Improved Helix Universal log format to handle negative GMT offsets and spaces in URLs.
-
[by request]
Fixed a bug where if there was no maximum session duration for a configuration (which is rare)
then the last session in the data would be ignored.
-
[by request]
Fixed a bug where if the default configuration had been modified to turn on
visitor tracking by default, and a W3C log (or other log with field headers)
was being analyzed, then an error would occur ("multiple visitor id fields").
-
[by request]
Fixed a bug where if field values contained pointy brackets (greater than or less than signs),
quotes, or certain other characters, the generated HTML statistics could be displayed incorrectly
in some browsers.
-
[by request]
Fixed a bug where some older IIS configurations did not trigger the 6.4-to-6.5
converter, and therefore showed only 1 visitor in the statistics.
-
[by request]
Improved instant messaging formats so they don't show screen info or worm fields, which are
meaningless for those formats.
-
[by request]
Fixed (again) a bug where Blue Coat IM format did not report sessions properly.
-
[by request]
Fixed a bug where session tracking was not enabled properly unless visitor tracking
was also turned on.
-
[by request]
Fixed a bug where the "rebuild" link in the statistics actually updated the database, rather than rebuilding it.
-
[by request]
Fixed a bug in SonicWall5 log format plugin which caused an error without reading logfile
translated properly.
-
[by request]
Fixed a bug where certain log filter values were English and were not
translated properly.
-
[by request]
Fixed a bug where the Instructions were missing from many of the views.
-
[by request]
Fixed a bug where all individual IP numbers appeared as part of the hostname
hierarchy, under the "IP Numbers" item, when omit_ip_numbers_from_host_hierarchy
was true. Now, it correctly shows the IP Numbers item, but with no subitems--
IPs are omitted as they should be.
New features in 6.5.4:
-
[by request]
Improved Interscan Proxy Log Format log format to handle a slight difference.
-
[by request]
Added support for Critical Path Mail Server log format.
-
[by request]
Added support for BroadVision Observation log format.
-
[by request]
Added username tracking to Blue Coat RealMedia log format.
-
[by request]
Added support for Novell NetMail Log Format.
-
[by request]
Improved iMail to track source and destination emails by domain.
-
[by request]
Added support for N2H2 Sentian Log Format.
-
[by request]
Added a feature to automatically open or view the single configuration in the list,
if there is only one, when Open Configuration or View Statistics is clicked
in the Administrative Menu.
-
[by request]
Added support for iPlanet Messaging Server 5 MTA Log Format.
-
[by request]
Improved Blue Coat Custom log format so it includes information about all
log fields in the database, not just those known by the log format plug-in.
-
[by request]
Added support for Ascend Log Format.
-
[by request]
Added support for Siteminder WebAgent log format.
-
[by request]
Added support for Windows 2000 event log CVS export log format,
Windows 2000 event log "Save" log format,
and Windows NT event log CVS export log format.
-
[by request]
Added support for x-localtime field in W3C logs.
-
[by request]
Added support for FortiGate log format.
-
[by request]
Improved Blue Coat IM log format in several ways, to report better who messages are sent from and to,
and to eliminate some meaningless reports (including worms).
-
[by request]
Added support for uw-imap log format.
-
[by request]
Added support for Tellique log format.
-
[by request]
Added support for XMail SMTP log format.
-
[by request]
Improved the built-in HTTP/1.1 server to handle the "100 Continue" message in a way more in line with the
latest HTTP/1.1 specification (it now honors the "Expect: 100-continue" request from HTTP clients). This
*may* eliminate some issues where pages were not loading properly, and should in general improve compatibility
with modern web browsers.
-
[by request]
Added support for Tivoli Storage Manager TDP for SQL Server log format.
-
[by request]
Added support for WallWatcher log format.
-
[by request]
Added support for Cisco SCA log format.
-
[by request]
Fixed several problems with Netscreen IDP log format, which prevented it from
being analyzed properly in most cases.
-
[by request]
Added support for NetForensics Syslog Format.
-
[by request]
Fixed a bug where background updates (like the one generated by clicking "update" in the statistics) would display output and progress information on the command line.
-
[by request]
Fixed a bug where errors during background updates (like the one generated by clicking
"update" in the statistics) were not reported properly.
-
[by request]
Added support for Cognos Powerplay Enterprise Server log format.
-
[by request]
Added support for EzProxy log format.
Bugs fixed in version 6.5.3:
-
[by request]
Fixed a bug where IM sessions were not reported properly.
-
[by request]
Fixed a bug where Sawmill could crash when running out of memory.
-
[by request]
Fixed a problem with SonicWall format which could result in some fields being mis-reported.
-
[by request]
Improved/fixed the automatic creation of database fields for log formats like W3C
and WebSTAR (formats which use field headers) to work in more cases,
and to handle cases where multiple fields of the same type exist.
-
[by request]
Fixed a bug where when tallying hits on complete IPs, Sawmill would
treat each octet in the IP as a character (using its ASCII code), and would
compare them case-insensitively, with the result that IPs like 123.124.125.71
and 123.124.125.103 were treated as equal (because 71 is ASCII for G, and
103 is ASCII for g), and all hits from either IP would be grouped under one of the two IPs,
but would not be reported separately.
-
[by request]
Fixed a bug in Squid (syslog required) log format which prevented the last few fields
in the line from being extracted properly.
-
[by request]
Fixed a bug in IIS SMTP W3C log format where sessions information was apparently (incorrectly) available.
-
[by request]
Fixed ISA W3C log format, which was generating errors about duplicate fields.
-
[by request]
Fixed a bug in Websweeper log format which caused it to generate an error when processing log data.
-
[by request]
Fixed a bug where the "rekey" operation (used to parse certain complex log formats)
was not working properly when the key contained uppercase letters.
-
[by request]
Fixed a bug where the 404s view did not appear for W3C log data.
-
[by request]
Improved the 6.4-to-6.5 configuration converter to work properly with more
W3C configurations.
-
[by request]
Changed automated updates and updates generated by the "update" and "rebuild"
links so they run as separate processes, rather than running two tasks
(the update and then the view) in a single process. This reduces the chance
of memory conflicts between the two tasks, eliminating some sources of database
corruption.
-
[by request]
Fixed bug where the "View to send by email" menu only showed visible views.
-
[by request]
Fixed a bug where the "incremental HTML generation" feature did not correctly
determine when data needed to be regenerated.
New features in 6.5.3:
-
[by request]
Added allow_spaces_in_listed_field_values option, which allows there to be spaces
in name=value pairs in log data.
-
[by request]
Improved/fixed SonicWall Alternative Log Format to handle tabs as well as spaces,
and other small improvements.
-
[by request]
Added support for NetGear FR328S Log Format.
-
[by request]
Added support for bpft4 format.
-
[by request]
Improved Quicktime Streaming Server log format support to automatically set
up database fields and views.
-
[by request]
Improved Snort log format to categorize the "rule" field in English.
-
[by request]
Added support for Snort 2 log format.
-
[by request]
Added support for MailSweeper (long) Log Format.
-
[by request]
Added support for "active" mode FTP transfers (previously, Sawmill supported only passive),
and made that the default, and added an option to choose which to use. This should
solve an increasingly frequent problem where some firewalls or routers were blocking passive FTP
transfers (but allowing active).
-
[by request]
Added support for IIS SMTP Common log format.
-
[by request]
Added support for SmoothWall log format.
-
[by request]
Improved Postfix log format plug-in to handle Postfix 1.x logs.
-
[by request]
Added support for SimpleDNS log format.
-
[by request]
Enhanced the expiration feature so that any date/time filter set can be used
to expire data (not just "older than X"). This makes it possible to remove
sections of data that are corrupt, and re-add them.
-
[by request]
Added a process_previously_seen_data option which forces all data in the log
source to be added on update, even if it has been seen before. This can be used
together with the enhanced expiration feature to, for instance, remove a month
of corrupt data from a long-term database, and add it back in easily.
Bugs fixed in version 6.5.2:
-
[by request]
Fixed a bug where the Start Over link was broken in generated HTML files.
-
[by request]
Fixed a bug where W3C log field names were not properly converted when
using a 6.4 configuration with 6.5.
-
[by request]
Fixed a bug where clicking a hostname which had no page views, and then
switching to the session information, would cause an internal error.
-
[by request]
Added support for POP tracking in MailerDaemon log format; added categorization
of sessions into POP, IMAP, and SMTP.
-
[by request]
Fixed a bug where Sawmill would try to create the logo.gif file in the installation
directory, resulting in a "Can't create file logo.gif" error in CGI mode if the CGI
directory was read-only.
-
[by request]
Fixed a bug where if the selected date range was entirely outside the
range of data in the database, the Overview (and possibly other views)
would display strange results, or show an Internal Error.
-
[by request]
Fixed a bug which could cause a crash while creating a configuration
for certain circumstances (including IIS logs).
-
[by request]
Fixed a bug which could cause crashes while processing log data, especially
if DNS lookup was turned on.
-
[by request]
Fixed the error message you get when you try to use a 6.4 license with 6.5;
previous versions would report an expired license with a very old year.
-
[by request]
Fixed a bug where the -laid option did not work when running in web server
mode from the command line.
-
[by request]
Fixed a bug where compound filters selected by checking multiple boxes in the
Filter Editor did not work properly.
-
[by request]
Fixed a bug where clicking a "sort column header" link in a multi-subview view
(like Single-page summary) did not work properly.
-
[by request]
Fixed a bug where clicking the "sort column header" link in the session visitors
view could cause a crash.
-
[by request]
Fixed bug where alphabetical sort was not available in the Session visitors view.
-
[by request]
Fixed Lucent Brick log format, which was extracting fields incorrectly.
New features in 6.5.2:
-
[by request]
Enhanced Declude Virus log format support to handle a slight variant.
-
[by request]
Improved the "Session visitors" view to include a "sessions" column showing
how many sessions each visitor contributed.
-
[by request]
Added support for MailScanner Log Format (testfase) format.
-
[by request]
Enhanced IAS log format to support 5000-class error codes; added
ip:source-ip, ip:source-port, ip:destination-ip, and ip:destination-port
to the default fields list.
-
[by request]
Added support for Intermapper Outages log format.
-
[by request]
Added a new "auto" time format (for log format creation), which automatically
handles most standard time formats.
-
[by request]
Improved Apache Custom log format to create database fields automatically
(like W3C) based on the log fields; this allows easy analysis of unknown
(custom) fields in Apache Custom log files.
-
[by request]
Added support for Netscreen IDP log format.
-
[by request]
Fixed ISA W3C log format, which was not naming fields correctly under the new
auto-W3C-setup feature.
-
[by request]
Added support for Stonegate log format.
Bugs fixed in version 6.5.1:
-
[by request]
Improved/fixed DNS queries to ask for only PTR responses; this improves the number
of successful DNS queries.
-
[by request]
Fixed a bug where if there were multiple subviews in a view, and one of the
subviews did not have a matching single-subview view elsewhere, then the
items in that subview would not be linked.
-
[by request]
Fixed a bug where certain DNS queries (those with two answers, where the first wasn't
a PTR or A) would be seen as failed lookups, even if they weren't.
-
[by request]
Fixed a bug where clicking "remove" in the Filter Editor would take you back
to the statistics without removing the Filter.
-
[by request]
Fixed a bug where the Date header in the HTTP response would be garbled in
certain cases (including certain Italian versions of Windows XP).
-
[by request]
Fixed a bug on Tru64 UNIX where builds could terminate with a divide-by-zero error.
-
[by request]
Fixed a bug where the "Day by day" checkbox did not properly add date/time
cross-reference with IIS W3C log format.
-
[by request]
Fixed a bug where screen depth/size info was not tracked properly for IIS W3C logs.
-
[by request]
Fixed a bug where FTP log sources would fail, generating "errors" that were just
normal FTP server responses, when the server was using multi-line responses.
-
[by request]
Fixed a bug where the shortcut was wrong for the new "remove_reloads_from_sessions" option,
resulting in documentation errors and other problems.
New features in 6.5.1:
-
[by request]
Updated GeoIP database to version 352. This will cause a new GeoIP database
download (14 Meg) the first time a database is built with this new version.
-
[by request]
Added support for Privoxy Log Format.
-
[by request]
Improved country/region/city reporting so it omits "unknown" regions, which
are often associated with large metro regions.
-
[by request]
Limited the number of items displayed in the "Edit Filter" page to 1000,
to keep it from being too slow. If more than 1000 items are available, it will
display a button that shows them all.
-
[by request]
Added a warning message to the login page when Sawmill detects the Safari web browser
is being used with an IP URL-- Safari contains a bug which prevents login information
from being saved properly in this case.
-
[by request]
Improved DNS caching so it saves failed lookups in the memory cache, but
doesn't save failed lookups in the disk cache--
this allows Sawmill to keep trying to look up failed IPs once per build
without slowing things down by trying to do it on every line where they occur.
-
[by request]
Added support for Vidius Combined Log Format.
Bugs fixed in version 6.5.0:
-
[by request]
Fixed bug where clicking Back after editing a particular statistics filter,
and then clicking Apply Filters, would re-edit the filter.
-
[by request]
Fixed a bug where custom hierarchical fields were grouped incorrectly in some cases.
-
[by request]
Fixed bug where Snort format did not work with certain syslogs.
-
[by request]
Fixed bug where GNATbox syslog was not always detected properly.
-
[by request]
Fixed a bug where Webtrends Extended log format conflicted with Kiwi log format
over who got to track the "priority" field, resulting in an error when they both
tried to.
-
[by request]
Fixed bug where country/region/city information would sometimes be garbled.
-
[by request]
Fixed a problem with the date getting corrupt in the accept_carryover scenario.
-
[by request]
Fixed a bug where, with certain log formats (including iMail), when Sawmill
accepted the "orphan" log entries that had never been accepted before,
it would not run the Log Filters on them, resulting in log entries appearing
in the database which violated the Log Filters rules.
-
[by request]
Fixed a parsing problem in Unix Sendmail log format.
-
[by request]
Fixed a bug where statistics filtering did not work properly in some cases if filters
were applied simultaneously to two or more fields.
-
[by request]
Fixed a bug where "week" links in the Calendar did not work properly.
-
[by request]
Fixed a bug where if there was no date/time database field, all log entries would
be rejected.
-
[by request]
Fixed a bug in Microsoft Exchange 2000 log format to accept only if message processing ends.
-
[by request]
Fixed a bug where senders were not reported in McAfee WebShield log format.
-
[by request]
Fixed a bug where the Sort menu of the "Session visitors" view did not contain
an option to sort by duration, and did contain a few options that did not make sense.
-
[by request]
Fixed a bug where CGI mode did not return pages on Windows.
-
[by request]
Fixed a bug where applying a session filter, and then removing non-session filters,
could generate an error about "unknown session ID".
-
[by request]
Fixed a bug where in some cases, session information would not be tracked,
even when it was enabled in the configuration.
-
[by request]
Fixed a bug which could cause crashes while analyzing some log data with the
GeoIP database.
-
[by request]
Fixed a bug where items would disappear from the Task List after 10 minutes.
-
[by request]
Fixed a bug where filter values containing commas could cause errors.
-
[by request]
Fixed a bug where the 95th percentile calculation could crash if there was
just one data point in the graph.
-
[by request]
Fixed bug where attempting to sort the "Individual sessions" view chronologically
would generate an "internal error".
-
[by request]
Fixed a bug where the "session visitors" table in the Single-page summary
was actually a time-spent-per-page table.
-
[by request]
Improved and fixed Netscape format support so it sets up database and log fields intelligently
(and correctly!).
-
[by request]
Fixed detection of Generic CSV format.
Fixed detection of date and time fields in Generic CSV format.
-
[by request]
Fixed a bug where Sawmill would incorrectly detect the IP address on MacOS X
in some cases.
-
[by request]
Fixed a bug where Sawmill would skip some lines (those with + in the time)
in Lucent Brick log format.
-
[by request]
Fixed a bug which could cause a crash while regenerating HTML files.
New features in 6.5.0:
-
[by request]
NOTE: This list includes all changes since 6.4, including the changes from each 6.5 beta version.
Many of the bugs listed here may be intra-beta changes; e.g. they may have been introduced in one
beta version and fixed in a later one, rather than being bugs in the 6.4 branch.
-
[by request]
Version 6.5 uses new licenses. You will need to get a 6.5 format license to use this
(or use a 30-day trial license).
Contact ferrar@flowerfire.com to upgrade your license from 6.4 or earlier.
-
[by request]
Added support for Squid Common format.
-
[by request]
Improved iPlanet Error format to extract hostname, type, and other message information.
-
[by request]
Added support for Cisco IDS Netranger logformat.
-
[by request]
Added support for "Kiwi (mm-dd-yy dates, with type and protocol)" syslog format.
-
[by request]
Added support for GFI Attachment & Content logs.
Added support for GFI Spam logs.
Extended support for IPTraffic log formats.
-
[by request]
Added support for IPTraffic LAN Statistics, and IP Traffic TCP/UDP Services log formats.
Extended support for IPTraffic log formats.
-
[by request]
Added support for decimal seconds on mm/dd/yyyy hh:mm:ss.sss.
-
[by request]
Added support for Win2KPerformance Monitor.
-
[by request]
Extended support of Microsoft Exchange Log to only count messages that are sent, not just queued, and to count multiple recipients.
-
[by request]
Added support for Free Radius Detail Log.
-
[by request]
Improved default_log_date_year option so it uses the current year by default.
-
[by request]
Added support for Lucent Brick log format.
-
[by request]
Added a new log filter type, convert_field_map, which maps specific field values to specific other field values;
i.e. you can remap 1->cat, 2->dog, 3->lemur, etc.
-
[by request]
Added support for Bind 9 Log Format.
-
[by request]
Added support for WebSEAL Authorization (XML) Log Format.
-
[by request]
Added explicit support for WebSTAR W3C Log Format (it was already supported indirectly through the
Generic W3C Web Server Log Format).
-
[by request]
Extended support of CiscoVPNConcentrator logs formats Unix Syslog.
-
[by request]
Added support for IAS Alternate Log Format.
-
[by request]
Added support for mm/dd/yyyy variant of Interscan Proxy Log Format.
-
[by request]
Improved Interscan Proxy plug-ins to report virus activity.
-
[by request]
Added support for Filemaker 3 Log Format.
-
[by request]
Added lock_database_when_in_use option.
-
[by request]
Added support for iPrism Log.
-
[by request]
Added support for NetScreen Traffic Log.
-
[by request]
Added support for Squid log format (syslog required).
-
[by request]
Extended support for Cisco PIX/IOS logformats to collect information from audit lines.
-
[by request]
Added support for Sawmill Task Log format.
-
[by request]
Added support for ISC DHCP log format.
-
[by request]
Improved EIMS SMTP format to track domains/emails hierarchically.
-
[by request]
Improved Cisco VPN Concentrator format to work with a wider variety of syslogs.
-
[by request]
Added support for ipfw log format.
-
[by request]
Added support for Borderware log format.
-
[by request]
Added support for Unix Syslog With Year format.
-
[by request]
Extended Kiwi dd/mm/yyyy format to handle Kiwi UTC dd/mm/yyyy format too.
-
[by request]
Extended support of Communigate Pro logformat.
-
[by request]
Added tracking of regions and cities, using the GeoIP database.
-
[by request]
Created a SidewinderSyslog and a SidewinderFirewall plugin pair to support a SidewinderFirewall format.
-
[by request]
Changed Postfix logformat to accept only on sent messages.
-
[by request]
Extended support of ImageMaker Microtech Media log to handle more variations.
-
[by request]
Extended support of Merak SMTP log.
-
[by request]
Added support for Lyris MailShield log format.
-
[by request]
Added support for Windows Event (Tab Delimited) log format.
-
[by request]
Added support for XMail Spam log format.
-
[by request]
Added support for d/mmm/yyyy as dd/mmm/yyyy.
-
[by request]
Extended support of IPMon format to work as a syslog_required format.
-
[by request]
Extended support for a time format without leading zeroes.
-
[by request]
Added support for WAP Log format.
-
[by request]
Added support for MicroTech Image Maker Media Log format.
-
[by request]
Added support for MicroTech Image Maker Error Log format.
-
[by request]
Added support for eManager Spam Filter Log Format.
-
[by request]
Added support for SonicWall Alternate Log format.
-
[by request]
Added support for Kerio Network Monitor Log format.
-
[by request]
Improved the Postfix log format plug-in to work with arbitrary syslogs.
-
[by request]
Improved Lyris MailShield log format to handle many specific types of messages
(including spam blocking messages).
-
[by request]
Improved Mail Daemon Log Format to handle SMTP lines.
-
[by request]
Changed the "Report It" bug reporter to use HTTP instead of SMTP to send
bug reports-- this works better when reporting bugs through some firewalls.
-
[by request]
Fixed a bug where if a field value contained a comma or semicolon, Filters would not
work properly for that value.
-
[by request]
Improved hh:mm:ss time parser to accept non-colons between the numbers.
This allows Sawmill to handle a Kiwi syslog variant which uses periods.
-
[by request]
Extended support for Netscreen log.
-
[by request]
Improved WUFTP log format to handle a slight variant.
-
[by request]
Added support for Miva Common Access log format.
-
[by request]
Added a new "Rename Configuration" option to the administrative menu, which
changes the name of an existing configuration. Unlike the "Save As" option
in the Configuration Menu, this deletes the original configuration (after
successfully writing the new one), and moves the database over from the old
configuration to the new.
-
[by request]
Added support for RadiusAccounting Log II.
-
[by request]
Improved DNS lookup so it looks up *all* IP addresses, not just those in
the "host" field. Previous version would only look up IP addresses for one
field-- the one whose type was "host" in the Log Fields tab. Sawmill now
looks at all fields when DNS is on, and resolves all IP addresses.
-
[by request]
Extended support of UnixSendmail logs.
-
[by request]
Added support for msg= bandwidth in WELF logs.
-
[by request]
Extended support for Netscreen logs.
-
[by request]
Added support for SyslogYYYYMMDDHHMMSS.
-
[by request]
Added support for SmartMaxSMTP & SmartMaxPOP logformats.
-
[by request]
Added support for Kiwi (mmm/dd dates, hh:hh:ss.mmm UTC times) syslog format.
-
[by request]
Added support for NetScreen Syslog Log Format.
-
[by request]
Added support for Sophos Mail Monitor for SMTP Log Format.
-
[by request]
Added ignore_newlines_after_log_line_regexp option, which makes it possible
to create log format plug-ins that automatically combine certain consecutive lines
into single lines on-the-fly (useful if a KEY field on one line is needed to
parse the next line).
-
[by request]
Added support for WinSyslog log format.
-
[by request]
Added support for Youngzsoft CCProxy log format.
-
[by request]
Added support for Microsoft Exchange Internet Mail Log formats.
-
[by request]
Added support for IIS SMTP Log formats.
-
[by request]
Added a new "Session visitors" view which shows the visitor ids from the session
information, along with the number of page views and total time spent for each.
-
[by request]
Improved export of "Single sessions" view so it exports the clickstream also.
-
[by request]
Improved Interscan Email Viruswall format to report "Forwarded" messages.
-
[by request]
Added support for Seconds since Jan 1 1970 timestamp syslog.
Extended support for Squid syslog required log format.
Extended support for Webtrends syslog required & syslog log formats.
-
[by request]
Improved the layout of the Session Filters description (at the left of the Session
Filters editor).
-
[by request]
Improved table headers so clicking a header name will re-sort the table
by the corresponding field.
-
[by request]
Extended support of Squid Common Log Format.
-
[by request]
Added support for iPrism-rt, iPrismMonitor, Webtrends syslog, Webtrends syslog required log formats.
-
[by request]
Improved Cisco PIX/IOS format to extract IDS error messages better.
-
[by request]
Improved instructions for "top countries/regions/cities" view, and added
a section in the documentation on using the GeoIP database.
-
[by request]
Improved Bind 9 Query log format to handle a slight variant.
-
[by request]
Added support for Firewall1 Next Generation Full logformat.
-
[by request]
Added support for another (brand currently unknown) syslog format.
-
[by request]
Added support for Firewall1 Next Generation General logformat.
-
[by request]
Added support for AladdinEsafeGateway logs.
-
[by request]
Extended support for CiscoVPNConcentrator logs.
-
[by request]
Added support for IIS log with mm/dd/yyyy dates.
-
[by request]
Improved line parser so it strips off linefeed and newline characters at the end
of blank lines; this makes it possible to write parsing filters that identify
blank lines (for instance, to accept on blank lines).
-
[by request]
Improved iPlanet Error Log Format to handle a slight variant.
-
[by request]
Extended Support for EIMSSMTP logformat.
-
[by request]
Improved "Generate HTML Files" so it updates an existing set of HTML files
incrementally. Previous versions of Sawmill would generate all files every
time. Now, Sawmill breaks the files down by date grouping (year/month/week/day),
and only regenerates a group if the number of hits/pageviews/visitors/bytes
has changed since the last generation. This gives the same results as
the previous version, but can be much faster if the changes are small (or if
there are no changes).
-
[by request]
Added support for Helix Universal log format.
-
Fixed a bug where the column headers were links even when the page was an offline page.
-
[by request]
Added support for "Windows Event Log (dumpevt.exe export)" format.
-
[by request]
Added support for "Timestamp (mm dd hh:mm:ss)" syslog format.
-
[by request]
Enhanced Cisco VPN Concentrator format to track "visitors" (unique users)
and "session" information (including individual user sessions and time connected).
-
[by request]
Added support for InterScanViruswall log format.
-
[by request]
Enhanced W3C and CSV "generic" log format plug-in so it builds the list of database fields
from the detected log fields; this allows Sawmill to analyze W3C logs which have
log fields it has never seen before.
-
[by request]
Added support for Websweeper log format.
-
[by request]
Extended Kiwi/ISO syslog format to handle a slight variant.
-
[by request]
Extended support for SnortStandalone.
-
[by request]
Added support for MailSweeper log format.
-
[by request]
Added support for WatchGuard log format (with arbitrary syslog).
-
[by request]
Improved browser identifier to better identify IE, Netscape, Mozilla,
Chimera, Phoenix, Opera, Safari, and other major browsers.
-
[by request]
Added support for Separ URL Filter Log Format.
-
[by request]
Added a command-line documentation blurb which is printed when Sawmill is run
with just --help, -help, -?, and a few other variants.
-
[by request]
Added support for Unicomp Guinevere log format.
-
[by request]
Added support for LSMS Admin log format.
-
[by request]
Added support for Kiwi Cattools Port Stat log format.
-
[by request]
Changed web server mode binding behavior so it binds to 0.0.0.0 when no
server_hostname is specified. Previous versions would bind to the first server
IP, which was sometimes difficult to determine; binding to 0.0.0.0 causes
Sawmill to bind to *all* interfaces, so at least http://127.0.0.1:8987/
(the loopback interface) is guaranteed to work. It still prints the first
IP of the server, as well as it can compute it, but if it gets it wrong,
you can use the actual IP and it will work, without having to reconfigure
Sawmill to tell it what that IP is.
-
[by request]
Added support for Iplanet Messenger Server 5 log format.
-
[by request]
Added support for InterScanSecuritySuite log format.
-
[by request]
Added support for WinProxy Alternate log format.
-
[by request]
Added support for "Generic CSV" log format, which handles all types of CSV
files somewhat intelligently, even if it doesn't know the fields in advance
or what they represent.
-
[by request]
Modified the gnatbox logformats so that they are syslog & syslog required format combinations.
-
[by request]
Extended support for MicrosoftExchange2000.
-
[by request]
Added support for SL4NTDDMMYYYY.
-
[by request]
Improved SonicWall format to track page views and session information,
by building the URL from the proto, dstname, and arg fields.
-
[by request]
Extended UnixSendmail log format to support rejects.
-
[by request]
Improved the Filter Bar display in the statistics to include a dark sidebar
and other ways to bring attention to the fact that Filters are active.
-
[by request]
Added support for Imail7 log format (syslog required).
-
[by request]
Added support for VeritasNetackup log format.
-
[by request]
Added support for Intel NetStructure VPN Gateway log format.
-
[by request]
Added support for Exim log format.
-
[by request]
Improved Bulletproof "sessions" log format to handle multiple download lines.
-
[by request]
Added support for Yamaha RTX log format.
-
[by request]
Added support for SpamAssassin log format.
-
[by request]
Added support for Shorewall log format.
-
[by request]
Added a new "skip most recent file" feature which skips the log file
which has been most recently modified, when processing log data.
This is useful when attempting to optimize log processing performance by skipping
previously-seen files by filename-- in IIS and other situations, we don't want to process (and later skip)
the most recent file because it's still being built.
-
[by request]
Added support for Arcserve NT Log Format.
-
[by request]
Enhanced the "allow empty log source" option to skip non-existent directories
and files in the log source (files which were there when the build began, but
disappeared during the build), without an error.
-
[by request]
Added support for Bulletproof/G6 FTP format with dd/mm/yyyy dates and 24-hour times.
-
[by request]
Added support for Helix Universal format.
-
[by request]
Improved/fixed support for Microsoft Media Server, to track all fields
automatically.
-
[by request]
Added support for Cisco Access Register log format.
-
[by request]
Improved PIX/IOS format to handle a different line format.
-
[by request]
Added support for Watchguard Firebox Export header format.
-
[by request]
Improved Bulletproof FTP log format to handle a variant where RETR lines
are replaced by "started download" lines. Also improved bandwidth tracking
to handle KB notation.
-
[by request]
Improved Watchguard format to accept multiple spaces between fields.
-
[by request]
Extended NetScreen Traffic Log format to handle either spaces or arrows (->) between some fields.
-
[by request]
Added support for Watchguard SOHO log format.
-
[by request]
Improved NetScreen Traffic Log to handle translated addresses and ports, when present.
-
[by request]
Added support for htdig log format.
-
[by request]
Added support for Windows Event Log Format (ALTools export).
-
[by request]
Added support for PostWorks IMAP format.
-
[by request]
Added support for PostWorks POP3 format.
-
[by request]
Added support for PostWorks SMTP format.
-
[by request]
Improved Merak POP/IMAP format to support USER lines.
-
[by request]
Added support for tcpdump log format with no command-line options.
-
[by request]
Added automatic transfer of "summary" filter value to a "session" visitor id filter
when it seems appropriate. Sawmill now looks through all normal statistics filters
to see if there is any field which is a single filter item, where that item is
a known visitor id value. If there is such a filter, and if there are no session
filters active, the session filters are set to show only sessions for that visitor id.
This provides a simple way to apply visitor id session filters through the view
corresponding to the visitor id field ("Top visitor domains/hosts", "Top users", or
whatever it happens to be for a particular log format).
-
[by request]
Added an omit_database_fields option (intended for use in log format plug-ins)
which allows some log fields to be explicitly omitted from the database fields,
in formats where the log and database fields are automatically generated.
-
[by request]
Added visitor_name option, which makes it possible for the term "visitor"
to change for formats (like proxy servers) where the term "visitor" isn't
appropriate. This option is used when creating log format plug-ins.
-
[by request]
Improved IIS Web log format plug-in to use the new "generic W3C" features,
so its log and database fields are generated automatically.
-
[by request]
Added support for Netscape Extended log format.
-
[by request]
Added support for Firewall1Webtrends logformat.
-
[by request]
Added support for Netwall logformat.
-
[by request]
Tightened autodetect expression for Generic CSV.
-
[by request]
Improved handling of FTP log source where hostname is entered as hostname/path.
-
[by request]
Added a new $notsupported option which removes the entry/exit page views
and other session-page-related views, for formats where there isn't really a
concept of a "page" in the session information.
-
[by request]
Added support for Blue Coat IM log format.
-
[by request]
Added new "session logout regular expression" option, intended for use when
creating a log format plug-in for a format which has session information and
has a "logout" operation in the session information (unlike most web logs, which
have no logout operation, requiring the use of a timeout to determine session endings).
This allows for more accurate tracking of sessions for these types of logs,
including Cisco VPN logs.
-
[by request]
Improved session information by eliminating duplicate sequential page views
in a single session, so reloading a page (or having the browser reload it)
will not result in multiple events in the session displays.
-
[by request]
Improved progress page to show major and minor operations in progress, even
when "Details" is collapsed.
-
[by request]
Improved detection of W3C and other log formats with format headers,
so many more field names are converted to their "human readable" equivalents,
and database fields and views are set up automatically for those fields, even
if the fields are not explicitly mentioned in the log format plug-in.
-
[by request]
Added automatic download of the GeoIP database file when it is first needed.
-
[by request]
Improved the convert_field_map Log Filter type so it can handle maps stored in text files.
-
[by request]
Enhanced country/region/city detection so region is reported by its FIPS name, rather
than its FIPS code.
-
[by request]
Improved WUFTP log format to handle a slight variant.
-
[by request]
Improved Cisco VPN Concentrator log format to handle a variant.
-
[by request]
Added support for Firewall-1 NG formats with any fields (added support for
parsing FW1 NG headers, and building log and database fields lists from them).
-
[by request]
Added support for NetGear log format.
-
[by request]
Improved iPrism (with syslog) log format plug-in to fix several typos and
add support for session information, and support a slight variant.
-
[by request]
Added support for Microsoft ISA CSV format.
-
[by request]
Added support for Bulletproof FTP log format with d/m/yy dates and 24-hour times.
-
[by request]
Added support for WinGate log format with dd/mm/yy dates.
-
[by request]
Added support for iScan log format.
-
[by request]
Added support for y/m/d date format.
-
[by request]
Added support for IIS (yy/mm/dd dates) log format.
-
[by request]
Added support for Ingate Firewall log format.
-
[by request]
Added a new date format, "auto", which attempts to auto-detect the date.
-
[by request]
Improved iptables format to work with any syslog.
-
[by request]
Improved Radius ACT support to use the new auto-date and generic CSV features
(which lets it analyze a wider range of Radius logs, and adds reporting of only
those fields which are actually present in the logs).
-
[by request]
Added support for Bind 9 Query logs with any syslog.
-
[by request]
Added support for Foundry BigIron log format.
-
[by request]
Added support for Riverstone Router log format.
-
[by request]
Improved GeoIP download so if www.sawmill.net can't be resolved, it tries
the IP address, and if the HTTP connection fails, it fails quietly and just
doesn't include GeoIP information in the build.
-
[by request]
Added an option to turn off GeoIP for a configuration, so the GeoIP database
doesn't have to be downloaded.
-
[by request]
Added support for a variant of Lucent Brick format.
-
[by request]
Added support for Snort Standalone log format with mm/dd/yy dates.
Improved Snort standalone formats to extract interface when available.
-
[by request]
Added support for NTsyslog format.
Bugs fixed in version 6.4.8:
-
[by request]
Improved session information so page views tracking "screen information"
does not appear in the session views (e.g. paths through the site).
-
[by request]
Fixed a bug where the DIRECTORY_WORD language module variable was not being
translated properly.
-
[by request]
Fixed a bug where the "server response" field name was not translated properly
for non-English translations, resulting in an error when the Broken Links
view was displayed.
-
[by request]
Fixed a bug where some Solaris versions of Sawmill would display "alarm clock"
errors on the command line.
-
[by request]
Cleaned up statistics HTML slightly to make it more standard-compliant.
-
[by request]
Fixed a bug where emailed views showed up as attachments in Outlook.
-
[by request]
Fixed a bug where if the language module was out of date, and new options had
been added since the previous version, Sawmill would
generate an error while creating a configuration.
-
[by request]
Corrected Blue Coat Squid log format plug-in so it expects fields in the places
where Blue Coat puts them (some fields, including authenticated user, were not
being extracted correctly).
-
[by request]
Fixed a bug where the GUI component of Sawmill (Sawmill6CL.exe on Windows)
did not honor a LogAnalysisInfoDirLoc file, if one was present.
-
[by request]
Fixed a bug where the last session in the session information was not being
properly discarded if its length was over the limit.
-
[by request]
Fixed a bug where ipchains log format would fail to analyze data with a
"regular expression" error.
-
[by request]
Fixed a bug where double-quotes in field values would cause "command line
log filters" to break.
-
[by request]
Fixed a bug where if there was more than one field of type "hostname" defined
in a custom log format string, Sawmill could get confused about which
field was the "real" host field, causing it to structure the host field
incorrectly (for instance, not showing only bottom-level items even if you
had asked for it when the configuration was created).
-
[by request]
Fixed a bug where HTTP log source URLs were not shown properly in the Log Source
tab of the Configuration Options.
-
[by request]
Fixed a bug where certain W3C log formats, including Blue Coat W3C with a
"timestamp" field, would not process properly.
-
[by request]
Fixed a bug which could cause crashes when viewing statistics if there was
no date/time field in the database.
-
[by request]
Added charset customization to emails, using the CONTENT_TYPE_CHARSET language
module variable from the Stats module.
-
[by request]
Fixed a bug where only one 30-day trial was allowed before the "Try Sawmill For
30 Days" button disappeared-- now two trials are allowed.
-
[by request]
Fixed a bug where if visitor ids contained double-quotes, you could get an error
trying to apply a session filter.
New features in 6.4.8:
-
[by request]
Changed default view names so they wouldn't contain a slash (/). Internet Explorer
insists on breaking lines at the slash, which caused some view buttons to span multiple
lines even when there was no need for it.
-
[by request]
Improved dmmmyyyy format to allow a leading space when d is one digit.
-
[by request]
Added a new FILTERS_DESCRIPTION language module variable, which can be used
in the subject of emails to describe the filters.
Bugs fixed in version 6.4.8a:
New features in 6.4.8a:
-
[by request]
Fixed a bug where if you had only an "unlimited" license, you would not be
able to use any configuration because Sawmill would report that you were
licensed for 0 configurations.
Bugs fixed in version 6.4.7:
-
[by request]
Fixed a bug where some HTML tables were closed incorrectly, causing emailed
statistics to render incorrectly in some mail clients.
-
[by request]
Fixed a bug where the installer would not install all components properly on Windows 2003
(and sometimes failed on Windows 2000).
-
[by request]
Fixed a bug where in CGI mode, the licensing page would generate a permission
error if the CGI directory was not writable by Sawmill.
-
[by request]
Fixed a bug where database expiration would sometimes fail, not modifying
the database.
New features in 6.4.7:
-
[by request]
Added a FAQ entry discussing log processing performance, and providing detailed tables
of performance numbers of Athlon and SPARC.
-
[by request]
Improved the configuration script's behavior (in the encrypted source distribution)
in the case that there is no C++ compiler installed on the system.
-
[by request]
Changed the dots in the IP address in a temporary URL to underbars; this works
around an issue where URLScan was being picky about URLs with too many dots.
-
[by request]
Fixed a bug where in CGI mode on Windows, result pages could be truncated.
Bugs fixed in version 6.4.6:
-
[by request]
Fixed a bug where if you rebuilt a database where there was no log data,
and the "allow_empty_log_source" option was true, it would result in a
corrupt database.
-
[by request]
Fixed a bug where the "database structure" page of the Create Configuration
interview was not set from the Default Configuration's Database Structure tab.
-
[by request]
Fixed support for %X directive in Blue Coat log format strings.
New features in 6.4.6:
-
[by request]
Improved LSMTP format to handle logging with job number, event id, and egroup
information.
-
[by request]
Improved LSMTP format to handle a slight variant.
-
[by request]
Improved granularity of the reported bytes-per-second in the processing page,
to show hundredths of a unit.
-
[by request]
Improved the Task List so it shows whether processes are complete
(and turns them grey if they are), and so it shows tasks during
the "safe update copy" stage of database updates, and so it
shows "stalled" next to tasks which may be stalled or terminated.
-
[by request]
Added a new entry to the Database Info window showing which log format is in use.
Bugs fixed in version 6.4.5:
-
[by request]
Fixed a bug where if the configuration file contained a space, export would
fail on Mozilla.
-
[by request]
Fixed bug where custom log format strings with single-quotes (') in them would
cause an error.
-
[by request]
Fixed a bug where the "hostname" field was not being extracted properly
in W3C log formats in non-English installations, resulting in all visitor
counts being 1.
-
[by request]
Fixed a bug where if you logged in to a password-protected config, and then
tried to go to another password-protected config without logging out,
you would get the Administrator login. Now, it shows you the login for
the new config.
-
[by request]
Fixed a bug which could cause crashes while generating the "Paths through a page" view.
-
[by request]
Fixed a bug where the "visitor id" sort did not work properly in the
Individual Session(s) view.
-
[by request]
Fixed a bug where updating a database that had never been built would not
properly build the database (as it should).
-
[by request]
Fixed a bug where if there were multiple date/time fields in Blue Coat Custom log format,
Sawmill would reject all log entries.
-
[by request]
Removed "Export All" link from the clickstream table, since it was redundant--
The clickstream table always shows all rows, so Export Table is the same as
Export All.
-
[by request]
Fixed a bug where exports of the Individual Sessions views could contain
HTML in the CSV table header, if the Start Time or End Time columns were
turned on.
-
[by request]
Fixed a bug where generating the "Top weekdays, avg" view with Filters applied
could generate an Internal Error.
-
[by request]
Fixed a bug where Sawmill would not email a view that was "invisible offline".
-
[by request]
Fixed a bug where if there was a double-quote in the "extra options" in the
Scheduler, everything after the first double-quote would be stripped off.
-
[by request]
Fixed a bug where if an error occurred during a database build, the database
would be left in a state where it looked built to Sawmill (so "View Stats" was
available), but it wasn't actually, so viewing would generate an error about
a critical file being missing from the database.
-
[by request]
Fixed a bug where error messages in bug reports had unreplaced variables
like {QUOTEVAR:PARAM1}.
-
[by request]
Fixed a bug where some of the values in the Sessions Overview would be
random if there were no page views in the dataset.
-
[by request]
Fixed bug where %X support was not working for Blue Coat Custom Log Format.
-
[by request]
Fixed a bug which could cause an Internal Error (or a bunch of them) if
a day_of_week_computed or hour_of_day_computed subview was used, and there
was no day_of_week or hour_of_day database field (which shouldn't be necessary).
New features in 6.4.5:
-
[by request]
Updated CiscoPIXIOS log format
-
[by request]
Improved Options menu in multi-subview views (like Single-page summary) so
it affects all subviews.
-
[by request]
Added detection of Safari browser.
-
[by request]
Improved Individual Sessions export so that if there is only one session
(so the clickstream for that session is exported), the session list itself
is omitted, and only the clickstream table is exported.
-
[by request]
Added a new extra_session_columns option which adds additional columns to the
Individual Sessions clickstream table. This option, together with
specially-formatted Log Filters which append additional field values to the "page" field,
makes it possible to have any number of columns in the clickstream table, for
instance to show the category of the hits, or the country, or anything else.
Bugs fixed in version 6.4.4:
-
[by request]
Fixed a bug where authenticated user information was not being extracted
correctly from Squid logs.
-
[by request]
Fixed a bug which could cause crashes when analyzing certain types of
logs (those parsed with the log_file_format_regular_expression option),
especially on Solaris.
-
[by request]
Fixed a bug where if pie charts were turned on for the entry/exit page views,
Sawmill could crash while generating those views.
-
[by request]
Fixed a bug where %Z fields in Blue Coat Custom logs were not parsed correctly.
-
[by request]
Fixed a bug where if you used a double-quote (") in the Matches field of the
log field editor, it would generate an error.
-
[by request]
Fixed a bug where on some Solaris platforms, Sawmill would terminate
periodically with an "alarm clock" message on the terminal.
-
[by request]
Fixed a bug where "--==LogAnalysis-Boundary-Alternative" would appear at the bottom of some emailed views.
-
[by request]
Fixed a bug which could cause a crash when duplicating a Scheduled Task.
New features in 6.4.4:
-
[by request]
Added support for a "localtime" token in W3C logs.
Bugs fixed in version 6.4.3:
-
[by request]
Fixed a bug where the "Sawmill" logo was tiny in the header of CGI mode administrative pages.
-
[by request]
Fixed a bug where if an item in a table contained a plus (+), clicking it would
generate an error message.
-
[by request]
Fixed a bug where long operations could fail with "Can't rename file" errors.
-
[by request]
Added support for "timestamp" fields in W3C logs.
-
[by request]
Fixed a bug where if there were multiple log sources, Sawmill could get confused
while updating the database, and could re-add some data that it had already added.
-
[by request]
Fixed a bug where if a field value contained a quote, command-line filtering would fail.
-
[by request]
Fixed a bug where the Scheduler cached the names of configuration files,
so deleted configuration files would still be used by the Scheduler,
and newly-created ones would not.
-
[by request]
Fixed a bug where if the last character on a white-space-separated log line
was a quote, Sawmill would include that quote in the value of the final field.
-
[by request]
Fixed a bug where tasks disappeared from the Tasks list after 10 minutes,
even if they were still running.
-
[by request]
Fixed a bug where exported data had semicolons as thousand dividers.
-
[by request]
Fixed a bug where Sawmill could crash when displaying a view with no subviews.
-
[by request]
Fixed a bug where clicking "remove" on a particular filter in the Filter Editor
would not remove that filter.
-
[by request]
Fixed bug where the "Top days" view was not created by default.
-
[by request]
Fixed a bug which could cause a crash on database rebuild, if there was
a page log field but no page database field.
New features in 6.4.3:
-
[by request]
Fixed a bug where 95th percent calculations were randomly incorrect
(and often showed 0).
-
[by request]
Improved Sawmill's compatibility with the Safari beta browser.
-
[by request]
Fixed a bug where command-line CSV exports used "Meg", "Gig", etc. format
for bandwidth, instead of integer byte counts.
-
[by request]
Fixed a bug in the Cisco PIX/IOS plugin which could cause source IPs to
be extracted incorrectly in some cases, from Teardown Local lines.
-
[by request]
Fixed a bug where the authentication command line didn't work on Unix--
it ignored lines past the first one.
-
[by request]
Fixed a rare bug which could cause crashes when sending views by email, when viewing statistics,
when generating HTML files, and in other situations.
-
[by request]
Added detection of Wget as a web browser type (it was already detected as a spider).
-
[by request]
Added information to bug reports showing which mode (CGI or Web Server)
Sawmill is running in.
-
[by request]
Improved the "Hints" Option so it controls whether the paragraphs in the
Overview are displayed.
-
[by request]
Added CONTENT_LANGUAGE and CONTENT_TYPE_CHARSET variables to the language module,
which are used in the HTTP headers to set the charset and Content-language.
These are needed when generating statistics in some languages.
-
[by request]
Improved WU-FTP log format to handle a slight variant.
-
[by request]
Added sub_view_header and sub_view_footer options that can be used to add custom
HTML above and below each subview.
Bugs fixed in version 6.4.2:
-
[by request]
Fixed a bug in the Configuration Editor which could generate invalid HTML,
causing problems with some browsers.
-
[by request]
Fixed a bug where on some operating systems (including BSD/OS), database updates
would fail with the error message "Can't rename {config}__old/ to {config}".
-
[by request]
Worked around a bug which could cause a "Can't rename ...Result-old to ...Result" error
on Windows, especially during long builds.
-
Fixed a bug where Sawmill could crash if there was no data after session filters were applied.
-
[by request]
Fixed bug where the progress description was incorrect for Scan and Summarize
progress pages.
-
[by request]
Fixed a bug where the TempLogs folder (where Sawmill stores log data temporarily
when processing compressed logs from an FTP or HTTP server) was not cleaned out
properly when an error occurred.
-
[by request]
Fixed a bug where if there were custom numerical filters on a field,
Sawmill could crash in several situations, including while generating
HTML files.
-
[by request]
Fixed a bug where clicking "update" in the statistics, and then clicking something else,
would sometimes re-update, doubling the data in the database on the second update.
-
[by request]
Fixed memory management during CSV export, so it doesn't use arbitrary
amounts of memory.
-
[by request]
Fixed a bug where if DNS lookup was enabled,
and a series of IP addresses were very slow to resolve, Sawmill could
get in a loop where it stopped processing log data and consumed all available memory.
-
[by request]
Fixed a bug where %A was not processed properly in Blue Coat Custom Log Format,
causing some log entries to be ignored.
-
[by request]
Fixed a bug where the "paths through the site" view showed variable names like {VISITORS_THEN_EXITED}
instead of proper descriptions.
-
[by request]
Fixed a bug in PIX/IOS parsing where bandwidth information was not tracked in some cases.
-
[by request]
Fixed bug where month formatting was off in the Calendar in some cases,
when the first day of the week was not Sunday.
-
[by request]
Fixed a bug where if you created a View or Subview filter, and then rebuilt the database
with different parameters, the item numbers in the database would no longer match up with
the item numbers in the filter you created, causing the filter to change, or even causing a
crash. Filters are now always saved using symbols, rather than numbers, so that rebuilding
will not cause this problem.
New features in 6.4.2:
-
[by request]
Added support for 24-hour d/m/yyyy in Windows Event Log Format.
-
[by request]
Improved statistics footer so it doesn't show the "Log Out" item if the configuration
does not require a password to log in.
-
[by request]
Improved screen info tracking, so the /loganalysis_screen_info.gif file is
converted to (screen info) in the statistics. This serves two purposes:
1) it omits it by default from the "top pages" view, and 2)
it causes it to be counted as a page view, so screen information is available
in configurations where only page views are tracked.
-
[by request]
Added tracking of the "server IP" field in IIS W3C log format.
-
[by request]
Improved the default order of the views for web server log analysis, so that
"Top pages/directories" follows immediately after "Top pages" and
"Top search terms" follows "Top search phrases".
-
[by request]
Improved language module loading so if the specified language doesn't have files
of the appropriate language and version, Sawmill will scan the Languages folder looking for
ANY modules of the correct language, regardless of version, and will use them if
it finds them. This makes it possible to install, say, a German module once,
and have that work forever even if you install newer English versions on top of it.
Bugs fixed in version 6.4.1:
-
[by request]
Fixed a bug where Sawmill would crash on exit on MacOS X, in some cases.
-
[by request]
Fixed a bug where CGI mode did not work at all on Windows.
-
[by request]
Fixed a bug where cookies were not being sent properly in some cases,
making it impossible to stay logged in.
-
Fixed a bug where very large form submissions could cause crashes.
New features in 6.4.1:
-
[by request]
Improved date/time range display so if you choose a date/time range,
and there are gaps in that range in the data, Sawmill displays the range
in the Filter bar, rather than all the little ranges you get after the gaps
are removed.
Bugs fixed in version 6.4.0:
-
[by request]
Disabled numerical and alphabetical sorts for views where it didn't make sense.
-
[by request]
Fixed a bug where database updates would fail if 1) they were safe updates, and
2) the configuration name contained a space.
-
[by request]
Fixed a bug where safe updates would fail on Windows because it couldn't delete
the "writeLock" file.
-
Fixed a bug where the date/time range controls would appear in static pages.
-
[by request]
Fixed a bug where some of the log format plug-ins were
corrupt, causing errors when autodetecting log formats.
-
[by request]
Fixed a bug that could cause floating point exceptions during command
line database builds.
-
[by request]
Fixed bug where Sawmill was not communicating correctly with some FTP servers,
including UNIX servers, resulting in hung FTP transfers.
-
[by request]
Improved behavior when no log format is selected; Sawmill redisplays
the "choose log format" screen with a red prompt now,
rather than showing an error screen.
-
[by request]
Fixed a bug where exported session tables sometimes contained
.
-
[by request]
Added "total session page views" and "average page views per session" to the
Sessions Summary view.
-
[by request]
Improved support for iMail log format, so it picks up more information,
and reports more accurately.
-
[by request]
Improved Squid log format to accept resolved hostnames as well as IPs.
-
[by request]
Fixed a bug where updating a database using "safe update" could cause an error on Windows.
-
[by request]
Fixed a bug where file types were not detected properly if there were URL parameters.
-
[by request]
Fixed a bug where if the "page" field was not deep enough, session information
would be incorrect. This was not usually a problem because the page field is usually
very deep (9 levels).
-
[by request]
Fixed incompatibility with OmniWeb which would result in empty pages when
forms were submitted.
-
[by request]
Fixed a bug where the "visitors" column did not use thousands separators
in its numbers.
-
[by request]
Fixed the "Kill Server" button, which stopped working around 6.4b2.
-
[by request]
Added support for Eurodate SYSLOG
-
[by request]
Fixed a bug where CSV export would fail if the configuration name
contained a space.
-
Fixed a bug where if you used a Syslog and Generic log format plug-in,
and clicked the "visitors" checkbox, Sawmill would generate an error.
-
[by request]
Fixed a bug where Sawmill could crash while processing certain types of log
formats, including iMail logs.
-
[by request]
Fixed a bug where Sawmill could crash under certain circumstances, in particular
when you click "Make Data Available" when running Sawmill on Windows. In theory,
this could cause crashes on any platform, under various circumstances, but it
was especially noticeable (and reproducible) on Windows.
-
[by request]
Fixed a bug where the syslog format menu would not appear if there were
multiple possible formats, and the first one was a generic format.
-
[by request]
Fixed a bug where the bookmark URL would sometimes get mangled.
-
[by request]
Fixed WebServerAccessLog logging so it reports the IP address correctly
(as it did in 6.3.x).
-
[by request]
Fixed a bug where if there were two formats detected, and one of them was a "Generic" format,
Sawmill would (correctly) throw the Generic out of the matching list, but would still prompt
for a choice with a list containing just one item. It now assumes you want the only one available.
-
[by request]
Fixed a bug where Sawmill and IE were using different timeouts, causing
clicks to result in broken pages if the click was between 10 and 35 seconds
after the previous click.
-
[by request]
Corrected date format for Centrinity First Class
-
[by request]
Fixed problem with bandwidth support with syslog required log formats
-
[by request]
Fixed a bug where pattern filters containing curly brackets did not look right
in the Filters bar and the Filter Editor.
-
[by request]
Fixed a bug where if pattern filters contained curly brackets, they would not
bookmark or link correctly.
-
[by request]
Fixed a bug where if the database was auto-updated-on-view, and safe updates
were on (the default), Sawmill would fail to update, and would give an error
about not being able to copy some directory to itself.
-
[by request]
Fixed a bug where the "Don't autodetect log format" checkbox wasn't working
properly.
-
[by request]
Fixed a bug where #Fields: lines in W3C logs with tabs after the colon were not handled
correctly.
-
[by request]
Fixed a bug where if a format matched a single non-syslog-required plugin
and also a syslog, Sawmill would use them both. Now it uses only the
non-syslog-required plug-in.
-
[by request]
Improved error reporting in the case that a syslog-required plugin matched
but no syslog did.
-
[by request]
Fixed a bug where Sawmill did not handle format= lines correctly when
field names were surrounded by quotes.
-
[by request]
Fixed bug where "show logo in docs header" wasn't working.
-
[by request]
Fixed bug where full URLs (like bookmark URLs) were computed incorrectly
in some cases in web server mode.
-
[by request]
Fixed hostname problem in NetCacheNetApp log format
-
Fixed a bug in session median computation where the wrong two data points
were being averaged in the even-number-of-sessions case.
-
[by request]
Fixed a bug where editing preferences (and certain other operations)
could cause an internal error.
New features in 6.4.0:
-
[by request]
NOTE: These are *all* features added since 6.3.16; i.e. they are all the new 6.4 features.
Many of these features have been listed in previous 6.4 "beta" and "stabilizing" releases.
-
[by request]
Extended support of OpenwaveIntermail Server Logs to capture bandwidth information
-
[by request]
Extended support of Postfix Mail Server Logs
-
[by request]
Changed language module version numbers to match Sawmill version numbers.
For instance, where the language module version for Sawmill 6.3.10 used to be
v88, it is now v6.3.10. This makes it easier to find the language module
for a particular version, and eliminates certain types of uncommon errors
where a pre-release version would not be able to find recent language module variables.
-
[by request]
Added support for War FTP logs
-
[by request]
Added date range filtering-- the currently shown date range now appears
at the top of the statistics, in the Filters bar, and you can choose the starting and ending
year/month/day to zoom in on a particular date range.
-
[by request]
Added a "safe update" feature (on by default) which backs up the database before updating it.
This all but eliminates the possibility of an update corrupting the database on an error,
but it requires twice the disk space and some additional time for an update.
-
[by request]
Added an "If A, then do B followed by C" filter type.
-
[by request]
Optimized database updating in the case where there is no new data in the log source.
Previous versions would re-consolidate the database and re-write the index, even though there was no change.
This version skips that step, resulting in a much faster update in this situation.
-
[by request]
Added support for Apache Combined with Server Name after Agent
-
[by request]
Added support for Cisco IOS (Unix syslogd) as well as created language variable IOS_PARSING_FILTERS logs
-
[by request]
Added support for Cisco CE Common logs
-
[by request]
Changed sort order to list directories first in the Browse... window.
-
[by request]
Added support for Cisco PIX SL4NT logs
-
[by request]
Added a new "paths through a page" view, which shows all paths through
a particular page by showing the immediate predecessors and successors
in the clickstream.
-
[by request]
Added support for a LOGANALYSISINFODIR environment variable which, when set,
determines the location and name of the LogAnalysisInfo folder.
-
[by request]
Added a number_thousands_separator option, which is a comma (,) by default,
and which is used to separate thousands in large numbers.
-
[by request]
Extended support for SonicWallKiwi logs
-
[by request]
Extended support for Netegrity Siteminder logs
-
[by request]
Added support for OpenwaveIntermail logs
-
[by request]
Extended support in CiscoIOS log format to support AUDIT_TRAIL information
-
[by request]
Added support for SonicWallKiwi (yyyy-mm-dd) log format
-
[by request]
Added support for Firebox log format
-
[by request]
Added support for Sambar Server log format
-
[by request]
Added support for Cisco IDS IOS log format
-
[by request]
Added support for Net-Acct log format
-
[by request]
Added support for PostOfficeMailServer log format
-
[by request]
Added support for IISFTP log format
-
[by request]
Added a new option to make graph bars non-clickable (by default, they are clickable).
This is useful in cases where there are so many bars that the overhead of making them
clickable bogs down the network, Sawmill server, and/or browser.
-
[by request]
Added support for Sidewinder log format
-
[by request]
Added support for InterscanEmailViruswall log format
-
[by request]
Extended support of TinyPersonalFirewall to include a new variety of log
-
[by request]
Added support for TomcatAlt log format, also Greg modified Sawmill so that it can collect and carryover
-
[by request]
Added support for SquidGuard log
-
[by request]
Added an accept_collected_entry_regexp_carryover filter, which works like
accept_collected_entry_regexp except that it carries the collected values over
rather than resetting them. So a single field value can be collected early on,
and later acceptances will all use that value, even if it does not appear again.
-
[by request]
Added support for MailerDaemon log
-
[by request]
Improved Performance for Cisco PIX KIWI ISO
-
[by request]
Added support for Cisco PIX KIWI ISO.
-
[by request]
Added support for Whistle Blower Performance Metrics Log.
-
[by request]
Added support for Netscape Directory Server log format.
-
[by request]
Added "numerical ascending" and "numerical descending" table sorts.
-
[by request]
Improved W3C formats to support x-datestamp fields.
-
[by request]
Added support for MailMax SE POP log format.
-
[by request]
Added support for NetCache NetApp log format.
-
[by request]
Added support for MailMax SE SMTP log format.
-
[by request]
Added support for Atom Mesge log format.
-
[by request]
Added support for RealProxy log format.
-
[by request]
Added support for ColdFusion Web Server log format.
-
[by request]
Added support for ColdFusion Application log format.
-
[by request]
Added support for Microsoft SQL Profiler log format.
-
[by request]
Added support for "m/d/yy h:mm" date/times.
-
[by request]
Added support for files (like CSV files) which can have line breaks
in the middle of a field, as long as the field is quoted.
-
[by request]
Added support for WhistleBlower log format.
-
[by request]
Added support for Windows Event log format.
-
[by request]
Added support for FedEx tracking log format.
-
[by request]
Added support for FastHosts log format.
-
[by request]
Improved Postfix log format to handle some different types of log entries.
-
[by request]
Added support for Network syslog format.
-
[by request]
Added support for Merak SMTP Log Format.
-
[by request]
Added support for Merak IMAP/POP3 Log Format.
-
[by request]
Improved IPTables format to handle a slight variant.
-
[by request]
Added support for WebShield SMTP log format.
-
[by request]
Added support for Webtrends Extended log format.
-
[by request]
Added support for Zyxel/Kiwi log format.
-
[by request]
Improved session IDs so they contain the visitor id, for easier identification of the source of the session.
-
[by request]
Added a new type of session filter, which lets you zoom in on particular session using its ID.
-
[by request]
Improved the Sessions view (now called "Individual Session(s)") so the session IDs
are clickable, and apply a session filter to show only that session.
-
[by request]
Improved the Sessions view (now called "Individual Session(s)") to show a click-by-click
listing of the session, if there is only one session selected.
-
[by request]
Added support for Cisco VPN Concentrator (Comma-separated) log format.
-
[by request]
Improved iMail log format to track local domains and "ldeliver" messages.
-
[by request]
Added support for Hosting.com log format.
-
[by request]
Added support for Cisco PIX (NT Syslog, With Hostname) log format.
-
[by request]
Added support for NetScreen log format.
-
[by request]
Added suppo