Sawmill
Download Sawmill 8.7.3
30 Days Free Trial
Home Products Downloads Purchase Support About About
Sawmill Sawmill

SAWMILL 7 VERSION HISTORY

ALL PLUG-INS

Sawmill has plug-ins to support the following log formats:

line

This is the version history for Sawmill 7. The Sawmill 8 version history is here and the Sawmill 6 version history is here.

Version 7.2.19, shipped December 11, 2010

Bugs fixed in version 7.2.19:

  • [766459] Different IP addresses in the "host" field are considered equal, if they contain an 0 octet, and another octet differs by exactly 32
  • [793793] After building a profile with multiple processors, the "info" file in the database sometimes does not contain the final list of files processed.
  • [795352] If a report is manually filtered with a date range outside of the log data range, if shows data as though there were no filter.
  • [810450] FTP log sources send the password incorrectly during the Create Profile wizard, if it contains a #.
  • [919868] Database builds started from the web UI, in CGI mode, using multiple threads, hang.
  • [939758] During a multiprocessor update, the database hierarchies can lose information, resulting in days which no longer appear in the Days report.

Version 7.2.18, shipped January 5, 2010

Bugs fixed in version 7.2.18:

  • [625849] A cross-scripting vulnerability exists where a user can cause arbitrary JavaScript to be executed on a web browser by creating a carefully crafted URL to a Sawmill installation, and convincing the user to click it.
  • [647896] When using a MYSQL database, if the seendata file is manually removed, the next database update will crash.
  • [682714] Multiprocessor updates of the internal database crash, in some cases.

Version 7.2.17, shipped May 26, 2009

Bugs fixed in version 7.2.17:

  • [528193] If a regular expression filter matches nothing, and it is filtered on a different field from the main report columns, it will show an unfiltered report.
  • [552878] Report labels are not set properly in custom Session User or Session Page reports, in custom plug-ins--they are set to the internal name of the report, rather than the specified label.
  • [563220] Database updates do not skip previously-seen data in files > 4GB, on 32-bit operating systems.

Version 7.2.16, shipped January 28, 2009

Bugs fixed in version 7.2.16:

  • Fixed JBoss Application Server format to handle brackets in the class field properly.
  • Fixed a bug which would cause an error when using single quotes in Salang expressions in command line arguments.
  • Fixed a performance issue with ISA W3C format, which could cause very slow processing (changed hash algorithm to rand_sum for filterinfo).
  • Fixed/improved autodetection of Aruba Wireless LAN Switch format, to handle DBUG lines, and leading KERNEL lines.
  • Fixed two small problem with Netegrity SiteMinder Access log autodetection and reporting, which could result in failed autodetection, and an error message when displaying the Server Domains and Single-page Summary.
  • Fixed a bug in the Kerio Mail Server plug-in where non-matching lines caused an error because v.remainder was not set. This bug would most likely have been seen if the log source was a directory containing logs in different formats.
  • Fixed a bug where apostrophes in email addresses could cause parsing issues with Microsoft Exchange 2000 W3C log files, resulting in truncated email addresses in reports.
  • Fixed a bug where the date offset option was applied repeatedly to carried-over collected log entries, potentially resulting in progressively greater offsets as log processing progressed, for certain formats (specifically, Microsoft IIS SMTP W3C format).
  • Fixed a bug where the MySQL socket entered in the Create Profile Wizard was not saved to the profile, and had to be re-entered before the database could be built.
  • Fixed a bug where MySQL profiles would show all 0 durations in session reports, if "maximum session duration" was set to 0.
  • Fixed a bug where Sawmill would report itself as 64-bit Windows when a bug report was submitted, when it was really 32-bit Windows, and vice versa.
  • Fixed a bug where database updates with a MySQL database could result in a database corruption which caused the Days report to show extra rows.
  • Fixed a bug which would cause an error ("Error renaming expired_main_table to main_table") when removing database data, if the removal resulted in no entries remaining in the database.
  • Fixed bug in the "NetScreen Log Format" plug-in where the message field was set to "(omitted)" if the line didn't match any of the expected patterns. Only messages with key value pairs where all of the values are in reports are correctly set to "(omitted)".
  • Fixed a bug with removing data from MySQL databases, where the itemnum table would still refer to the old data, resulting in phantom entries in the Calendar and other date controls.
  • Fixed a bug which could cause very high memory usage when processing a dataset with a very large number of log sources (e.g., thousands of log sources), containing corrupt files.
  • Fixed a bug which could cause an "empty node" error when processing SonicWall logs,if certain types of corrupt log entries were present.
  • Fixed bug in the "Aladdin eSafe Sessions Log Format v5/v6" plug-in where in version 5.2, the Profile field was omitted causing the Details to be placed in the Extended Results field and the Extended Result value to be lost.
  • Fixed a bug which could cause a crash when processing log data which used name/value pairs (listed fields), where the last field on a line was quoted.
  • Fixed a bug which could cause numbers to be truncated in log filters, when converting large integers from string to float representation.
  • Fixed an incompatibility of the encrypted source code, which resulted in an error about memmove() when building Sawmill from source on Fedora Core 9.
  • Fixed a bug where a parsing error during a multiprocessor build or update was not reported properly, causing the build/update to continue forever.
  • Fixed two bugs in the "JBoss Application Server Log Format" format that broke the Java exception stack trace report.
  • Fixed a bug where the order of multiple actions, in if/then/else conditions in Log Filters, would get randomly scrambled in the web interface, if there were more than ten of them.
  • Fixed a bug in Tipping Point IPS which prevented the "traffic capture available" and "slot and segment" fields from being extracted properly.
  • Fixed bug which would cause a database build to abort with an error, if the -v f option was used, and a log field value contained a $.

New features in 7.2.16:

  • Added autodetection of binary Firewall-1 format (to report that Sawmill can't parse it without conversion).
  • Fixed bug in Salang utility subroutine parse_w3c_fields where database field creation did not happen for fields of type host and page. This subroutine is used where the W3C field header for a format is not consistent with the fields in the log, so it did not effect most W3C plug-ins. The bug was specifically causing the Novell Border Manger log format plug-in to lack reports for Client IP and URL.
  • Enhanced Blue Coat W3C plug-in to recognize SGOS 5 logs, and to report the supplier ID field.
  • Enhanced Kerio Mailserver log format to support version 6.5 logs, and to track each type of status (delivered, delayed, etc.) with a separate numerical field, and to support the spam and security logs.
  • Enhanced Communigate Pro format to track IMAP logins.
  • Enhanced IMail support to report delivery errors, and to report messages delivered/relayed separately.
  • Added support for Astaro Security Gateway log format.
  • Added support for WebSTAR Proxy log format.
  • Added support for SmarterMail log format.
  • Added support for Trend Micro Interscan VirusWall 6 log format.
  • Added support for Array Networks Array SPX log format.
  • Added support for Cell Technology IPS log format.
  • Added support for DeepMail IMAP/POP3/SMTP Server log format.
  • Added support for tinyproxy log format.
  • Enhanced Symantec Mail Security support, to handle a different type of log file (different version of SMS).
  • Added support for analyzing Microsoft Internet Information Services (IIS) web server logs, logged to a syslog server.
  • Added support for another date specification for the Apache Custom log format.
  • Modified the Apache Custom plug-in to treat the uri_stem field the same way it treats the page field. Only one of these two fields should exist in the same report. (uri_stem is from %U in the customization string.)
  • Added support for Radware DefensePro log format.
  • Enhanced support for IronPort C-Series logs, to track aborted messages better, by including separate events, and a separate numerical field ("message deliveries aborted"), reporting intended recipients who did not receive their messages due to the filtering.
  • Added tracking of number-of-recipients in Microsoft Exchange 2007 log data (CSV).
  • Added support for Atlassian JIRA log format.
  • Improved support for "Windows Event Log Format (dumpevt.exe export)", to support Directory Services logs, and variable time formats.
  • Modified the "Anti-Spam SMTP Proxy (ASSP) Log Format" plug-in to support for log format variation with neither queue IDs nor "is disconnected" messages. In this variant, the only way to tell an event has ended is if the sender changes. As with other variants with no queue IDs, it is assumed that events are logged sequentially and are not interleaved.
  • Added support for Watchguard Firebox X Core e-Series Log Format.
  • Modified the Kiwi Syslog Daemon plug-in "Kiwi (mm-dd-yyyy dates)" to support a date/time variation with single digit month/day, / instead of -, space instead of tab between date and time, and no seconds on the time.
  • Added a new profile option, log.processing.output.field_delimiter (-fd), which controls the delimiter between fields, in the output generated by the "process logs" action.
  • Added a new profile option, log.processing.output.suppress_output_header (-soh), which suppresses the header (list of fields, on the first line), in the output generated by the "process logs" action.
  • Added a new profile option, log.processing.output.output_date_time_format, which controls the format of timestamps in the output generated by the "process logs" action.
  • Enhanced Ironport C-Series support to handle Delayed HAT REJECT sessions, so when that option is turned on in the C-Series, Sawmill will report early rejections by recipient domain (and sender domain).
  • Enhanced Ironport C-Series plug-in to track all actions types, and to report them with a pie chart in the Actions report.
  • Enhanced ISA W3C log format parsing to handle W3C logs with variant headers (tab-separated with spaces in field names).
  • Enhanced Ironport C-Series log format to report quarantined messages better.
  • Enhanced Secure Computing Sidewinder Firewall format to collect fac, area, type, and pri fields, and to support lines without extra data info/syslog.
  • Added support for RaidenMAIL log format.
  • Added support for eSafe version 6.1 to the "Aladdin eSafe Sessions Log Format v5" plug-in. The name has been changed to reflect v6 support.
  • Enhanced Ironport C Series support to report two new numerical fields: "messages spam positive" and "messages virus positive."
  • Added support for a variant of Citrix Netscaler (with event number before the message).
  • Added support Adobe branded Flash logs, and improved session display slightly.
  • Enhanced Firewall-1 (fw logexport export) Log Format to report geographic, ISP, organization, and domain information.
  • Added support for a new variant of Fortigate 60B log format.
  • Added support for geographic fields in Firewall-1 NG (text export) Log Format.
  • Added support for F5 Load Balancer format.
  • Added support for CCProxy version 6.61 to the plug-in for "Youngzsoft CCProxy Log Format".
  • Added support for a new variant of Microsoft Port Reporter log format.
  • Enhanced Ironport C-Series log format support to support a slight variant in the SBRS logging.
  • Enhanced support for Nmap to handle a newer format (4.76), including a different header line, optional hostname field, and optional MAC field.
  • Enhanced sessions tracking in Wowza Meda Server log format, to report sessions even when x_stream_id is not present in the logs.

Version 7.2.15, shipped May 16, 2008

Bugs fixed in version 7.2.15:

  • Fixed bug in the Helix Universal Server (Style 5) Log Format where the File Time field was being treated as milliseconds while the Sent Time field was being treated as seconds. According to documentation at real.com, both fields contain times expressed in seconds.
  • Fixed a bug which could cause a crash (which would appear in the Sawmill GUI as a hang) when autodetecting data on an FTP or HTTP server.
  • Fixed memory leak which could occur in various circumstances; the specific known circumstance occurred when building a database from a profile with more than 1500 log sources, which caused more than 1GB of memory to be used.
  • Fixed a bug where the number of visitors could be overstated by 1 in Microsoft Media Server log format.
  • Fixed a bug in the Critical Path POP3/IMAP plug-in which could cause an error when creating a profile.
  • Fixed a bug where the "day of year" and "week of year" fields split the day at 23:00, instead of 0:00, on days under daylight savings time.
  • Fixed a bug subtable Table options were not saved and restored properly, when editing a "table with subtable" report in the report editor.
  • Fixed a bug in RACF Security log format, which prevented it from importing the final record in a file.
  • Fixed a bug in RACF Security log format, which prevented it from importing lines where the username contained no spaces.
  • Fixed a bug IronPort C-Series parsing, where SBRS rejects were not reported.
  • Fix incorrect reporting of sessions in the Flash Media Server plug-in by only creating session events when x-event eq disconnect and x-category eq session.
  • Fixed bug in Sidewinder analysis (logged to firewall) which caused incorrect dates when there was a date= field listed.
  • Fixed a bug where certain filters (especially, ORs of "within" filters) could cause main table scans, when they could have been handled by xrefs. This made some filtered reports slower than they should have been.

New features in 7.2.15:

  • Enhanced Sawmill.app (on Mac) to detect when there is a running installation of Sawmill already, and give an appropriate error message (rather than hanging while it waits to bind to the port).
  • Deprecated the "maximum CPU usage percent" option. The option never worked very well, and has done absolutely nothing since Sawmill 7.0.0, so it serves no purpose. Instead, use operating system priorites to minimize the impact of Sawmill's CPU usage on other processes.
  • Added support for CP Secure Content Security Gateway log format.
  • Added support for a new version/variant of Aruba Wireless Switch.
  • Added tracking of "Context" lines in Citrix Netscaler log format.
  • Added support for Unix Auth log format.
  • Added support for Unix Cron daemon log format.
  • Added tracking of VOF quarantine lines in IronPort C-Series logs.
  • Added reporting of Amavis information in Postfix logs.
  • In the Kiwi YYYYMMDD Comma Syslog plug-in, added stripping of double quotes from around the syslog message since these can break autodetection. If the message is quoted, the plug-in also now changes doubled double quotes back to single double quotes. Doubling is the way Kiwi escapes them.
  • Added support for a new FortiGate 100 Firewall format with additional fields to the FortiGate Comma Separated Log Format plug-in.
  • Added support for Symantec Gateway Security Log Format (via syslog).
  • Added alias domain reporting to Microsoft Exchange 2000 log format.
  • Added support for automatic charset conversion of search engines which do not use UTF-8 in their search URLs (specifically, Yandex).
  • Added reporting of MailScanner lines in Postfix log data.
  • Added a new plug-in to support the SNARE Epilog Collected Oracle Listener log format. The plug-in was contributed by a Sawmill user.
  • Expanded the plug-in for the Nortel Meridian 1 Automatic Call Distribution (ACD) log format to include some additional fields from the logs and an additional graph in the Date/Time reports.
  • Added session analysis to the Flash Media Server plug-in for the purpose of reporting the Maximum Concurrent Connections.
  • Added support for the Users field and a Unique Users numeric field to the Proxy Plus log format plug-in.
  • Added support for Tipping Point SMS Log Format.
  • Added reporting for ARP request and ARP reply lines in Cisco VPN Concentrator.
  • Added support for AspEmail (Active Server Pages Component for Email) log format.
  • Fixed a problem with Cisco VPN Concentrator log format, which caused certain "disconnected" lines to be ignored.
  • Added support for tracking/reporting of the usr field in SonicWall format.
  • Changed label for the Barracuda Spyware Firewall Log Format plug-in to Barracuda Spyware Firewall / Web Filter Log Format to reflect new product name. Added support for standalone (no syslog header) format. Added support for lines where the action is "sniff" instead of "httpscan". Added Action report.
  • Made extensive changes to the Anti-Spam SMTP Proxy (ASSP) log format plug-in. Messages, which are described on multiple lines of the log, are now captured in one database entry so reports are more clear and counts are more accurate. These changes apply to log formats for 1.3.3.1, 1.3.3.8 (and in between, presumably, though they have not been tested). Reports for earlier versions of ASSP that have a different log structure are not changed.
  • Enhanced the JBoss application server plug-in to support a slightly variant.

Version 7.2.14, shipped March 26, 2008

Bugs fixed in version 7.2.14:

  • Fixed a bug in the IceCast Log Format plug-in where the User Agent field was not being set causing the fields that are derived from it, such as Web Browser, to be empty.
  • Fixed a date/time parsing bug in Barracuda Spam Firewall, where some lines were reverting to the syslog collected date/time instead of the Barracuda's date/time.
  • Fixed a bug in the FirePass SSL VPN Log Format caused by an incorrect variable name. The bug would only have been seen if lang_stats.cfg did not have the firepass_ssl_vpn status code mapping section.
  • Fixed a memory leak which could cause very high memory usage when building a MySQL-based database from a database with many unique values in one or more fields.
  • Fixed a bug in the Unix Syslog With Year plug-in where the syslog message was being lost.
  • Fixed a bug which could cause an error in various circumstances (but usually when building a database) on 64-bit Windows, when one of the mapped files in the internal database exceeded 2GB. This is rare, but can happen to the indices if the "main table segment size" option is set to a very high value.
  • Fixed a bug in the parsing regular expression where the report of multiple Stats or square brackets in the client_info field would cause the entry to be rejected.

New features in 7.2.14:

  • Changed the IceCast Log Format plug-in to get the duration in seconds from the duration field instead of calculating the duration from the size and an assumed speed. Apparently the duration field was not available at the time the plug-in was first created so a workaround was used.
  • Enhanced Ironport C-Series plug-in to extract more information about antivirus scanning.
  • Added support for charset conversion on 64-bit Windows.
  • Enhanced Tipping Point IPS log format to handle log lines generated by the 2.4.3 firmware revision.
  • Added support for OpenVPN log format.
  • Added support for CRYPTO lines in Cisco PIX/IOS/etc. format.
  • Added a new "Save To Menu" button to the Reports page, to save a filtered report directly to the reports menu.
  • Added support for a format variation with a date as well as a time to the Windows 2003 DNS Log Format plug-in and increased the flexibility of the autodetect regular expression.
  • Added support for Tipping Point 2.5.3 log format.
  • Improved performance of hierarchy builds for MySQL databases. With this change, the time to build the hierarchies for a specific database with 16 million unique IPs dropped from 2:15 hours to 0:40 hours.
  • Added a new profile option, "Use Overview For Totals." This option controls a recent new feature, which computes the Total rows of report using an Overview report. In recent versions (since 7.2.10), this option has always been turned on; with this version, it is optional, and disabled by default. Turning this option on gives correct totals of "unique" and calculated columns in tables, and correct percentages for unique rows, if they are shown, but can severely hurt performance for some very complex reports, when the "remove parenthesize items" option is turned off for the report. Even under normal circumstances, this option makes two times slower. So as of this version, this option is off by default, and the Totals row is computed by summing the table by default. When this option is off, unique columns will show a dash in the totals row and calculated columns will show a zero.

Version 7.2.13, shipped February 21, 2008

Bugs fixed in version 7.2.13:

  • Fixed a bug which could prevent scheduled tasks from running.
  • Restructured the plug-in for the NetScreen Log Format in order to improve performance and fix a bug where a variable that was set if the log line matched the supported format was being accessed whether it matched or not. Also improved performance by omitting the message field where the message consists of key/value pairs that are extracted into other fields.

New features in 7.2.13:

  • Enhanced "LogSat SpamFilterISP Log Format B500.9" to support a slight variant.
  • Renamed the field/report message_id to queue_id in the Postfix Log Format plug-in and added a report for actual field actually called message-id in the logs. Improved the efficiency of mapping from the spamd mid field the the postfix message-id field. (There was existing limited support in this plug-in for reporting on spamd along with Postfix where they are logged to the same syslog.)

Version 7.2.12, shipped February 15, 2008

Bugs fixed in version 7.2.12:

  • Fixed two bugs in the bytes and stream bytes calculations in the Flash Media Server Log Format plug-in where typos caused an error in the results and caused an error message if the log didn't have the c-client-id field.
  • Fixed a bug in NetCache NetApp 5.5 format, where date/time values would not be parsed correctly for MySQL databases.
  • Fixed a bug which could cause a checksum error when accessing the web interface, if there were unknown CFV files in the templates folder. This could happen when upgrading from an earlier version of Sawmill.
  • Fixed a bug with Apache Combined which would show all 0's if hits was not selected.
  • Fixed a bug with Ironport (mail) format, where multi-RID messages would be reported as a list of RIDs, instead of being reported as each indiviual RID.
  • Fixed parsing problem in cases where parse_only_with_filters was false, but parsing filters use accept/collect.
  • Fixed bug where backslashes in wildcard expressions were treated as escapes, instead of being treated as literal backslashes.
  • Fixed a bug in Cisco NetFlow (flow-export) format, where the total rows were incorrect for some fields, on some platforms.
  • Improved the efficiency of connection tracking for the Maximum Concurrent Connections report in the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format plug-in because it was causing performance problems during the database build.

New features in 7.2.12:

  • Added a mime_types.cfg file in LogAnalysisInfo/miscellaneous, which lists the filename extensions and corresponding MIME types recognized by the built-in web server (previously, this was hard-coded and uncustomizable).
  • Improved the efficiency of tracking bytes and stream bytes totals in the Flash Media Server Log Format plug-in because the current method caused performance problems during database build. The old method used nodes and the new method uses set_collected_field where collected entries expire if they are not accepted. The trade off is the small risk of skewing results if there are very long connections. The number of log lines after which to expire the collected entries can be adjusted.
  • Added support for the Mirror Image Flash Media Server Log Format.
  • Added support for Bomgar Box log format.
  • Fixed bug where "-v f" output would generate an error if log filters used replace_first() or replace_last().
  • Added support for FirePass SSL VPN Log Format.
  • Added support for Cisco IPS log format.
  • Enhanced SafeSquid plug-in to handle the new Extended format from 4.2.1+.
  • Added support for Sophos Web Appliance.
  • Added facility/severity/mnemonics fields to Cisco PIX.
  • Added a report for Maximum Concurrent Connections to the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format. This report is based on keeping track of a count open connections for each device.
  • Added support for McAfee Secure Messaging Gateway (SMG).
  • Added support for non-AM/PM times in Windows NT4 Event Log Format (save as-CSV).
  • Added support for Guardix Log Format (IPFW).
  • Added support for a new variant of IIS SMTP W3C logs.
  • Enhanced Exim 4 log format support to handle a variant.
  • Fixed a bug in Syslog NG (no zone) to remove leading space from syslog message.
  • Greatly improved performance of "NOT" report filters in most cases, when using the internal database. This is particularly important because as of 7.2.11, any report which omits parenthesized items (which is most of them) uses a "not" filter implicitly. This especially affects large databases. In one example, it increased the speed of the "day of week" report from 5 minutes to 12 seconds.
  • Enhanced dumpel log format to show event code categories and descriptions for common event codes.

Version 7.2.11, shipped November 30, 2007

Bugs fixed in version 7.2.11:

  • Fixed a bug where the "omit parenthesized items" option did not work for the session users report.
  • Fixed a bug where log data with repeated $ characters in it could cause a crash, if the "f" option was used for -v for a command-line build.
  • Fixed a bug which could cause an error when rebuilding database hierarchies with "-a rdh".
  • Fixed a bug which could cause the error "Expression not supported by field limits (OR across fields)" when using certain advanced filter expressions in the web reporting interface.
  • Fixed a bug where matches_regular_expression would not set $N variables above $M, if $M was not defined by the expression, e.g. through the use of ()? or ()*.
  • Fixed a bug in the "beta" IronPort plug-in, which could cause very high memory usage during log processing.
  • Fixed a bug which would cause incorrect durations to be reported when the "date offset" option was used with Shoutcast W3C.
  • Fixed bug where DNS lookup would attempt to lookup "..." as though it were an IP address, resulting in DNS errors.
  • Fixed a bug in "create many profiles" which would cause an error like "Couldn't find node 'clone1' in profiles" if the profiles to be created did not already exist.
  • In the Flash Media Server Log Format plug-in, corrected calculations for sc_bytes, sc_stream_bytes and cs_stream_bytes, based on the way cs_bytes was calculated. Because the log keeps a running total of these values, the previous accumulated value must be subtracted from the current value for each event to prevent a huge, incorrect total from being shown in reports. Also restored the fix where the filters that do these calculations use c_ip where c_client_id is not available.
  • Fixed a bug which caused FTP log source error messages in cases where the server split single control response lines into multiple packets (uncommon).
  • Improved the efficiency of the bytes and stream bytes calculations in the Flash Media Server Log Format plug-in because they were hurting the performance of database builds.
  • Made autodetection more restrictive in the Apache/NCSA Combined Format With Cookie Last plug-in in order to prevent other log formats from autodetecting as this one.
  • Fixed bug with flash media server logs which could cause an error during database build, if the stream_duration field was not checked when creating the profile.
  • Fixed bug which would cause an error with Netscape logs when there was no page field logged.
  • Fixed a bug where session reports did not work in a profile without a "page" field, when using a MySQL database.
  • Fixed bug which could cause crashes during long log processing, or during long database updates, involving many files.
  • Fixed a bug where clicking Browse would cause an error if a CSV filename was in the field.

New features in 7.2.11:

  • Enhanced the Barracuda Spyware Firewall plug-in to extra domain, category, and username fields, when availiable.
  • Enhanced Net-Acct to handle a variant.
  • In Syslog NG, added support for dates in the format "2007-08-23T15:02:28+02:00".
  • Added support for Windows Event Log (comma or tab delimited, no am/pm, 24h & ddmmyyyy) Log Format.
  • Enhanced NetCache NetApp support to recognize version 6 logs.
  • Added support for hMailServer log format.
  • Improved Filezilla Server format to support single-digit months and days.
  • Renamed all formats and plug-in files with "beta" in the name because process of identifying stable plug-ins is changing.
  • Enhanced ASSP log format: Added support for 1.3.3.1 logging (almost complete rewrite); added support for old logging style.
  • Enhanced NetCache NetApp 5.5+ format to report streaming log data better.
  • Added support for the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format.
  • Moved newly added reports for derived fields to the appropriate groups in the report menu for the Apache Custom Log Format.
  • Added an option to display bytes using base-10 (1000-based) units, rather than base-2 (1024-based) units.
  • Added support for a new type of node file, ending with .cfga ("configuration group additions"), which is layered on top of its similarly-named .cfg file, to automatically create a node different from the original CFG file, without requiring editing of the original CFG file.
  • Added auto-expansion of {==} sections in local log source pathnames.
  • Changed the name of the log field error to error_message in order to fix a bug in the Apache Error Log Format plug-in that was introduced by a UI change that causes an error when log fields have the same name as Salang functions.

Version 7.2.10, shipped August 04, 2007

Bugs fixed in version 7.2.10:

  • Fixed a bug in the "beta" plug-in for "Juniper Secure Access SSL VPN Log Format" where user agent information was not being extracted properly.
  • Added support to the Kiwi Syslog (ISO/Sawmill) plug-in for repeated lines if Unix Syslog (only one format variant so far) is logged to Kiwi Syslog.
  • Fixed a bug where database deletion (and profile deletion) would fail on Unix or MacOS systems, if the database directory contained a file starting with a period.
  • Fixed a bug which would cause a crash during log processing, when processing gzip files which were corrupt in certain ways (valid gzip files cause no problems).
  • Fixed a bug where {= =} or $ sections were not handled properly in the output directory option of the Scheduler, while generating HTML reports.
  • Fixed a bug which would cause an error when clicking an individual session in the Individual Sessions report, when using a MySQL database, with any log format where the session visitor ID field is not called "hostname".
  • Fixed a bug which could cause an "empty node error" when processing Symantec AntiVirus Corporate Edition logs, if the encrypted time field was less than 12 characters long.
  • Fixed a bug in the BETA IronPort plug-in, where if the log was not generated through syslog, and contained a timestamp header, all entries would be discarded.
  • Fixed a bug in the BETA IronPort plug-in, where if there was no "log" tag in the data, all entries would be rejected.
  • Fixed bugs in the Watchguard XML Log Format plug-in: Fixed bug in filter add_dstname_arg where wrong field name was used and url was not found. Changed filter to not concatenate dstname and url (arg) if either is empty. Mapped field names rcvd_bytes and sent_bytes to recv and sent since at least one format variation has these instead.
  • Fixed a bug which caused an error when using { or } characters in wildcard expressions.
  • Added BETA support for Visonys Airlock log format.
  • Fixed a bug where database builds could repeat, in CGI mode, building over and over, if Talkback was turned on.
  • Fixed the "beta" Barracuda spam firewall plug-in to track logging devices.
  • Fixed a bug with Sawmill's encoding of MIME emails (HTML reports) which could cause Amavis (and possibly other spam filters) to flag Sawmill's report emails as spam.
  • Fixed a bug where the filters for Remove Database Data were not logged correctly to TaskLog.
  • Fixed a bug which would cause an error ("Unable to delete file seendata") when doing a multiprocessor build, if the dataset was very small (less than the size of thread_data_block_size, which is 1MB by default).
  • Fixed a bug where the session duration did not match the play duration, in Microsoft Media Server analysis, if there was a custom log filter on the cs_uri_stem field.
  • Fixed a bug in Microsoft Media Server plug-in, where session durations would be reported incorrectly if a date offset was specified in the profile.
  • Fixed a bug which caused an error when building a MySQL database, if the profile contained a field called connection_id.
  • Fixed a bug which caused the TaskLog entry from a database build or update to report the bytes processed in the last log source, rather than the full bytes processed.
  • Fixed a bug where profiles would not be removed properly from non-administrative users, if the username contained unusual characters, and command-line authentication was used.
  • Fixed a bug which causes an error "Expression not supported by field limits (OR across fields)" when using complex filters on the Overview.
  • Fixed a bug which could cause duplicate rows in report tables, for very large datasets.
  • Fixed a bug which were command line execution would fail quietly, without doing anything, if there was no valid license installed.
  • Fixed a bug in the beta NetScreen format where a key value pair on a line with no logging category could be placed in the category field.
  • Fixed/enhanced the beta Postfix format to reduce memory usage, and improve performance with large datasets.
  • Fixed bug in the beta IIS SMTP W3C Log Format where some data could carry over from earlier connections for the same Client IP.
  • Fixed a bug in the IronPort Log Format (BETA) where aborted entries were not being accepted.
  • Fixed problems with rekeying and duration tracking in "CT Mod 10 Nortel Contivity Log Format". (Note that there is an improved version of this plug-in called "Nortel Contivity Log Format (BETA)".)
  • Fixed a bug which would cause an error in a report, if you removed the column in the Report Editor which was the "sort by" column.
  • Fixed a bug which could cause errors when exporting CSV reports from the web interface, in CGI mode.
  • Changed name of plug-in "Microsoft ISA WebProxy Log Format (W3C)" to "Microsoft ISA Server Log Format (W3C)" to reflect correct product name (ISA Server replaced ISA Proxy). Fixed bug in and simplified autodetection. Added new possible W3C fields to groups to organize reports menu.
  • In the Quicktime/Darwin Streaming Server Log Format, changed type of x_duration and all fields with pkt in the name (packet fields) to float to handle large values.
  • Fixed a bug where Windows error messages containing "\" would be displayed without the "\", or Windows error messages containing "\t" would be displayed with "__TAB__" in place of "\t".
  • Fixed a bug where the Log Detail showed 12-hour times instead of 24-hour times, when using a MySQL database.
  • Fixed a performance problem where processes waiting to access files locked by other processes would use CPU, instead of waiting quietly.
  • Fixed a bug which could cause crashes during report generation.
  • Fixed a bug which would cause authentication failures on Windows, if the password contained a & character.
  • Fixed a bug where the number of session users was miscounted in Session Overview report, resulting in one fewer one-time users being reported than there actually were, or one fewer repeat users being reported than there actually were.
  • Fixed a bug where values formatted with "duration" format (the long duration format) would end in commas if there were 0 seconds.
  • Fixed a bug in IronPort where log entries would be rejected if the "log file" field contained a space.
  • Fixed a bug where static report could be generated while a database was being updated, resulting in erroneous reports.
  • Fixed a bug with Blue Coat W3C, which caused a bogus report to be created when certain fields were missing, causing an error when creating a new report.

New features in 7.2.10:

  • Added report group for "Security" related reports to menu to beta "SonicWall or 3COM Firewall Log Format".
  • Added beta support for version 2.9.8 to the DansGuardian 2.9 Log Format.
  • Added beta support for Sun ONE Directory Server 5.2. It is greatly enhanced from the Netscape Directory Server Log Format, but should continue to work with Netscape Directory Server 5.1.
  • Enhanced IIS SMTP W3C Log Format: Added support for a new log format variant; Added operation and server_response fields and connect/disconnect counts.
  • Added "BETA" support for the Foundry Networks Log Format. This plug-in is based on the Foundry Networks BigIron plug-in and maintains support for BigIron while adding support for ServerIronXL.
  • Added "BETA" support for the Merak SMTP Log Format. Support is added for a format where the date is taken from the log file name and is not found in the log. Backward compatibility is maintained with the version supported by the existing Merak SMTP plug-in.
  • Enhanced praudit "BETA" plug-in to handle a single digit day in the date and simplified autodetection.
  • Enhanced the "beta" plug-in for "Juniper Secure Access SSL VPN Log Format": Improved session tracking by identifying more events which could be considered the end of a session. This will result in a more accurate "Maximum Concurrent Sessions" number.
  • Enhanced the plug-in for the Aventail Web Access Log Format to allow syslog and to strip layered syslog entries in the case where Unix Syslog logs to Kiwi Syslog. (Non-syslog logs are still supported by selecting "no syslog header" as the syslog type.)
  • Enhanced Watchguard XML plug-in to handle a few new fields.
  • Added support for ichain format.
  • Added support for a slight variant of Cisco VPN Concentrator.
  • Added "beta" support for the ipop3d Mail Daemon Log Format (BETA).
  • Added support for some types of "crashinfo" events for Cisco PIX/ASA/Router/Switch Log Format (BETA).
  • Improved FreeRADIUS to support all-capital month names.
  • Enhanced support for the Firebox x1000 format (among possible others) in the Watchguard Log Format plug-in. More types of TCP flags and lines with multiple TCP flags are now supported. A file with flags on all lines will now autodetect. The field "parameter" is now called "flags" to reflect its actual use.
  • Added support for version 5.2 to the Aladdin eSafe Sessions Log Format v5 plug-in and split the field "File Name\Mail Subject" field based on value of File Type, that is, if there is a file type, assume it is a file name, otherwise it is a mail subject.
  • Enhanced the Zyxel Firewall WELF Log Format to support newlines in the "msg" field. Without this support, information, such as Anti-Virus info, that followed the "msg" field was lost.
  • Increased number of lines examined during format auto-detection to 100 in "Oracle Listener Log Format".
  • Enhanced Symantec AntiVirus Corporate Edition plug-in to rewrite several additional fields to human-readable values.
  • Added enhanced error detection and reporting during Send Bug Report, so errors contacting the SMTP server to send a bug report, or other errors during the process, are reported in the web browser page when the bug reportis submitted.
  • Enhanced the "Novell iChain Extended (W3C) Web Server Log Format" plug-in.
  • Enhanced the Amavis log format plug-in.
  • Enhanced the Apache Combined (syslog required) log format plug-in to handle a slight variant.
  • Added parsing of Anti-Spam and Anti-Virus log lines to the NetScreen Log Format (BETA).
  • Enhanced Filezilla Server format to handle a new variant.
  • Enhanced IIS SMTP W3C format to include bytes transferred.
  • Changed field name "hits" to more accurate "events" in "Oracle Listener Log Format".
  • Added beta support for the IBM Tivoli NetView Log Format.
  • Added support for SurfControl "URL BLOCKED" entries to the beta NetScreen Log Format.
  • Added support for a new variant of EIMS SMTP (24 hour) Log Format.
  • Enhanced the "beta" postfix plug-in to handle a slight variant.
  • Improved Limelight plug-in; added better field labels.
  • Enhanced the "beta" IIS SMTP W3C Log Format to support another format variant. It now collects the server response from server response lines or from the sc-status field, whichever is available. It also now collects client-to-server bytes and server-to-client bytes from DATA and BDAT operations.
  • Enhanced the Juniper Secure Access SSL VPN Log Format (BETA) plug-in to allow users to configure the Host Checker rule and policy names for which passes and failures are counted.
  • Added "beta" support for the BroadWeb NetKeeper Log Format.
  • Added url field and associated derived fields and log filters to the Juniper Secure Access SSL VPN Log Format.
  • Added support for a log format variant that has no "Incoming client version" lines to "CT Mod 10 Nortel Contivity Log Format". (Note that there is an improved version of this plug-in called "Nortel Contivity Log Format (BETA)".)
  • Added support for a log format variant that has no time stamp to "Nortel Contivity Log Format (BETA)". (Note that there is an earlier version of this plug-in called "CT Mod 10 Nortel Contivity Log Format".)
  • Enhanced the Juniper Secure Access SSL VPN Log Format (BETA) plug-in to allow Host Checker rule or policy pass events to be tracked that are not explicitly in the log. This feature relies on user configuration of LogAnalysisInfo/rewrite_rules/host_checker.cfg. Also customized Host Checker reports.
  • Added expansion of Salang expressions in report headers and footers.
  • Added support for %I and %O LogFormat directives for Apache Custom format.
  • Added suport to the IronPort Log Format (BETA) for a format variant from Async OS version 4.6 which does not label lines with "Info:" and and "Warning:", at least with syslog. (Note that 4.7 was already supported.) Added rekeying of entries to avoid losing syslog info. Added handling of rewritten MIDs to pick up more antivirus info.
  • Added support to the Microsoft Media Server Log Format for a format variant where the field cs-uri-stem has been renamed (more accurately) cs-url.
  • Added expansion of Salang expressions in the "-of" command line option. For example, -of "/reports/report_{= replace_all(substr(epoc_to_date_time(now()), 0, 11), '/', '_') =}" will generate a file name with today's date at the end of it.
  • Added support to the Juniper/Netscreen Secure Access Log Format (BETA) for TCPPkt lines.
  • Enhanced Clavister Firewall support to handle differently-ordered fields.
  • Added the unique total to the sub-total and total rows of reports for unique numeric columns. The percent column, if it is visible, for unique numeric columns, will use this total instead of the sum of the values in the column. (Percents in the rows will not add up to 100% if there is overlap among the unique values, but the totals row will show 100% because the total will be the total of all unique values for that column.)
  • Enhanced the "beta" postfix plug-in to handle a new variant (2.4).
  • Added support for the GeoIP Organization database (with separate purchase and download of the database).
  • Added support for the GeoIP ISP database (with separate purchase and download of the database).
  • Added support for the GeoIP Domain database (with separate purchase and download of the database).
  • Fixed a bug where, in a report filter, an OR of empty "matches" expressions (e.g. '(page matches "zzz*") or (page matches "yyy*")' where there were no pages matching either) would select everything, instead of selecting nothing as it should.
  • Enhanced Barracuda Spam Firewall plug-in to extract much more information; also fixed some errors with extraction.
  • Added a server session timeout preference; web access to Sawmill times out automatically if the session is inactive longer than the specified value.
  • Enhanced memory management of "beta" IronPort plug-in, to prevent excessive memory usage on very large datasets.
  • Worked around a bug in Microsoft Media Server where x-duration could overflow, resulting in very large durations.
  • Optimized authentication command line so it is called only once per authenticated session (instead of once per page).
  • Enhanced Gene6FTP support to add support for DELE, RETO and REFR lines.
  • Added support for Wowza Media Server log format.
  • Fixed a bug with Blue Coat W3C format, where the time-taken field was reported in seconds, rather than milliseconds.

Version 7.2.9, shipped February 09, 2007

Bugs fixed in version 7.2.9:

  • Fixed a bug which could cause a crash when rendering tables with subtables, if there were more than two non-aggregating (string) columns.
  • Fixed a bug where the referrer field was not handled properly in Apache Custom data; the referrer field was not given the correct 1-to-3 hierarchy, and the "search engine" and "search phrases" reports were not created.
  • Fixed a bug in the Blue Coat W3C Log Format (ELFF) preventing correct parsing of logs with date and time fields instead of a localtime field in the W3C header.
  • Fixed a bug in the Blue Coat W3C Log Format (ELFF) where a GMT offset in the localtime field would be treated as the next field.
  • Fixed a bug which could cause an error if a Report Filter specified in the report editor contained a literal $.
  • Fixed a bug where scheduled tasks would compute the previous day based on the current time in GMT, rather than the current time, sometimes resulting in a "yesterday" report containing data from two days ago.
  • Fixed bug where month names were incorrectly displaying in non-English installations, if the month name was more than three bytes long.
  • Fixed a bug where action emails did not include To: or From: headers.
  • Fixed a bug where month names were not translated in graphs, in non-English installations.
  • Fixed a bug where capitalized month names were not correctly recognized in Free Radius logs.
  • Fixed a bug with the "beta" plug-in for Interscan Messaging Security Suite, which caused some fields to not be tracked in some variants of the format.
  • Fixed a bug with the "beta" plug-in for Postfix, where an Empty node name error would occur when building a database.
  • Fixed a bug which would cause an error on Solaris, when converting the charset of the log date, or of CSV export data.
  • Fixed a bug which could cause unreasonably high memory usage while generating reports, sometimes resulting in an out-of-memory error "while expanding fstring buffer".
  • Fixed a bug which would cause Sawmill to process Windows dump evt logs while consuming high disk and CPU resources, and seeing extremely slow processing times.
  • Fixed a bug where command-line options containing plusses (+) were not handled properly, resulting in command-line parsing errors.
  • Fixed a bug in the beta plug-in for Cisco PIX/ASA/Router/Switch Log Format where the "Destination service" was not being set.
  • Fixed a bug which would cause an error "Unknown variable 'lang_admin.action_emails.actions.remove_database_data'" when sending an action email for a remove_database_data operation.
  • Fixed a bug which could cause errors on Windows, when using a command line argument containing spaces, and ending with a slash. Among other things, this would cause an error when generating all reports to an HTML folder when the folder name contained a space.
  • Fixed a bug where in some cases, three-digit negative integers like -123 would be displayed as -,123.
  • Fixed a bug where log entries using EPOC format (seconds since 1970) were rejected as corrupt, if the date/time was older than 08/Sep/2001 18:46:40.

New features in 7.2.9:

  • Added "BETA" support for the Datagram Syslog Format.
  • The Cisco PIX/ASA/Router/Switch Log Format now handles negative connection numbers in "Built" and "Teardown" events.
  • Added "BETA" support for the Metavante CEB Failed Logins Log Format.
  • Changed the Juniper Secure Access SSL VPN Log Format to be a "Syslog Required" format. The standalone version is still supported by selecting the "No Syslog Header" syslog format.
  • Enhanced Microsoft Media Server log format, to track successful events (called "clips") as well as all events (called "events"), so averages shows averages over successful events.
  • Enhanced Interscan Messaging Security Suite log format to handle a slight variant.
  • Enhanced Snare format to extract a different format of "action" field, to handle Windows pathnames with drive letters in field value, and to handle slight variations in spacing between fields.
  • Added support for LRS VPSX Accounting Log Format.
  • Added support for a new variant of qmail-scanner logs, with dd/mm/yyyy format dates.
  • Enhanced ISA CSV format to track all fields, using proper names, and to track all numerical fields, and to group reports.
  • Added support for Limelight Flash format.
  • Fixed a bug where emails send by Sawmill on Windows would not display the correct time when viewed in some mail clients (especially Outlook Express).
  • Enhanced IronPort plug-in to handle a variant.
  • Enhanced Ironmail Spam format to extract IP information from the RBL record.
  • Added "BETA" support for the OpenBSD Packet Filter (tcpdump -neqttr) Firewall Log Format
  • Added support for IronPort logging to a syslog server, in the "beta" IronPort plug-in.
  • Enhanced the "beta" plug-in for "Juniper Secure Access SSL VPN Log Format": Added detailed reporting of Host Checker policy failures and numeric fields to count unique users failing each Host Checker rule. Added Sessions reporting to capture such information as maximum concurrent users.
  • Extended the existing MDaemon 8 log format plug-in to support a slightly different variant of the log format.
  • Added support for TACACS Accounting log format.
  • Enhanced Zywall plug-in to group reports, and to include a new Security group.
  • Improved the tracking of connections in Cisco PIX/ASA/Router/Switch Log Format (BETA).
  • Added support for additional types and formats of "Deny" events for Cisco PIX/ASA/Router/Switch Log Format (BETA).
  • Enhanced the Firewall-1 NG format to support many more fields, to group reports, and to track many numerical fields.
  • Added a beta plug-in for the Sidewinder Firewall Log Format which supports the Sidewinder 6.1.003 format in addition to already supported versions.
  • Enhanced MAILsweeper plug-in to support a new variant.

Version 7.2.8, shipped November 06, 2006

Bugs fixed in version 7.2.8:

  • Fixed a bug where date/time information could not be displayed as a pie chart; it would always appear as a bar or line graph, even if a pie chart was requested.
  • Fixed a bug where numerical fields of type float, and aggregation operator "sum", would be truncated to about 2 billion (2GB), or it would be wrapped to smaller and possibly negative numbers.
  • Fixed a bug where non-derived database fields with no corresponding log fields in Netgear Security Log Format caused errors during report generation.
  • Improved the "beta" plug-in for the Backup Exec Log Format (XML). The plug-in now handles CDATAs, multi-line tags and extremely large numbers of backed-up files.
  • Fixed a bug where the text of the Use Sawmill button in the windows Sawmill.exe program was not internationalizable.
  • Fixed a bug which would give a "no such directory" error after connecting to a password-protected share through the File Browser, if the share name contained a $ (the share was correctly connected, but was not correctly displayed on the next page).
  • Fixed a problem where Windows sometimes tried to start Sawmill in C:\, when running as a service; this caused it to fail. SawmillService.exe now explicitly changes to the installation directory before running SawmillCL.exe.
  • Fixed a bug where 24-bit screen depths were not reported in the Screen Depths report.

New features in 7.2.8:

  • Added "BETA" support for Separ URL Filter Log Format.
  • Added an improved "beta" plug-in for Helix Universal Proxy log format.
  • Added "BETA" support for Netgear FVL328 Log Format (logging to syslog).
  • Added "BETA" support for Web Sense Log Format.
  • Added improved "BETA" plug-ins for Argosoft Mail Server Log Format to support a format variation and dd-mm-yyyy dates.
  • Added support for version 200A to "beta" plug-in for FortiGate Log Format.
  • Added "BETA" support for Aventail Web Access Log Format.
  • Added "BETA" support for IBM Tivoli Access Manager WebSEAL Log Format.
  • Enhanced Sidewinder Firewall and Sidewinder Syslog formats to track more fields, and to group reports.
  • Added "BETA" support for SiteMinder Policy Server Log Format.

Version 7.2.7, shipped October 06, 2006

Bugs fixed in version 7.2.7:

  • Fixed a bug where times in log data with AM/PM specified would be misreported; noon-1pm would be reported as midnight-1am, and midnight-1am would be reported as noon-1pm.
  • Fixed a bug in handling of dd/mm/yy formats in log data, which could cause a crash if mm was greater than 12.
  • Fixed a bug in the send_email() function where the message had to end with \r\n.
  • Worked around a problem where some firewalls introduced an additional space in HTTP headers, causing problems for Sawmill when Sawmill was running in web server mode and was accessed through the firewall. Problems included repeated reloads of report pages and other pages in the web interface; pages would finish loading, and would then reload, repeatedly. Sawmill now removes this additional space automatically, which works around this type of firewall issue. This is known to be an issue in ISA 2004, and is probably an issue with some other firewalls.
  • Fixed a bug in the FAQ, present only in Sawmill 7.2.6, which caused the error "Unknown variable 'docs.faq.db.duplicate_profile.question'" when clicking FAQ.
  • Fixed a bug where log filter descriptions containing variables would not be expanded; the variables would appear literally.
  • Fixed a bug which could cause a crash during log processing, if using a plug-in which used "rekey" functionality, and which rekeyed a key to itself (uncommon, but could happen in imail format).
  • Fixed a bug which could causes crashes on some Linux systems, when building the xref tables for databases with "max" or "min" numerical fields.
  • Fixed a bug which would cause an error if all reports were deleted in the Report Editor.
  • Fixed a bug where recentdays:N and similar old-style filters, did not work from the command line, and failed with an error about not being able to find node "type".
  • Fixed bug in IceCast format which could cause negative or very large total_duration_96kpbs.
  • Fixed bug in Blue Coat W3C format which could cause data to be ignored, if a dataset switched in midstream from using date and time fields, to using a localtime field.
  • Fixed a bug in Exim 4 "beta" format which could cause the error "Unknown variable 'v.name_value_pairs' in expression while processing" while building a database.
  • Fixed bug in "Symantec Security Gateways Log Format (SGS 2.0/3.0 & SEF 8.0) (BETA)" log format; mapped key "Target" to url field to get url reporting.
  • Fixed a bug where if a log source contained a UTF-16 file, followed by an 8-bit file, the 8-bit file would fail to parse.
  • Fixed a bug in the "beta" Snare plug-in which caused lines to be rejected if they ended with a space.
  • Fixed a bug which could cause single lines of log data to be split into multiple lines during processing, if the line was more than 50kiB.
  • Fixed a bug where '+' characters were not properly converted to spaces, when displaying search phrases.
  • Fixed a bug where SMTP connections from Sawmill did not send an appropriate QUIT message, resulting in errors logged in the SMTP server.
  • Fixed a bug where "action" emails did not contain full information about the task performed.
  • Fixed several bugs which could cause error message parameters to be omitted, resulting in error messages with words or other values missing.
  • Fixed a bug in the WebNibbler log format plug-in which caused search engines and search phrases to be blank in the reports.
  • Fixed a bug which could cause a crash on 64-bit Windows, when displaying empty table reports.
  • Fixed a bug which could cause an error when generating a report, if a hard-coded report filter, or report element filter, contained an expression which could not be delivered by a database xref table, and required a full table scan; the error was, "Expression not supported by field limits."
  • Fixed a bug which could cause an error about "v.icid" not existing, when building a database using the "beta" IronPort plug-in.
  • Fixed bug which could cause a hang while building a database with an FTP log source, if one of the log files was not readable on the FTP server.
  • Fixed a bug which could cause underreporting of large duration numbers in HTML reports, when they exceeded about 38 years, when using certain duration display formats ("duration_compact" and "duration"); numbers above the limit were truncated to values between 0 and 38 years.
  • Fixed a bug where "max" or "min" numerical fields were not displayed properly in tables, in some cases (they appeared as huge negative numbers).

New features in 7.2.7:

  • Improved the "beta" Cisco PIX plug-in: added extraction of user name from "Accessed URL", "Built" and "Teardown" lines, and added support for system where outgoing users are authenticated with TACACS.
  • Improved the "beta" Symantec Gateway Security plug-in, adding support for two different formats for repeated lines ("Message Count = N" and "message repeated N times"), and adding / as allowable character in a service name, and adding support for two more format variations, plus some simplification of regular expressions and flow.
  • Added "beta" support for Juniper Netscreen Secure Access log format.
  • Added "beta" support for SafeSquid Combined log format.
  • Added "beta" support for SonicWall TZ 170 log format.
  • Improved Squid (syslog required) log format to add tracking of geographic location.
  • Added support for TFS MailReport Extended Log Format.
  • Enhanced Zone Alarm support, to report on source descriptions which are not in IP:port format.
  • Added support for Nortel SSL VPN Log Format.
  • Added support for WinRoute Connection Log Format.
  • Added support for WinRoute Web Log Format.
  • Added support for Symantec Mail Security Syslog header format.
  • Enhanced IronPort beta log format to report SBRS information better.
  • Improved Windows console output of SawmillCL.exe, so messages and text displayed to console appear in the proper OEM code page on non-latin systems. This allows, e.g., Russian systems to see error messages correctly in the Command Prompt windows, instead of seeing garbled messages (due to an attempt to display UTF-8 error messages in the OEM code page).
  • Enhanced InterScan Viruswall Log Format to track HTTP message, and another format of SMTP messages.
  • Added support for CWAT log format.
  • Enhanced support for Steel Belted Radius, with a new "beta" plug-in.
  • Enhanced SonicWall 5 format to handle yyyy/mm/dd dates.
  • Added support for Syslog NG (tab-separated) format.
  • Enhanced "beta" Cisco PIX to track "Received ARP request collision" lines, and "Denied SSH session" lines.
  • Improved support for Nagios log format.
  • Enhanced "Cisco VPN Concentrator (Comma separated - MMDDYYYY)" log format; added support for disconnect lines without a "Session type"
  • Added support for "Fiserv Financial Easy Lender - Unsuccessful Login Audit" log format.
  • Added support for "Easy Lender - Login Audit - Comma Separated" log format.
  • Added support for "Apache/NCSA Combined Log Format with Syslog (BETA)" log format.
  • Enhanced "Juniper/Netscreen Secure Access Log Format (BETA)"; expanded actions collected (upload, download, etc), added new numeric fields, made it work with non-syslog, and added collection of user details (break long user string into name, realm, role).
  • Added support for "Intersafe HTTP Content Filter Log Format (BETA)" log format.
  • Added support for "Squid Common Log Format - Syslog Required" log format.
  • Fixed bug in "Netgear Security Log Format"; removed non-derived database fields with no corresponding log fields which were causing report errors.
  • Enhanced "Backup Exec Log Format (BETA)"; added server and name fields from header.
  • Added support for "Kernun DNS Proxy Log Format".
  • Added support for "Kernun HTTP Proxy Log Format".
  • Added support for "Kernun Proxy Log Format".
  • Added support for "Kernun SMTP Proxy Log Format".
  • Enhanced the "beta" Postfix plug-in to report spam information, when present.
  • Enhanced the "beta" IMSS plug-in to handle a variant in virus.log, and to report recipients better in log.log.
  • Added "beta" support for IBM HTTP Server log format.
  • Added "beta" support for Piolink Network Loadbalance log format.
  • Fixed a bug which would cause an error when building a MySQL database, if the profile contained a database field called "length".
  • Improved date/time graphing to properly graph hours, minutes, and seconds on extended date/time intervals.
  • Added "beta" support for Datagram Syslog Agent log format.
  • Enhanced the "beta" Fortigate plug-in to handle a new variant (OS 3.0).
  • Added support for Sharetech Firewall log format.
  • Fixed a bug which resulted in %-sequences not being converted in search phrases.
  • Added "beta" support for the latest Border Manager log format (an earlier non-beta plug-in, which is still included, also supports the older format).
  • Enhanced Fortinet format to track all numerical fields.
  • Improved "remove database data" for MySQL databases, by adding an OPTIMIZE TABLE step after removing the data from the main table, to compact the size of the table on disk.
  • Added a new "beta" log format plug-in for IIS SMTP W3C, which handles any combination of W3C fields being present, and tracks queued and delivered messages and bytes.

Version 7.2.6, shipped June 09, 2006

Bugs fixed in version 7.2.6:

  • Fixed a bug in cisco_vpnconcentrator format where sent bytes was reported as both sent and received bytes.
  • Fixed a bug in Unix Syslog plug-in, where if the first line of data seen by a database update was a "last line repeated" line, it would cause an error about "unknown node v.last_log_line".
  • Fixed a bug which affected most firewall and proxy plug-ins, which caused page views and file types to be calculated incorrectly (file type would be empty, and page views would be the number of total events).
  • Fixed a bug where the Paths Through A Page report could become mangled if pages contained the sequence %00, or other strange sequences.
  • Fixed a bug where if a report was generated from the "main table" of the database (i.e., if it could not be generated from any xref table), then zooming to that report would show an empty table.
  • Fixed a bug where "minimum" fields were not computed properly (they were only computed if they were less than 0).
  • Fixed a bug in the Session Overview report which could cause undereporting of number of repeat sessions when the session visitor ID field is hierarchical.
  • Fixed a bug which would cause autodetection to hang on Alpha/Linux.
  • Fixed a bug in the Quicktime Streaming Server plug-in, which would cause an error when displaying session reports.
  • Fixed a bug which could cause a crash when displaying reports, if certain types of filters were uses simultaneously, with the internal database. This bug could theoretically also affect other aspects of Sawmill, and under some circumstances, could cause corruption of the cross-reference tables during builds.
  • Fixed a bug where "bottom-level items" checkbox was missing from the report editor, when editing a subtable report.
  • Fixed a problem where a report element could be saved with no numerical fields, which would break the report and the report editor.

New features in 7.2.6:

  • Added support for an "expression" field in database fields, which specified a Salang expression to evaluate to compute the value of that field in reports. This provides almost unlimited flexibility for customizing and computing the values of table cells.
  • Added a new built-in Salang function, unique(), which returns the list of unique field values (e.g., the list of IPs, for a visitors field) for a particular filter expression.
  • Enhanced "BETA" Juniper SSL format to track TCPPkt data.
  • Added filter_initialization_syslog and filter_finalization_syslog plug-in options, to run initialization and finalization code for the syslog portion of the plug-in
  • Added maximum concurrent sessions to Sessions Overview.
  • Improved Microsoft Media Format plug-in to treat each event as a session: a login and a logout. This allows reports of maximum concurrent connections, on a per-file or per-directory basis.
  • Added detection of Firewall-1 Binary Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support (using "fw log" or "fw logexport" or "fw log ftn export", or by exporting it from the Log Viewer).
  • Added support for the latest variant of SpamFilter ISP log format.
  • Added "BETA" support for Cisco NetFlow (flow-export) log format.
  • Added "BETA" support for RAIDiator Error log format.
  • Fixed a problem which could cause and "itemnum=0" error when filtering on a non-existent value in a field, using a report filter.
  • Improved Oracle Failed Logins format to handle a variant with missing fields.
  • Added support for %Y/%m/%d and %H:%M:%S format, in Apache Custom format strings.
  • Enhanced the Apache Custom plug-in to track {URI}, {Content-Length}, and source IP fields.
  • Enhanced the "beta" Symantec Gateways Security plug-in to support a new variant.
  • Added support for Metavante log format.
  • Improved SQL Profiler log format to handle dashes in dates, and to parse multi-line fields better.
  • Improved Unix Syslog plug-in to handle IPv6 addresses.
  • Added support for Aladdin Esafe Sessions logs, version 5.
  • Added support for Sonic Wall TZ 170 log format.
  • Improved Shoutcast 1.8+ format to track countries/regions/cities.
  • Improved ISC DHCP format to handle another variant, and to handle some extra fields.
  • Enhanced SHOUTcast W3C format to track unique client IPs, to categorize reports, and to report session information, including concurrent sessions.
  • Enhanced Microsoft Exchange 2000 log format to report number of unique recipients.
  • Improved date extraction in Watchguard log format when no syslog header exists.
  • Added support for Bind Update log format.
  • Added support for Event Reporter v6 log format.
  • Added support for MDaemon 8 log format.
  • Added a MacOS 10.4 distribution for Intel Macs.
  • Changed the "recent linux" distributions, both 32-bit and 64-bit, to build on CentOS 4, ensuring compatibility with Red Hat Enterprise Linux 4. Previous versions were built on Fedora Core 4, which is less compatible.

Version 7.2.5, shipped May 08, 2006

Bugs fixed in version 7.2.5:

  • Fixed a bug where profile deletion did not work from the web interface.
  • Fixed a bug in Antispam SMTP Proxy log format, where entries single-digit month days were rejected.
  • Fixed bug where sessions were not logged out by a page value of "(logout)", if that value happened to be the very last unique page encountered in the log data.
  • Fixed a bug which would cause an error when searching the documentation, when Sawmill was running in CGI mode and was configured to use a "temporary directory" to serve static files.
  • Fixed "wildcard" and "regular expression" report filters to be case-insensitive for case-insensitive fields.
  • Fixed a bug which could cause a crash when updating using "skip previously seen files" from a log source containing tens of thousands of files.
  • Fixed a bug which could cause a slow updates when updating using "skip previously seen files" from a log source containing tens of thousands of files.
  • Fixed a bug which would cause an error when generating the Log Detail report, if it contained more than 61 non-numerical columns, when using a MySQL database.
  • Fixed a bug which could cause a crash while generating reports from a MySQL database, if one or more of the numerical column names conflicted with MySQL keywords.
  • Fixed a bug in the Sawmill service which caused it to fail to start on some Windows systems. This could theoretically affect any Windows system, but apparently does not affect most, and was only actually seen on some (not all) Windows 2003 Enterprise systems.
  • Unix syslog; extraction of the year portion of the date from file name changed to use a more restrictive regular expression.
  • Fixed a problem where license keys would be considered invalid if they were entered with capital letters.
  • Fixed a bug where numerical database fields which aggregated using the "maximum" or "minimum" operators were not aggregated properly when using a MySQL database (they were summed instead).

New features in 7.2.5:

  • Added "beta" support for Flash Media Player log format.
  • Enhanced Ironmail Spam log format to handle a variant.
  • Enhanced "beta" Cisco plug-in to handle a few additional lines, and to report the "list" field.
  • Enhanced Barracuda Spam Firewall to report BLOCKED lines.
  • Enhanced Microsoft Exchange 2000/2003 log format to report sender and recipient domains, and to group reports.
  • Added "beta" support for nmap log format.
  • Enhanced the "beta" Symantec Gateway Security plug-in to handle integer month names.
  • Added "beta" support for PeopleSoft AppServer Log Format.
  • Improved Kiwi mm/dd/yyyy format to allow logging_device and syslog_priority to be in either order.

Version 7.2.4, shipped April 07, 2006

Bugs fixed in version 7.2.4:

  • Fixed a bug where sorting by an "average" field would actually sort on the sum of the field values, and where an "average" graph would actually graph the sum.
  • Fixed a bug where if you zoomed on a date/time value, then zoomed on a session user, it would result in an error, "Couldn't find node 'xyz' in language.english.lang_stats.months_short".
  • Fixed a bug which would cause drive mapping to fail from the File Browser in Windows.
  • Fixed a bug which would cause new data to be discarded at the end of a CSV file, if the database was built from a partial CSV file, then later updated from a longer version of the same file. In that case, Sawmill would not add the new data.
  • Enhanced dumpel format to report the "strings" field.
  • Fixed a bug which could cause a crash if LogAnalysisInfo was relocated using LogAnalysisInfoDirLoc, and the new location was a very long pathname.
  • Fixed a bug where the "previously processed filenames" list was not updated on database update, so Sawmill was falling back on slower checksum-based log data skipping, when it should have been doing faster filename-based skipping.
  • Fixed a bug in Apache Custom format which could cause an error about "unknown field 'referrer'" when building a database from a log file which does not contain a referrer field.
  • Improved/fixed detection of Windows 2003 Server, Windows .NET Server, and Vista in user agent fields.
  • Fixed a bug in charset conversion, where if the input log data was being converted to a different charset than its native charset, a few characters (up to one every 10,000 bytes) could be dropped from the data. This could affect the skipping algorithm used to determine what data was already in the database, causing an update to re-add data which was already there.
  • Fixed a bug which would cause an error a about "file in use by another process" when viewing Single-Page Summary on Windows, if a filter set was selected which discarded all session events, or if there were no session events in the log data.
  • Fixed a bug in Blue Coat W3C support which would cause an error when viewing the Single-page summary, when processing data with "date" and "time" fields separate.
  • Fixed a problem with the user-agent parser which would incorrectly categorize some Windows 2003 systems as Windows Vista.
  • Fixed a bug which could cause incorrect parsing of date/time values in W3C data which had both a time-taken field and a time field.
  • Fixed a bug in the tracking of log lines processed, which could result in them lines processing being overreported by as much as 2x, for some log formats (those which uses accept/collect to parse). This was a cosmetic bug, affecting the progress display; the numbers in report were not affected.
  • Fixed a bug where the service did not start properly on x64 Windows.
  • Fixed a memory leak which could cause high memory usage (or out-of-memory errors) while generating reports.
  • Fixed a memory leak which could cause high memory usage (or out-of-memory errors) while building a database, especially when using a log format plug-in with complex parsing filters.
  • Fixed a bug which would cause an error about "item is its own superitem" when doing a MySQL database build, if the referrer field (or another URL field) ended in a question mark (?), and the log format plug-in did not list a question mark as the hierarchy divider for that field.
  • Fixed a bug where the Cisco Voice Router plug-in did not handle one-digit days properly.

New features in 7.2.4:

  • Enhanced "beta" Cisco PIX support to handle access-list lines, and to handle hit-cnt lines.
  • Added support for wildcard expressions in "session contains" filters.
  • Added support for Aventail Client/Server Access log format.
  • Added "beta" support for Instagate Syslog format.
  • Added "beta" support for RACF Security log format.
  • Enhanced RACF Security log format to extra username, intent, and allowed fields.
  • Added "beta" support for SmartFilter (Bess) Log Format.
  • Added -sb (sort_by) and -sd (sort_direction) options which can be used on the command line, or in the Extra Options of the Scheduler, to temporarily override the sort_by order and sort_direction.
  • Enhanced EIMS 24-hour format with a new "beta" plug-in which tracks a new log line format.
  • Enhanced Microsoft Media Player format to add play duration per visitor, and play duration per clip.
  • Improved the File Browser to jump straight to a share or drive after it is authenticated or mapped.
  • Added support for field named "date-time" in W3C headers, with EPOC format.
  • Enhanced the Cisco PIX "beta" plug-in to handle PIX, ASA, Router, and Switch messages in a single plug-in.
  • Added "beta" support for Kiwi Syslog (Logged to Access MDB, then exported tab-separated).
  • Enhanced Symantec SGS format to handle German month names.
  • Added "beta" support for log4j Log Format.
  • Added a a line showing the number of files matched, to the "Show Matching Files" window.
  • Enhanced IceCast version to track total and average durations (based on 96kbps stream), and to track 15+ minute sessions. This can be used to report FC Cume and other radio metrics.
  • Added support for a new variant of Free Radius Detail log format.
  • Added a support for specifying the ending row of a CSV export, using -er from the command line.
  • Added a new -tr command line option, which when true, includes a Total row in CSV export, similar to the one that appears in HTML reports.
  • Added a new -of command line option, which when specified, causes CSV export output to be generated to the specified file, rather than to standard output.
  • Added a new -eol command line option, which when specified, overides the default end-of-line character used in CSV output.
  • Added "beta" support for EventReporter log format.
  • Enhanced the "beta" Mail Enable plug-in to show POP3 events.
  • Added "beta" support for iptables config log format.
  • Added "beta" support for Netscreen Neoteris Web Client Export log format.
  • Added "beta" support for Barracuda Spyware Firewall log format.
  • Enhanced "beta" sendmail plug-in to track queued and delivered messages (and bytes) separately.
  • Enhanced RADIUS Accounting log format to track maximum connections.

Version 7.2.3, shipped March 06, 2006

Bugs fixed in version 7.2.3:

  • Fixed bug where month names appeared in English in Individual Sessions, and in the date range display at the top of reports, regardless of the selected language.
  • Fixed bug which could cause an error "Unknown variable 'lang_admin.log_filters.simplify_referrer_label' in expression" when viewing Log Filters.
  • Enhanced the "beta" Mail Enable plug-in to handle two-digit years.
  • Fixed a bug in Coradiant Object v2 format which would cause an error "Unknown variable 'cs_referrer'" when building the database.
  • Fixed a bug in the "beta" Cisco PIX plug-in which could cause the error "Syntax error: Expected variable, subexpression, or identifier -- found <" when building a database.

New features in 7.2.3:

  • Enhanced Exim 4 log format to report Antibody information, if present.
  • Added verification of LogAnalysisInfo version, to ensure that a Sawmill binary is not used with a mismatched LogAnalysisInfo directory.

Version 7.2.2, shipped March 03, 2006

Bugs fixed in version 7.2.2:

  • Fixed a bug where DNS lookups were not cached, resulting in very slow performance when using DNS lookup.
  • Fixed a bug in "beta" IMSS log format, where some "Received by" lines were ignored.
  • Fixed a bug which would cause an error during log processing, if the build was done from the command line with the "-v f" option, and a log filter used starts_with() or ends_with(), and one of the values used by the function contained a dollar sign.
  • Fixed a bug which could cause a crash when running Sawmill on a SPARC processor, during the cross-reference table build step of database builds, if there was a floating point numerical field in the database.
  • Fixed ISA/CSV format to handle one-digit hours.
  • Fixed a bug in ISA W3C which would cause an error when processing log data which did not have a cs-uri.
  • Fixed a bug where if an FTP password contained a plus sign (+), the Create Profile wizard would fail with an "Unknown command line options" error.
  • Fixed a bug where the "logo" line was generated to the console for each new process spawned, instead of just once.
  • Fixed a bug which could cause a crash during databases builds, especially with very large datasets.
  • Fixed a bug where the LogAnalysisInfoDirLoc file contents was ignored, causing an error if LogAnalysisInfo had been relocated by putting its pathname in that file.
  • Fixed a bug which could cause a crash if a web server click took too long to process.
  • Increased the timeout for web server clicks to 60 seconds (from 10), so documentation searches (and other long processes) taking more than 10 seconds will not time out.
  • Fixed a bug which could cause an error about "node type not found in ... framed_portocol" when analyzing IAS log data.
  • Added support for "last message was repeated N times" lines in UNIX syslog. The UNIX syslog plug-in now properly identifies these lines, and uses them to replicate the previous line N times, so the correct number of events appear in reports.
  • Fixed a bug where if a database was corrupt in a certain way (missing itemnums table), it could not be rebuilt from the web interface, because clicking Rebuild Database would give an error.
  • Fixed a bug where CSV exported files did not download properly when using Sawmill in CGI mode.
  • Fixed a bug which could cause a crash when viewing reports, if the database was corrupt in a certain way (in particular, if the "items" table did not exist in the database, or was not fully built).

New features in 7.2.2:

  • Added support for DansGuardian 2.9 log format.
  • Added "beta" support for Mailman Post Log Format.
  • Added "beta" support for Watchguard XML log format.
  • Added "beta" support for Windows Firewall log format.
  • Added an improved "beta" Amavis log format plug-in.
  • Added "beta" support for Cisco As5300 Log Format.
  • Added Polish translation of Sawmill.
  • Added "beta" support for McAfee WebShield XML format.
  • Added support for \t and %% in Apache LogFormat directives.
  • Added "beta" support for XWall log format.
  • Added "beta" support for Snare for AIX log format.
  • Added a new "No Syslog" plug-in which can be used to report on log data which sometimes has a syslog header, but does not in this case, using the standard "device" plug-in for that format.
  • Enhanced the "beta" Snare plug-in to extract timestamp information from the Snare data, if present.
  • Added "beta" support for Internet Security Systems Network Sensors log format.
  • Enhanced Domino Access log format support to track processing time, cookies, and translated URL.
  • Added "beta" support for Juniper Secure Access SSL VPN Log Format.
  • Enhanced Argsoft Mail Server Log Format to handle a slight variant with AM/PM times, slashes instead of dashes in dates, and some slightly different spacing from the older format.
  • Added "beta" support for Sourcefile IDS log format.
  • Added "beta" support for AutoAdmin log format.
  • Enhanced Symantec Security Gateways Log Format to support a slight date variant.
  • Enhanced Symantec Antivirus plug-in to handle a slight variant.
  • Added "beta" support for Annex Term Server log format.
  • Added a new "beta" version of IAS CSV log format. The new version categorizes reports for a much nicer report menu, and tracks many additional database fields, including octets and packets.
  • Added support for direct serving of static HTML files through Sawmill's built-in web server. This makes it possible to generate HTML report to LogAnalysisInfo/WebServerRoot, and serve them from there directly.
  • Added "beta" support for Flex/JRun Log Format.
  • Added "beta" support for Netscreen Web Client Export Log Format.
  • Added "beta" support for Kerio Mailserver Mail Log Format.
  • Added "beta" support for Bintec VPN 25 or XL Log Format.
  • Added support for Novell Border Manager Log Format logs with a W3C header.
  • Added "beta" support for Backup Exec Log Format.
  • Added a new "beta" version of Argosoft Mail Server Log Format, which tracks much more information, including messages queued vs. delivered, multiple recipients, and connections rejected.
  • Changed log processing order to process the newest file (based on modification date) first. This helps with a common problem with IIS logs (for instance) where the oldest log has less complete headers than the newest log (because fields have been turned on); profile creation in this case needs to be done based on the newest log, not the oldest one, to get best results. This change in order ensures that the profile creation will be based on the newest log data.
  • Added "beta" support for MPS log format.
  • Added "beta" support for TippingPoint IPS Log Format.
  • Added a "Printer Friendly" icon to the report toolbar, for generating a version of a report formatted for printing.
  • Enhanced the "beta" Cisco PIX plug-in to autodetect ASA data, and to support "side" fields containing spaces.
  • Added detection of binary Watchguard log format. Sawmill can't process that format because it's a binary file, but it reports what it is, and describes how to export it.
  • Enhanced Barracuda Spam Firewall log format plug-in to track senders and recipient data separately, and to track quarantined, spam block, virus block, and tagged messages.
  • Enhanced "auto" date format to support any mix of upper/lower case in month names.
  • Enhanced the "Network Shares" button (formerly "Map Drives"), in the file browser, to support access to password-protected shares on Windows, without mapping them as drive letters.
  • Added additional information to the TaskLog line generated by database builds and updates, including total bytes processed, time elapsed, entries per second, and bytes per second.
  • Added support for per-profile languages (through statistics.miscellaneous.language), and per-user languages (through a language value in the user .cfg file).
  • Added "beta" support for Cisco Switch/Router Log Format.
  • Enhanced Cisco Voice Router format to track duration, bandwidth, and much more.
  • Added "beta" support for openldap Log Format.
  • Added "beta" support for Barrier Group Log Format.
  • Added "beta" support for Nortel Networks Instant Internet Log Format.
  • Added "beta" support for Performance Monitor Log Format.
  • Added "beta" support for Cisco WLAN Controller Log Format.

Version 7.2.1, shipped February 02, 2006

Bugs fixed in version 7.2.1:

  • Fixed a bug which DNS lookup which could cause crashes on some platforms, including 64-bit Windows.
  • Fixed a bug where "average" database fields reported the sum of the field values instead of the average.
  • Fixed a bug where duration_milliseconds and duration_microseconds fields omitted zeros after the decimal point, when they were displayed in HTML reports.
  • Fixed a bug where if the log time format was "auto", then times of the format "12:nn PM" would be normalized as "24:nn", resulting in an error in the "hour of day" report.
  • Fixed a bug which could cause a "floating exception" on Tru64 UNIX during database builds.
  • Fixed a bug which could cause a crash while generating a table report if: 1) the profile used a MySQL database, 2) the profile included a "unique" field like the "visitors" field fo web log analysis, and 3) the table being generated did not include that field in any column.
  • Fixed a bug with the NetScreen "beta" plug-in, where src/dest IPs were not reported for attacks.
  • Fixed a bug which could cause an error "no node 0 found in log_source" when clicking Show Matching Files, if the first log source had been deleted.
  • Fixed a bug where if scheduled tasks overlapped, the later one would sometimes not be run.
  • Fixed a bug where multiprocessor builds would fail on Windows if a custom database directory was specified, and if that directory name contained a space.
  • Fixed a bug in the handling, in Sawmill's HTTP server, of the If-Modified-Since and If-None-Matches headers; this should improve performance for caching browsers and proxy servers.
  • Fixed a bug in PIX Firewall Syslog Server Format which caused some log data to fail to parse.
  • Fixed a bug which could cause a crash when generating a report table, when using a MySQL database, if the table contained both unique and non-unique rows, and if at least one of the rows had all zeros for the non-unique columns.
  • Fixed a bug with NetApp, where entries could be rejected due to date/time corruption, though the date/time values were not actually corrupt.
  • Fixed a bug where the Apache LogFormat directive parser did not recognize special fields, like User-Agent, unless they were capitalized just the way it expected.
  • Fixed a bug which occurred when using the internal database, where if a database field was case-insensitive, and a value occured with different cases in different places in the log data, zooming on that value would show only some of the items below it.
  • Fixed a bug which could cause some files not to load while using the web interface, resulting in sporadic cases where certain frames or files did not appear.
  • Fixed a bug which could cause some portions of pages to load (e.g., CSS or JS files) when accessing Sawmill through the web browser interface.

New features in 7.2.1:

  • Added "BETA" support for Lancom Router Log Format.
  • Added support for Sophos Antispam Message Log Format.
  • Added an Italian language translation of the reports and the Admin interface.
  • Added a "BETA" Sendmail plug-in which parses logs data faster, and tracks more fields.
  • Added "BETA" support for msieser SMTP log format.
  • Enhanced praudit "BETA" plug-in to handle -l format.
  • Added an Active Tasks section in the Admin page, showing information about active tasks, including time elapsed and progress information.
  • Added a Task Log section to the Admin page, showing the contents of the TaskLog file.
  • Enhanced praudit "BETA" plug-in to handle Snare/Solaris logs.
  • Enhanced the "beta" Cisco PIX plug-in to handle a different type of Deny line.
  • Enhanced the "dumpevt" Windows Event Log plug-in to handle a different data format "d/m/yyyy".
  • Added a limited Scheduler in Lite tier. This version of the Scheduler can update databases, rebuild databases, and send email, but does not have the "extra options" field of the full Scheduler, and cannot do other tasks.
  • Greatly enhanced support for Zyxel Firewall WELF Log Format; added tracking of all numerical fields, and some fields which were not tracked before. Added support for a variant with a leading date stamp in the syslog message.
  • Added "beta" support for Scanmail for Exchange log format.
  • Added an option to change the MySQL socket file pathname.
  • Changed internal filenames to always be less than 32 characters long, to work in environments which do not allow long filenames.
  • Enhanced "beta" fortigate plug-in to handle additional fields, including URL and username, which are present in some variants.
  • Added support for user agent fields which use underbars instead of spaces, for example Windows Media Server.

Version 7.2, shipped December 19, 2005

Bugs fixed in version 7.2:

  • Fixed a bug which caused MySQL builds to immediately fail when the MySQL server was configured to use a port that was not then the default port, 3306, regardless of if the user specified host:port in the GUI field.
  • Fixed a bug which could cause an error when editing Log Filters in a profile analyzing Snare log data.
  • Fixed a bug which could cause an error when building a database in a profile analyzing Interscan Web Security Suite log data.
  • Fixed a bug which where the number of visitors was always shown as 1, when analyzing Quicktime Streaming Server logs.
  • Fixed a bug which could cause an error (about an item's number being the same as its parent) when processing log data with a MySQL database, if the log data contained field values ending with spaces, and other identical values which did not end with spaces.
  • Fixed a bug where zooming on a value would show 0 events, if the value contained a backslash ('\') followed by an 'n'.
  • Eliminated potential problems with corruption of IPNumberCache by eliminating IPNumberCache. This file, which used to live in LogAnalysisInfo, kept a cache of all previously looked-up DNS addresses. But it didn't honor the DNS TTL option, and could become corrupt during multiprocessor builds in some cases. Plus, it didn't improve performance much. So it's gone now. The memory cache, which definitely does improve performance, is still there, but is discarded after each build.
  • Improved Create Profile wizard to show progress during autodetection, solving a problem where very large compressed files on FTP sites could cause the browser to time out while autodetecting.
  • Fixed a bug where multiprocessor MySQL builds could fail due to conflict between the threads in access of itemnums tables, resulting in errors like "insert into fielditemnum set field = 'xxxx' (Duplicate entry 'xxxx' for key 2)".
  • Fixed a bug where multiprocessor MySQL builds could fail at the end with an error like "table fieldsubitem1 does not exist".
  • Fixed several issues with SQL queries which caused errors when using Sawmill with MySQL Cluster, with a default table type of ndbcluster.
  • Fixed problems with x-timestamp fields in W3C and fields with square brackets, where the brackets would be treated as quotes, resulting incorrect field values.
  • Fixed a bug in ProxyPlus log format which could cause an error about the authenticated_user field not being defined.
  • Fixed a problem where the NetCache NetApp plug-in reported full URL values, resulting in extreme memory usage for large datasets.
  • Fixed a bug where "unique" values (e.g., visitors, in web log analysis), could be underreported in some table reports, when complex report filters were used. The values would be reported as values typically between 10,000 and 15,000, even if the correct values were much higher.
  • Fixed a bug which caused an error when running a binary of Sawmill built from encrypted source on Itanium HP-UX.
  • Fixed a bug where when running Sawmill with the -scheduler option (e.g., using the Sawmill Scheduler in CGI mode), which caused the last task to terminate before completion.
  • Fixed a bug which could cause a MySQL build error if a database field was named "count" in a profile.
  • Fixed bug which could cause a progress prediction error when displaying a multi-element report with disabled report elements.
  • Added a "beta" log format plug-in for Apache Extended. The new version tracks several new numerical fields separately from normal hits and page views (spiders, worms, errors, broken links, and screen info hits); and it includes a new broken links report which shows broken links with referrer URLs.
  • Added a new discard_expired_entries option to fix a bug where some log format plug-ins, including Postfix, would never discard old collected log entries, resulting in a gradually growing memory usage which could, given enough log data, exceed the available system RAM.
  • Fixed a memory leak with certain log format plug-ins (those which use "rekey" functionality), and certain datasets (those with duplicate keys) which could cause gradually growing memory usage during log processing.
  • Improved performance of subitem table merges during MySQL multiprocessor builds. This can be a very long process for extremely complex fields; in one case, the previous algorithm took 150 minutes for a particular dataset, and the new one takes 40 minutes.
  • Fixed a bug in passlogd log format which could cause all log entries to be ignored.
  • Fixed a memory management inefficiency which could cause extreme memory allocation for a short time while computing a report with complex filters.
  • Fixed a bug where the cross-reference tables would not be up to date with the final few lines of data in the main table, resulting in slightly low numbers. This could happen in particular in multiprocessor builds using the internal database.
  • Fixed a bug which would cause a useless (redundant) profiles.cfg file to be written to LogAnalysisInfo when deleting a profile.
  • Fixed a bug where the expand_path_greater_than value did not expand at all when it was set to 0.
  • Fixed a bug where the values "max" and "min" for the aggregation_method parameter did not work properly; it was expecting "maximum" and "minimum", contrary to docs, and furthermore, it was accepting the parameter to be called aggregation_operator. aggregation_method is the correct parameter name, and "max" and "min" are the correct values, and they now work (aggregation_operator and "maximum" and "minimum" will also work, for compatibility, but may be deprecated at some point).
  • Fixed a bug which could cause an error when building a MySQL database, if the log data contained a field value with a leading divider, for a right-to-left hierarchical field, e.g., the value @yahoo.com in a hierarchical email field.
  • Added "beta" support for du log format.
  • Fixed Symantec Antivirus plug-in to better differentiate different line layouts.
  • Fixed a bug where expressions in custom report headers/footers were not expanded on HTML export.
  • Fixed a bug where deleting a profile created a "profiles" file in the LogAnalysisInfo directory.
  • Fixed a bug in the left menu where the active menu item was not indicated at startup
  • Fixed a bug where custom report and report element headers/footers became deleted upon editing a report via the GUI.
  • Improved the users form so that a single administrator cannot be deleted.
  • Improved the admin licensing page and added license validation.
  • Improved setup/login for first time installation, added a wizard like setup.
  • Improved the trial switch so that the trial mode can be changed from the admin GUI.
  • Added About section which shows the version number.
  • Added support page to admin interface.
  • Fixed a bug where if there was an N-profile license installed, and also an unlimited-profile license, it would not allow more than N profiles to be used.
  • Fixed a bug which could cause an error on profile creation (and possibly other times), if a profile was being rewritten just as it was being read by another process. This could cause a variety of errors, including "node database not found" or "unterminated quote" or "unexpected end of configuration".
  • Fixed a bug where commas (thousand dividers) were incorrectly inserted in negative numbers, resulting in numbers like -,123.45 instead of -123.45.
  • Fixed a bug where visitor numbers could be corrupted during a database merge, for instance, during a database update or a multi-processor build. The resulting database would show 1 visitor for some table rows, where it should have been several thousand.
  • Fixed a bug (introduced after 7.1.14, so affecting only some recent pre-release builds) which could cause the hour_of_day field to be added to all xref groups, instead of the date_time field, in case where there was no date_time log field.
  • Fixed a bug where rows with all zero values were included in MySQL-based report tables.
  • Fixed a bug in Snort processing where events beginning with parentheses were not displayed in the Events table.
  • Fixed a bug where Sawmill's HTTP server did not notice remote socket closes in some cases, resulting in some portions of pages failing to load.
  • Fixed a bug where if there were two report elements with subtables in a single report, the second one could contain the data of the first, in addition to its own data.

New features in 7.2:

  • Added support for UTF-16 encoded 8-bit log data.
  • Improved Create Profile wizard to load profile list at autodetect time, which eliminates a long delay at the beginning of profile creation.
  • Added a new profile option, database.options.mysql_engine, which controls the engine used for itemnum tables when using a MySQL database. When this is not specified, MyISAM is used. This option must be set to ndbcluster when using MySQL Cluster.
  • Added a new "beta" version of the Fortigate plug-in which extracts and reports much more information.
  • Added "beta" log format support for Firepass.
  • Added "beta" log format support for TACAS+ Accounting log format.
  • Added "beta" log format support for NetScreen log format. The new version tracks much more information.
  • Added "beta" log format support for Nortel Contivity. The new version tracks much more information, including usernames for HTTP events.
  • Added "beta" log format support for IIS SMTP Comma-Separated log format.
  • Added "beta" log format for Cisco PIX. This is much faster to process log data than the production PIX/IOS plug-in, and adds reporting of services, and adds reporting of various two-field tables (e.g., destination IP by source IP).
  • Added "beta" log format for MailEnable W3C format. The new version tracks messages in much more detail, tracks messages sent and received, tracks bandwidth in both directions, tracks errors, and more.
  • Added a "simplify URL" log filter to all proxy/firewall formats, to chop off the "pathname" portion of the URL. This filter was present in many proxy/firewall log format plug-ins, to keep the database from getting overly complex, but had not been added to many others, including MS Proxy formats. Without this filter, the memory usage exceeded 1GB for one dataset; with the filter, memory usage was under 100MB.
  • Added a "simply URL" log filter to MS Proxy formats, to chop off the "pathname" portion of the URL. This filter is present in most proxy log format plug-ins, to keep the database from getting overly complex, but had not been added to the MS Proxy plug-ins. Without this filter, the memory usage exceeded 1GB for one dataset; with the filter, memory usage was under 100MB.
  • Added support for per-report-element and per-report headers and footers.
  • Added "beta" support for Symantec Antivirus log format
  • Added a new improved "beta" plug-in for Postfix. The new version breaks from/to fields hierarchically, and breaks traffic into independently tracked numerical fields: messages delivered, messages processed, messages blocked, messages expired, messages delivered, messages bounced, bytes delivered, bytes processed, bytes blocked, bytes expired, bytes delivered, and bytes bounced.
  • Enhanced Single-page Summary so it is computed (when the profile is created) by cloning all other reports. Previously, it was created separately, so some report would not be present, and some customized report settings would not apply to the single-page summary. Now, all report customization done in the log format plug-in applies automatically to the version of the report in the single-page summary
  • Added a new improved "beta" plug-in for Snare. The new one extracts much more information, and supports a wider range of messages.
  • Added "beta" support for Ascenlink Log Format.
  • Added a new "-a rp" option to recreate a profile from the command line. This is useful for log format plug-in authoring, where the profile often must be recreated many times until the plug-in works.
  • Greatly expanded and improve the Custom Log Format documentation.
  • Added "beta" support for msieser HTTP Log Format.
  • Added "beta" support for Nessus Log Format.
  • Added "beta" support for an enhanced Kasper Skylabs Mailserver Log Format.
  • Added a new "-a pl" option for the command line, which processes the data in the log source, dumping the accepted entries to the standard output stream in comma-separated format, without building or modifying the database.
  • Added "beta" support for Java Administration MBEAN Log Format.
  • Fixed/improved Merak log format to handle "Client session" in the middle of some lines, and to track only events which involved messages actually being sent.
  • Added "beta" support for Trend Micro Control Manager Log Format.
  • Improved robustness by changing progress prediction errors to warnings. Progress prediction errors occur when the order of steps that are predicted for a task does not match the actual steps which occur. This occurs due to bugs, but it is difficult to predict in every case what steps will occur during a task, so there have been many bugs of this sort. This change works around this sort of bug by displaying a wanting message and patching the progress prediction to match the actual steps being taken by the task. This may mean that the steps in the progress page will change in some cases, but this sort of issue will no longer be a fatal issue, terminating the database build or report.
  • Enhanced "auto" time for to support times in the format "h:mm".
  • Improved the "create profile wizard" when using a remote log source, so instead of downloading the data (very slow for large compressed data by FTP) twice, once for autodetection and once to set up the fields, it caches the first download to make the second operation fast.
  • Added "beta" support for Symantec System Console log format.
  • Added support for associating numerical fields with database fields in log format plug-ins, so only appropriate numerical fields are added to the reports, and only appropriate numerical fields are added to the xref groups, by default.
  • Greatly enhanced the level of report customization available in the report_groups section of log format plug-ins, allowing for virtually all custom report options to be specified there.
  • Added support for mapping drives in Windows, directly from the File Browser window.
  • Added "beta" support for Netscreen SSL Gateway log format.
  • Added a "Report It" link to error messages, for reporting errors to Flowerfire.
  • Added an improved "beta" log format plug-in for Communigate Pro.
  • Added context-sensitive help links to Log Filters, Scheduler, Report Editor, and File Browser.
  • Greatly enhanced the Create Profile Wizard to include more context-sensitive help, show progress during autodetection, and improve performance. Changed page flow and page layout in the wizard to reduce the chance of error, especially when using Lite. Removed several unnecessarily options. Added an option to go straight to the reports after creating a profile. Improved wizard to load plug-in list at autodetect time, which eliminates a long delay at the beginning of profile creation.
  • Added a button to rebuild and update the database from the reports.
  • Added support for a new command line option, -er (ending_row) which overrides the ending_row option of the report being generated. This is useful for doing a command-line 1000-row export, for instance, of a report which defaults to show only 20 rows.
  • Added a new "beta" version of Interscan Web Security Suite, which tracks all log format types and includes much more advanced reporting.
  • Added a new "log.filter_finalization option to the profile. This is an expression which is run at the end of log filtering, and can be used to finish anything that needs finishing (e.g., to accept entries, or to write something to disk).
  • Eliminated the need for the "temporary directory" and "temporary URL" when running Sawmill in CGI mode. This significantly simplifies CGI mode installation.
  • Added support for file locking in Salang (the internal language). This is useful when creating log filters which must share a single read/write resource, like a map file, and need to synchronize so they don't both write it at the same time.
  • Added support for Last-Modified, Etag, If-Modified-Since, and If-None-Matches headers in Sawmill's HTTP server, to allow for caching of static files (for faster browsing).
  • Added an "Advanced Filter Expression" option in the report Filters window, for entering advanced Boolean filters, like "(recipient_address within 'someone@somewhere.com') or (sender_address within 'someone@somewhere.com')", which cannot be constructed using the other filter options.
  • Fixed a bug with command-line authentication which could cause an error "Can't find node command_line_authenticated_user in users" when command-line authentication was used.

Version 7.1.14, shipped September 08, 2005

Bugs fixed in version 7.1.14:

  • Fixed bug where memory usage could grow without bounds while building with build_indices_during_log_processing turned on.
  • Fixed a bug where "Show matching files" in the "New profile wizard" caused an error for FTP log sources with empty username or password.
  • Fixed bug which would cause an error in the "create profile" wizard if FTP passwords contained a # or a double quote.
  • Fixed a bug where "automatically update if older than" could compute the age of the database incorrectly, resulting in an unending series of updates when viewing reports.
  • Fixed conversion of if_a_then_b_c log filters, and goto_filter_number log filter actions, in Sawmill 6 configurations; converting them was causing an error during conversion.
  • Fixed a bug which could cause an error about query syntax when using certain versions of MySQL, due to the use of varchar(1000) in the query, and indices of length 1000, when some versions of MySQL do not allow more than 255.
  • Corrected extraction of date field in WebSEAL CDAS Log Format plug-in, incorrect date extraction caused all records to be ignored during rebuild or update of database.
  • Fixed a bug where the Lock files in the IPC directory were not properly deleted, leading to large numbers of them after long periods of usage.
  • Fixed a bug where errors during database building would not be reported in the web interface, if they occurred very early in processing (e.g. incorrect username for MySQL database).
  • Fixed a bug where the Browse window (the File Browser) had problems with directory names containing non-English characters, and would not process log data contained in them.
  • Fixed a bug in generate_all_report_files which always required that an Overview report exists in the left menu. A disabled Overview report caused a page loading error and a hang in the reports menu.
  • Fixed a bug in generate_all_report_files where Sawmill generated reports of a menu group although the menu group was disabled.
  • Fixed a bug in File Manager where foreign characters where not correctly interpreted.
  • Fixed a bug which cause cause an error in the Create Profile wizard when creating a profile with extremely long pathname information, or a huge number of numerical fields.
  • Fixed a bug in reports menu editor where single quotes in report menu names caused the reports menu editor to freeze.
  • Fixed a bug where if there were multiple simultaneous browsers accessing reports, with a MySQL database, it could cause an error about the table "sumstats" not existing, or already existing.
  • Fixed a bug which could cause a SQL syntax error if the database contained a field called "user", when using certain versions of MySQL.
  • Fixed a security issue (cross-scripting vulnerability). By accessing Sawmill with a carefully constructed URL, it is possible to execute arbitrary JavaScript code the web browser system. This makes it possible to hijack another user's browser's session by convincing them to click an apparently reasonable link to Sawmill. The latest version now prevents this type of malicious activity.
  • Fixed a memory leak which occurred when there were a very large number of very long lines in the log data. Memory usage in that case could be tens or hundreds of times more than it should have been, during database build. It would eventually stabilize at a high value, but that value could be 1GB or more.
  • Fixed Quicktime/Darwin Stream Server log format so it tracks full filenames by default.
  • Fixed a memory allocation issue which could cause Sawmill to use extremely large amounts of memory while building the hierarchy tables for a MySQL database (which typically occurs after the log processing, and before the xref table builds). Memory would eventually be deallocated, but it was growing unnecessarily large during that stage. It is now cleaned up regularly through that stage to keep memory usage in check.
  • Fixed a bug where the Logout link did not work properly for non-administrators; the user would be logged out, but could not then log in again from the resulting page.
  • Fixed a bug in the v6-to-v7 configuration converter, where log fields with type "server response" were not converted properly, resulting in an error on Config.
  • Fixed a bug in Syslog (yyyymmdd hhmmss) Log Format, which could cause lines of log data not to be recognized by the device parsing plug-in (this was verified with iMail 7, but could happen with other formats too).
  • Fixed a bug in Trial Login where it was not possible to change between the Enterprise and Professional feature set.

New features in 7.1.14:

  • Added a -db command line option to to a date breakdown, e.g. to generate a report of months in a single year.
  • Improved performance of "main table" based reports using the internal database, by keeping indices on disk instead of reading them into memory.
  • Added output format directive duration_hmmss, for displaying duration information in H:M:S format. rather than with year and days shown.
  • Added a new generate_pdf_friendly option for generating HTML export output which converts well to PDF format using Adobe Acrobat. Without this option, the HTML export displays well in the browser, and uses JavaScript and other browser features, but these extra features do not play well with Acrobat. With this option, it does not look as good in a web browser, but works very well for PDF.
  • Modified the report style sheets to achieve better results in emailed reports, when generating PDF friendly files or when printing a report.
  • Improved Snare support to support literal tab characters, in addition to the <009> variant (which is what the old plug-in supported).
  • Added a -zv option which specifies the "zoom value" for command-line and Scheduler exports, i.e. the item we're zoomed into. This is needed in cases like showing data by region for a particular country in the Countries/Regions/Cities report.
  • Improved autodetection to report an error if there is no data in the specified log source (rather than just reporting that no format matched).

Version 7.1.13, shipped July 29, 2005

Bugs fixed in version 7.1.13:

  • Corrected extraction of missing data in fields the CISCO Voice Router plug-in.
  • Corrected missing 'host' type field which caused the Domain Description report to report an error, and fail to generate for Urlscan log format plug-in.
  • Corrected missing extration of "TO:" and "FROM:" in the CommunigatePro log format plug-in.
  • Fixed a bug where progress reports would fail with a "can't find node step in volatile.progress" error, after the task has been running for more than an hour.
  • Fixed a bug where session event times were all 00:00:00 when using MySQL on Windows.
  • Fixed a bug where progress reporting could "stick" or fail in the web interface, with an error about "step" or "STEP" not being found.
  • Fixed a bug where pages in a session after the first page were omitted when remove_reloads was true and there was no session page field.
  • Fixed an issue which occured when using an FTP log source to download a single file from a server which did not allow directory listing. Sawmill would fail when the directory listing failed, but it didn't really need the listing if there was just one file; it now allows this failure and downloads the file anyway.
  • Fixed a bug with Proxy Pro Gate Keeper log format which would cause an error about "default not found".
  • Fixed a bug where if a generic W3C log had a c_ip field (rather than a cs_ip field), it would not track session information properly.
  • Fixed bug which could cause an "superitem is 1, and subitem is 1" errro when building or updating a MySQL database.
  • Fixed bug which could an error when using an FTP log source with a local (non-absolute) directory, e.g. "logs/*". In this case, it would attempt to change to the "logs" directory before each file, which would fail after the first one, because there is local "logs" directory when it's already in logs. It now does the directory change only once, at the beginning of the session.
  • Fixed bug where database build could fail if both build_indice _in_threads and build_indices_during_log_processing were true for a multiprocessor build.

Version 7.1.12, shipped July 13, 2005

Bugs fixed in version 7.1.12:

  • Fixed a bug where session reports were wrong if there was no "page" field in the log data (very uncommon).
  • Fixed a bug which caused an error when processing Windows Media log files without a referrer field.
  • Fixed a bug where subprocesses would not exit in some cases when clicking Cancel during a multiprocessor build.
  • Fixed a bug where charset conversion did not work on Windows (only a problem in 7.1.11), failing with an error "iconv() not available."
  • Fixed bug where database updates with MySQL did not rebuild the cross-reference tables, resulting in out-of-data information in some reports.
  • Fixed a bug which could cause incorrect results when performing a MySQL query with multiple filters on the same field.
  • Fixed a bug which could cause incorrect results when performing a negated ("NOT") MySQL query.
  • Worked around a problem with MySQL and trailing whitespace, by automatically removing trailing whitespace from field values. The problem could cause hangs during builds if a field value was a single space, and incorrect reporting of values with trailing whitespace.
  • Fixed bug where "remove database data" operations with MySQL did not rebuild the cross-reference tables, resulting in out-of-data information in some reports.

Version 7.1.11, shipped July 07, 2005

Bugs fixed in version 7.1.11:

  • Fixed a bug where action emails would fail with a bug "can't find node network in command_line".
  • Fixed Bug where MySQL failed to update data base when sql protected keywords in among the log fields
  • Fixed a bug where invisible columns in multi-column tables were not properly omitted.
  • Fixed a bug which could cause an empty table when using a date range filter together with a "year" zoom (and other similar situations involving simultaneous filtering on lower-level items like days or files, and higher-level items like years or directories).
  • Fixed a bug where the Log Filter editor window did not close properly after clicking Save and Close, when using Safari.
  • Fixed a bug where if a profile was using the "internal" database, and was switched to a MySQL database, it could cause an error when displaying the Build Database page.
  • Fixed bug where multithreaded builds in MySQL failed to create hierarchy tables
  • Fixed a performance issue which made index builds several times slower than they should have been, especially on Windows.
  • Fixed a bug which could cause an "unknown variable v.syslog_message" error when processes corrupt syslog data.
  • Fixed a memory leak which could cause large MySQL database builds to use arbitrary amounts of RAM (roughly 50MB to 100MB for each million lines of data processed).
  • Fixed a bug where one user canceled the report generation of another user when two or more users accessed the same profile.
  • Fixed a bug which could cause incorrect durations to be listed in the Session Pages and Session Users reports, when using the "internal" database.
  • Fixed a problem with processing some variants of Netscreen log data.

New features in 7.1.11:

  • Added "page header" and "page footer" options (including the file variants) to the web interface in Config->Manage Reports->General Display/Output.

Version 7.1.10, shipped June 17, 2005

Bugs fixed in version 7.1.10:

  • Fixed a bug which caused an empty table when zooming or filtering on a bottom-level item for a particular field, while viewing the report for that field, with a MySQL database.
  • Fixed a bug which could cause items to be omitted from tables when using MySQL, if the item existed in the log data in both uppercase and lowercase variants.
  • Fixed bug in Mysql where nonexistent filter gave an error now it gives zero result.

Version 7.1.9, shipped June 10, 2005

Bugs fixed in version 7.1.9:

  • Fixed a bug which could cause zero results when using a regexp report filter containing backslashes or certain other special characters, with a MySQL database.
  • Fixed a bug which could cause zero results when using a regexp report filter containing backslashes or certain other special characters, with a MySQL database.

Version 7.1.8, shipped June 10, 2005

Bugs fixed in version 7.1.8:

  • Fixed a bug where the Overview could show 0's when using a MySQL database and regular expression report filters.
  • Fixed bug which could cause an error when generating the log detail report with regular expression report filters with a MySQL database.
  • Fixed bug where zooming on a day, or using a date range, would result in an empty Years/Months/Days report.
  • Fixed bug which could cause a crash when viewing session reports, if there was no session page field in the database.
  • Fixed a bug which could cause very high memory usage with some log formats, including "Interscan Messaging Security Suite Log Format".
  • Fixed the page_header_file and page_footer_file options, which were not working at all.
  • Fixed a bug which could cause a "permission denied" error when viewing reports on Windows, if someone else was viewing the same report at the same time.
  • Fixed a bug which could cause extreme memory usage when generating reports with many report elements.
  • Fixed bug which could cause errors when two users viewed reports for the same profile simultaneously.
  • Fixed a bug which could cause an error when using a username containing a dollar sign.
  • Fixed bug which would cause an error when autodetecting the format of a command log source.
  • Fixed bug where when server_root was specified, and page field values were URLs, arrow links were broken.
  • Fixed a bug which could cause an error when zooming on table values containing $'s, when using a MySQL database.
  • Fixed a bug which could cause incorrect results when using a date range with a MySQL database on Solaris, MacOS 10.2, or FreeBSD.
  • Fixed a bug where repeated progress steps would all show up as "(1)" in the progress display.
  • Fixed a bug in reports editor where there sort list of report elements did not get updated when report elements have been deleted.

New features in 7.1.8:

  • Fixed/improved IMail 7 Log Format to handle a wider range of formats, and to be faster and more robust.
  • Added support for Imail Header log format.

Version 7.1.7, shipped June 03, 2005

Bugs fixed in version 7.1.7:

  • Fixed a bug which would cause an error when building a MYSQL database if a field value contained a single quote.
  • Fixed a bug with progress in session reports, which could cause reports to not appear on the first click.
  • Fixed bug where multiprocessor builds could result in an error about "Unknown progress step merging_items__part_1".
  • Fixed a bug where the session paths report would fail with an error about internal.expand_paths .
  • Fixed a bug where adding a reports menu group without any sub menus caused an error in the reports editor view and reports display.
  • Fixed a bug where adding a reports menu group without any sub menus caused an error in the reports editor view and reports display.
  • Fixed a bug which occurred during database builds or updates of a MySQL database, if one of the field values contained an apostrophe.

New features in 7.1.7:

  • Added support for hostname:port format when entering the hostname of the MySQL database server, to use a non-default port.
  • Fixed/improved the Symantec Gateway Security plug-in so it works with two different variant formats.

Version 7.1.6, shipped June 02, 2005

Bugs fixed in version 7.1.6:

  • Fixed a security vulnerability where a remote attacker with a non-administrative privileges could gain administrative access.
  • Fixed a security vulnerability where a remote attacker with no user privileges could add a license.
  • Fixed a security vulnerability where a user with administrative privileges could execute a cross-scripting attack by entering a specially formed username in the Add User window.
  • Fixed a security vulnerability where a user with administrative privileges could execute a cross-scripting attack by entering a specially formed license key in the Licensing page.
  • Fixed a bug where double quotes were not properly escaped in the "extra options" field in scheduled tasks, when running on Windows.
  • Fixed a bug where double quotes were not properly escaped in the "extra options" field in scheduled tasks, when running on Windows.
  • Fixed a bug in NetScreen Log Format where it did not handle the escaped quotes which appear in some variants.
  • Fixed a bug in Merak SMTP Log Format, and improved parsing performance.
  • Fixed a bug which could cause an error when upgrading from 7.0 to 7.1 if a username contained capital letters.
  • Fixed a bug which could cause an error about deleting a file in user_info, when upgrading from 7.0 to 7.1.
  • Fixed support for numerical months in the date field, in Symantec Gateway Security log format.
  • Fixed a bug where sort changes did not stick from session to session.
  • Fixed a bug where create_many_profiles would not apply changes properly for group nodes with more than one subnode.
  • Fixed bug where -a pv on the command line did not honor the -f option.
  • Fixed a bug in the "seconds since 1970" syslog header plugin, which would cause a "can't process regular expression" error. Since this header is used by most Squid logs, this caused an error for most Squid plug-ins.
  • Fixed a bug which caused excessive memory usage when building large database with a MySQL database.
  • Fixed a bug which could cause a progress sequence error when using a report element without a table, followed by report element with a table.
  • Fixed a bug where the "last modified" time for a database was reported in the GMT time zone.
  • Fixed a bug in the "PIX Firewall Syslog Server (no year) (EMBLEM)" syslog header plugin, which would cause a "can't process regular expression" error.
  • Fixed a bug where zooming on items containing backslashes would cause an error when using a MySQL database.
  • Fixed a bug where the Zoom menu in reports showed reports which had been disabled in the Report Menu Editor.
  • Fixed a bug where if there was no session page field, even session reports which did not require the page field would generate an error.
  • Fixed a bug where the expand_paths_greater_than option did not work.
  • Fixed a performance issue which could cause reports to be very slow when using complex filters, and when no cross-reference table was available to provide the data.
  • Fixed a performance issue with the Overview (and possible other reports) when using complex filters.

New features in 7.1.6:

  • Changed the default session timeout to 30 minutes (from 1 hour) to bring the default numbers more in line with industry standards.
  • Fixed a bug which could cause an error about "unknown column 'true'" when using older versions of MySQL.

Version 7.1.5, shipped June 02, 2005

Bugs fixed in version 7.1.5:

Version 7.1.4, shipped May 10, 2005

Bugs fixed in version 7.1.4:

  • Fixed a bug where a multiprocessor database update could re-add data which had already been processed.
  • Updated German language modules (earlier versions of the modules were accidentally included in the previous releases of 7.1).
  • Fixed a bug where table sorting did not work properly in reports which had graphs (the graph's own sort would apply to the table too).

New features in 7.1.4:

  • Added support for a command line option (-a c70d) to convert MySQL databases from version 7.0 format to version 7.1 format.

Version 7.1.3, shipped May 07, 2005

Bugs fixed in version 7.1.3:

  • Fixed a bug which caused problems when using MySQL 4.0 servers; clicking reports (including Days) would generate an error "Unknown column 'true' in 'where clause'".
  • Fixed a bug in LogSat SpamFilter ISP log format, where it would not extract all data from lines with empty From values.
  • Fixed a bug where opening the calendar or date range picker of a report without any date/time values resulted in an error. In such a case the calendar and date range picker buttons are now disabled.
  • Modified the global filter so that filter fields become automatically checked when adding new filter items.
  • Fixed a bug where clicking Show Matching Files would crash if there were no log sources.
  • Fixed a bug where averages were shown incorrectly when zoomed on a day in the Overview (they showed average as though there were no date zoom).

Version 7.1.2, shipped May 02, 2005

Bugs fixed in version 7.1.2:

  • Fixed a display problem with tick marks on chronological graphs when displaying days.
  • Fixed a problem which could cause an error when upgrading a 7.0 installation on Windows to 7.1; it could result in an error about an unknown variable "prompt_for_trial_tier" (or in some cases, some other variable).
  • Fixed bug where using a "regexp" or "matches" in a Report Filter with a MySQL database would cause an error.

Version 7.1.1b, shipped May 01, 2005

Bugs fixed in version 7.1.1b:

  • Fixed a bug in the Report Editor where the "only bottom-level items" option was lost when a report was saved.

Version 7.1.1, shipped May 01, 2005

Bugs fixed in version 7.1.1:

  • Fixed a problem with the LogSat SpamFilter ISP log format plug-in which caused an error ("Unterminated quote in LogAnalysisInfo\log_formats\logsat_spam_filter_isp.cfg) when a profile was created.

Version 7.1, shipped May 01, 2005

Bugs fixed in version 7.1:

  • Fixed a bug where session filters on the Overview could generate a progress prediction error.
  • Fixed a bug where generating all reports from the Scheduler would sometimes give an error.
  • Added cleanup of the SessionChanges directory, which contains temporary files which were never deleted.
  • Fixed a bug in Wall Watcher format which would result in an error about the date_time field when viewing reports.
  • Fixed a bug where zooming on Individual Sessions caused a progress prediction error.
  • Fixed a bug where parenthesized items were always omitted when using MySQL, even if "omit parenthesized items" was turned off.
  • Fixed bug where the command-line authentication script was passed an MD5 checksum of the password, rather than the password itself. This caused authentication to fail in most cases when a command-line authentication script was used.
  • Fixed bug in the v6-to-v7 configuration converter where the final filter was not converted properly if the configuration did not track hits.
  • Fixed bug where Netscreen format did not understand zone containing non-alphabetical characters in their name.
  • Fixed a bug where using a command log source could result in hung processes when scanning for matching files.
  • Fixed Helix (type 5) format to handle empty page field values properly, and to track the file_time field properly.
  • Fixed a bug where browsing directories containing $ would cause an error, saying that the directory did not exist.
  • Fixed a bug where the Sessions group would sometimes appear in the reports menu, even when session information was not available.
  • Fixed a bug which could cause "Can't open file logdata.log" errors during multiprocessor builds on Windows.
  • Fixed a bug where '-f lastmonth' did not work properly on the command line.
  • Fixed a bug which could cause an error when accessing the administrative interface while a database was building.
  • Fixed a bug in the v6-to-v7 configuration converter, where conversion would fail if a report name or field name contained an apostrophe.
  • Fixed a bug in the Kerio Network Monitor HTTP log format plug-in which caused rejected lines due to improper processing of the date format.
  • Fixed improper error code extraction in Cisco Pix/IOS log format plug-in.
  • Fixed a build bug which caused crashes in binaries built from encrypted source on IA64 platforms.
  • Fixed a bug where entries added by a database update were sometimes not added to the date/time index properly, resulting in empty reports when zooming deeply into particular days, or when viewing session information for recent days.
  • Fixed bug which could cause crashes when using GeoIP on SPARC hardware.
  • Fixed a bug where the date/time index would not be built properly if "build indices during log processing" was turned on, resulting in events from 1970.
  • Fixed bug where scheduled report generation would not work on Windows if the pathname ended with a backslash.
  • Fixed a bug which could cause mis-sorting of date/time values with granularity higher than day.
  • Fixed bug where on SPARC platforms, certain layouts of cross-reference tables could result in a crash while generating reports.
  • Fixed bug in generating Log Detail with MySQL when zoom filter was active.
  • Fixed bug which could cause crashes when generating tables where the xref table contained some numerical fields not found in the report table.
  • Fixed bug with MySQL databases where zooming on port 53 would show all ports starting with 53.
  • Worked around a bug which occurred only on MacOS (apparently a bug in MacOS itself) which caused database corruption under low memory conditions, resulting in an "itemnums" error.
  • Fixed bug which would cause an error when two profiles shared the same database.
  • Fixed a bug in the handling of dates in the mmm-dd-yy format.
  • Fixed a bug where zoom did not work on hierarchical fields if another zoom was active on another field.
  • Improved PIX/IOS log format to extract duration information in a few cases where it didn't.
  • Fixed bug which could cause runaway memory usage while processing log formats which used collect_listed_fields_using_regexp.
  • Fixed a bug where recentdays:N did not work as a filter.
  • Fixed a progress sequence error which occurred when zooming to Log Detail with a session filter active.
  • Fixed a bug which could result in hanging processes, if a report generation after it had completed; the cancellation process would wait indefinitely for the process to complete. Now, it times out after 10 seconds.
  • Fixed a bug which could result in hanging processes, if a report generation after it had completed; the cancellation process would wait indefinitely for the process to complete. Now, it times out after 10 seconds.
  • Fixed a bug which could result in hanging processes, if a link was clicked repeatedly and rapidly.
  • Fixed bug where remove_database_data did not work properly with MySQL databases.
  • Fixed bug in v6-to-v7 translator which caused an error when translating profiles containing add_suffix_to_field or add_prefix_to_field log filters.
  • Fixed session tracking in ISA W3C log format.
  • Fixed a problem with Netegrity Siteminder Access Log Format, where it did not handle GMT times properly.
  • Fixed a bug where command-line authentication scripts like ldapauth.pl did not work.
  • Fixed a bug in the Cisco VPN Concentrator log format plug-in which was improperly extracting duration.
  • Fixed a bug which could cause autodetection to fail if a filename contained a plus (+).
  • Fixed bug where if there was both an Overview and a Sessions Overview report element in a single report, it would generate a progress prediction error.
  • Fixed a bug where the number of session users was shown incorrectly in the Session Users table, when using the internal database.
  • Fixed a bug which would cause an error if $ characters were used in pathnames; improved escaping of $ in several other places.
  • Fixed a "!eq" bug in log filters and reversed the action "copy from to".
  • Fixed a bug where "less than or equal" and "greater than or equal" in log filters would generate errors when displayed in the web interface.
  • Fixed a bug where the profiles and logout button were shown when generating static files.
  • Fixed a bug in table options where a missing node error occurred when editing session pages.
  • Fixed a bug on zoom where a user database field resulted in conflicts with a user session field.
  • Fixed a bug in CSV export, where delimiter and quotes did not get properly escaped.
  • Fixed a bug in admin users editor view; user assigned profile names appeared as node names instead of profile labels
  • Fixed a bug in the licensing page where it indicated 0 profiles instead of unlimited profiles
  • Fixed a bug in the licensing page where Sawmill version 6.4 or 6.5 licenses were not properly indicated.
  • Fixed a Safari web browser specific bug in log filter comments where the character "u" converted to __HexEsc__A.
  • Fixed a bug in the overview report where unique fields where shown in the average column, unique fields are now omitted.
  • Fixed a bug in the date range picker where the last day in the date range was not counted because the time was set to 00:00:00 instead of 23:59:59.

New features in 7.1:

  • Added a report editor, for editing the reports in a profile.
  • Added a reports menu editor, for editing the list of reports which appear down the left of the Reports section of a profile.
  • Improved performance and stability of MySQL support. This is a major update to the MySQL engine, which changes internal table structures and queries fundamentally to improve performance and reliability. Performance improvements are dramatic in many cases; the query is tens or hundreds of times faster for many reports, and for building cross-reference tables. This brings MySQL query performance nearly in line with the performance of the "internal" database, eliminating all known major performance discrepancies between the two databases types.
  • Added a general display/output editor for editing display and output options for a profile.
  • Added graphs display editor, for editing graphing options in a profile.
  • Improved NetScreen log format to track a "total bytes" field.
  • Added support for MDaemon 7 (All) Log Format.
  • Added support for Kaspersky Labs for Mail Servers (linux) Log Format.
  • Enhanced Symantec Gateway Security log format to track my more fields.
  • Enhanced Postfix log format to allow for user-specified values instead of 'postfix/' in the log data.
  • Enhanced Netscreen format to increase log processing speed (disabled default tracking of full messages).
  • Improved EIMS format to handle a slight variant.
  • Added support for FileZilla Server Log Format.
  • Added support for Cisco 3750 Log Format.
  • Enhanced Netscreen Traffic log format to extract and report on bandwidth information when available.
  • Added support for Windows 2003 DNS Log Format.
  • Added support for Web Washer Log Format.
  • Split Critical Path log format into SMTP and POP/IMAP variants.
  • Added support for NEMX PowerTools for Exchange log format.
  • Added support for Nokia IP350/Checkpoint NG (fw log export) Log Format.
  • Added support for MailStripper log format.
  • Added support for Borderware runstats log format.
  • Improved support for profile labels (rather than the internal profile names) as -p parameters -- this used to work for database builds and updates, but should now work in all cases where -p is accepted.
  • Added support for Cisco Secure Server (RAS Access) Log Format.
  • Improved file type detector to handle URLs without paths. For instance, http://www.flowerfire.com would have been reported as file type COM by earlier versions, due to its .com extension -- now, it is reported more accurately as "(no file type)".
  • Improved Webtrends format to track all numerical fields.
  • Added support for Microsoft Port Reporter Log Format.
  • Added support for GNAT Box Syslogger (v1.3) Syslog Log Format.
  • Enhanced GnatBox format to track inbound and outbound bandwidth, and durations, and unique IPs.
  • Fixed a bug where line endings of profile .cfg files were CR-CR-LF on Windows, rather than the correct CR-LF.
  • Added support for Bulletproof/G6 FTP Log Format (yyyy/mm/dd dates).
  • Added support for Coradiant Object Log Format v2.0.
  • Added support for SMTP (24 hour) Log Format.
  • Added support for charset conversion of CSV export.
  • Added support for charset conversion of log data.
  • Added support for Mailman Subscribe Log Format.
  • Added support for Symantec Mail Security Log Format.
  • Improved Interscan Security Suite log format to handle a different virus log line format.
  • Added support for qmail-scanner log format.
  • Enhanced support for Generic W3C format to support most of the features of IIS W3C.
  • Enhanced NetCache NetApp 5.5 Log Format to support session tracking.
  • Improved Cisco VPN Concentrator format to track durations over 1 day, and to strip off brackets around usernames.
  • Improved allow_empty_log_source option to allow local log sources which point to a non-existent directory to be considered as empty log sources.
  • Improved Exchange 2000 CVS format to track error messages.
  • Improved Interscan Viruswall support to handle a slight variant, track more fields, group reports, and improve performance.
  • Improved Snort 2 log format to extract rule descriptions.
  • Improved GNAT Box Log Format (Syslog Required) log format to support a slight variant.
  • Added support for SmoothWall SmoothGuardian 3.1 Log Format.
  • Added support for Cisco NetFlow (FlowTools ASCII Export) log format.
  • Added a new log filter to the Cisco PIX/IOS log format plug-in that now translates destination port and protocol into a service name for better read-ability.
  • Added support for Windows XP Event Log (Microsoft LogParser CSV Export) log format.
  • Added support for Easy Syslog Server log format.
  • Added support for Groupwise Post Office Agent log format.
  • Enhanced Webtrends Extended Log Format to extract date/time information from the time= field; this is particular useful when using Unix Syslog, which does not include year information, because the time= field includes the year.
  • Added support for Web Logic 8.1 Log Format.
  • Improved support for NetApp Filers Audit Log Format to handle the "on" variant.
  • Added support for WebSphere Business Integration Message Brokers User Trace Log Format.
  • Enhanced Anti-Spam SMTP Proxy (ASSP) Log Format to handle a slight variant.
  • Enhanced Cisco 3750 log format to extract information from Interface Changed State lines.
  • Added a new option (statistics.miscellaneous.filter.expression) which applies a specified report filter to all reports. The filter is not displayed and cannot be removed, so it can be used to segregate a single database into several sub-profiles.
  • Enhanced iptables format to extract arbitrary rule names.
  • Added support for Watchguard Historical Reports Export Log Format.
  • Enhanced ntsyslog format to extract more information, and to be faster.
  • Improved Generic W3C log format to track sessions properly if the cs_ip is used for source IP and cs_uri is used for URL (instead of c_ip and cs_uri_stem).
  • Added support for Cisco CE Log Format.
  • Added support for IronPort Bounced Log Format.
  • Added a User's Manual, a non-technical guide to reports.
  • Improved graphing in several ways, most significantly to embed graph labels in the HTML, so they can be antialiased by the browser, and internationalized easily for non-English character sets.
  • Added detection of Sidewinder Raw Log Format. Sawmill cannot process this log format because it is a binary format, but it now generates a useful error message about that, describing how to export it to SEF format, which Sawmill does support.
  • Added detection of Nortel Networks RouterARN Format. Sawmill cannot process this log format because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Added detection of Windows Event .evt Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Added detection of SecureIIS Binary Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Improved URL parsing to handle URLs with no pathname; e.g. http://mysite.com .
  • Added a new command line action (-a ui) to update an existing installation to the latest version by downloading it from sawmill.net.
  • Added support for Useful Utilities EZproxy log format.
  • Added support for Windows NT Scheduler Log Format.
  • Added support for SecureIIS (LogExporter.exe) Log Format.
  • Added support for Click To Meet Log Format.
  • Added detection of NetFlow Binary (DAT) Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Improved Radius Accounting Log Format reporting to autodetect some cases which were not detected, to track all fields, and to track all numerical fields.
  • Improved NetCache NetApp log format to handle many more fields.
  • Added support for NetScreen Traffic Log Format (get log traffic).
  • Added detection of Clavister Firewall Binary Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Enhanced Cisco PIX/IOS log format to handle FW-6 lines.
  • Added detection of Ethereal Binary Log Format. Sawmill cannot process this log format directly because it is a binary format, but it now generates a useful error message about that, describing how to convert it to a format which Sawmill does support.
  • Improved support for Symantec Antivirus Corporate Edition, to include reporting of date/time information.
  • Added support for Web Seal CDAS Log Format.
  • Improved Fortigate format to track the msg field.
  • Optimized performance of log parsing filters in LogSat SpamFilter ISP plug-in.
  • Improved Helix Universal to handle lines where Stat2 and Stat3 both exist.
  • Improved database rebuild process for MySQL databases so it drops all known tables from the database, rather than dropping the database itself, when it rebuilds. This makes it possible to use an existing database, perhaps with information in it not related to Sawmill, as the Sawmill database, without losing the rest of the data when Sawmill rebuilds the database. (Nevertheless, we recommend using a separate database for Sawmill).
  • Added a default xref group for search engines by search phrases, for better performance of the "search engines by search phrases" report.
  • Added a database field for duration and start time to the NetScreen Log Format plug-in.
  • Enabled match wildcard expression in log filters.
  • Changed to using internal names rather than numbers for user nodes, for easier command-line and URL references to users.
  • Improved the Scheduler so schedules are automatically deleted when the profiles they refer to are deleted.
  • Increased the limit on the number of numerical fields in the New Profile wizard, to 200.
  • Added a preference to show/hide the Professional/Enterprise switch during trials.
  • Added support for automatically_update_when_older_than in report startup.
  • Reworked progress reporting to report progress in several additional cases, and to improve reliability of progress reporting.
  • Added support to hide the cancel task button on progress pages for non-administrative users.
  • Added a Refresh button on the progress page.
  • Added support to for progress reporting of database builds and database updates which occur at any time while viewing statistic reports.
  • Added support for a hard-coded global filter (statistics.miscellaneous.filter.expression) which applies to all reports. This is similar to the "apparent statistics root" option of Sawmill 6 (but has none of the restrictions of "apparent root"; any filter is permitted).
  • Improved the graphs appearance and added new graphs display options.
  • Added support to display report element header bars, which are now displayed by default in Single Page Summary reports when a new profile is created.

Version 7.0.10k, shipped March 25, 2005

Bugs fixed in version 7.0.10k:

  • Fixed a bug where the Log Detail report could cause an error when using a MySQL database.

Version 7.0.10j, shipped March 24, 2005

Bugs fixed in version 7.0.10j:

  • Fixed a bug where the hour of day table in the single page summary had maximum 10 rows, instead of 24.
  • Fixed a bug where the date/time index would not be built properly if "build indices during log processing" was turned on, resulting in events from 1970.
  • Fixed bug which could cause crashes when generating tables where the xref table contained some numerical fields not found in the report table.
  • Fixed a bug with MySQL databases where zooming on an item in a non-hierarchical field would select all items which started with that item; e.g. zooming on port=34 would show all ports starting with 34.
  • Fixed a bug which could cause an error when generating the Log Detail report with a MySQL database.
  • Fixed a problem which caused very slow results when generating the Log Detail report with a MySQL database.
  • Fixed a bug where profile .cfg files written on Windows had odd file endings, and editing them with Notepad would corrupt them.
  • Fixed a bug where if an error occurred during log processing from the web interface, it would not display the actual error, but would instead display an error about an unterminated quote.
  • Fixed a bug where the database directory was not reported properly in the Profile Summary page.
  • Fixed a bug which could cause an error with certain combinations filters and tables, when using a MySQL database.

New features in 7.0.10j:

  • Lifted MySQL licensing restriction--Sawmill now works with GPL (free) MySQL databases.

Version 7.0.10i, shipped March 03, 2005

Bugs fixed in version 7.0.10i:

  • Fixed a bug where xref builds would fail if there were more than about 40 fields in a single xref group.
  • Fixed a bug where viewing session reports in a PIX profile caused an error.
  • Fixed a bug where errors were rendered incorrectly when error messages contained double quotes.
  • Fixed a bug which would cause an error on database build if there was no cs-uri-stem field in IIS logs.
  • Fixed a bug which could cause an error about 'log_leve' when editing the Config for a Unix Syslog profile.
  • Fixed a bug in Bulletproof FTP log format which would result in an unterminated quote error.
  • Fixed improper error code extraction in Cisco Pix/IOS log format plug-in.
  • Fixed a bug where entries added by a database update were sometimes not added to the date/time index properly, resulting in empty reports when zooming deeply into particular days, or when viewing session information for recent days.

Version 7.0.10h, shipped February 05, 2005

Bugs fixed in version 7.0.10h:

  • Fixed a bug where if a filter set the page field to empty, the paths report would generate an error.
  • Fixed a bug in the Log Filters Editor, where the "less than or equal to" and "greater than or equal to" operators did not work properly.
  • Fixed a bug which caused an error when zooming in on certain reports containing "unique" fields (e.g. visitors) in a MySQL database.
  • Fixed a bug where zooming did not work properly with MySQL when there were unusual characters (like @ signs) in the zoom item value.
  • Fixed a bug where commas were not properly escaped in CSV export.

Version 7.0.10g, shipped February 02, 2005

Bugs fixed in version 7.0.10g:

  • Fixed a bug where time of day was not reported properly for logs with EPOC timestamps and fractional seconds (like Squid).
  • Fixed a bug which could use huge amounts of memory during a database update, when skipping huge numbers of log files without finding any new log data.

New features in 7.0.10g:

  • Added a new update.pl script (written in perl, and requiring a UNIX-type environment to run) in the Extras folder which updates a new LogAnalysisInfo folder from the settings/profiles/databases from an existing LogAnalysisInfo folder, for easier upgrades from earlier versions.

Version 7.0.10f, shipped January 26, 2005

Bugs fixed in version 7.0.10f:

  • Fixed a bug where Sawmill.app did not start the server properly on MacOS.

Version 7.0.10e, shipped January 25, 2005

Bugs fixed in version 7.0.10e:

  • Fixed a bug where Table Options did not work for session tables.
  • Fixed a bug where 0's in profile names were converted internally to hexadecimal ASCII.
  • Fixed a bug where zooming on a value in a "user" database field would show 0 events.
  • Fixed a bug where running Sawmill.exe on Windows (the "Use Sawmill" window) would result in SawmillCL.exe restarting repeatedly.
  • Fixed a bug with Symantec Gateway Security where the numerical field names could not be globally filtered.
  • Fixed a bug where the "not equal" operator did not work in the Log Filter Editor.

New features in 7.0.10e:

  • Added Czech internationalization module (reports only).

Version 7.0.10d, shipped January 21, 2005

Bugs fixed in version 7.0.10d:

  • Fixed a bug where use of complex filters would result in an "Unable to display page" error.

Version 7.0.10c, shipped January 20, 2005

Bugs fixed in version 7.0.10c:

  • Fixed a bug where profile creation would fail if the profile label contained uppercase letters.
  • Fixed the SL4_NT log format plug-in; removed an incorrect reference to "PIX" in a regexp.
  • Fixed a bug with the processing of EPOC times with fractional seconds (e.g. Squid format).

Version 7.0.10b, shipped January 20, 2005

Bugs fixed in version 7.0.10b:

  • Fixed a bug where profile creation would fail if the profile label contained uppercase letters.
  • Fixed the SL4_NT log format plug-in; removed an incorrect reference to "PIX" in a regexp.
  • Fixed a bug where EPOC format times with fractional seconds were not handled properly.

Version 7.0.10a, shipped January 20, 2005

Bugs fixed in version 7.0.10a:

  • Fixed a bug which would cause the server to exit after 1 hour.

Version 7.0.10, shipped January 18, 2005

Bugs fixed in version 7.0.10:

  • Fixed a bug in Common Access Log Format with full URLs, which would cause an error message about a missing "worm" field, when log data was processed.
  • Fixed a compilation bug which caused an error when building from source with the latest g++.
  • Fixed a bug in displaying multiple nonnumerical columns in reports from mysql
  • Fixed bug where errors during command-line report generation were not reported.
  • Fixed bug in mysql extract of date time reports
  • Fixed bug where using session filters could sometimes cause an error about 'report_element_number'.
  • Fixed a bug which would cause an error when build a database from the command line with "-v p" debugging output, if a field value contained a dollar sign.
  • Fixed a bug which could cause incorrect numerical results in reports when using a MySQL database, if field values were more than 150 characters long.
  • Fixed bug in v6-to-v7 profile converter where if an option contained a \, the conversion would be incorrect or would fail.
  • Fixed bug where showing matching files for directory containing a $ caused an error.
  • Fixed a bug where log entries were not properly accepted when their collected_entry_lifespan ran out.
  • Fixed a bug where the "paths through a page" report could crash if the page field was not called "page".
  • Fixed a bug which caused database updates and merges to use more memory than they needed to.
  • Fixed a bug where multiprocessor database updates using the internal database would fail with a progress error.
  • Fixed a bug where the main progress bar percentage was wrong when using multiple log sources.
  • Fixed bug where profiles whose names started with an underscore were omitted from the list.
  • Fixed a bug in the v6-to-v7 configuration converter which did not convert session tracking fields properly.
  • Fixed a bug in the v6-to-v7 configuration converter which did not convert date_graph report elements properly.
  • Fixed a bug in progress prediction which caused an error when displaying multi-table reports containing non-session report elements followed by session report elements.
  • Fixed a bug where the license manager allowed the creation of one too many profiles (e.g. six profiles could be used with five-profile licensing).
  • Fixed bug where when multiple fields were zoomed simultaneously, the display could format some of them incorrectly in some cases
  • Fixed a bug which would cause an error if the "extra options" field in the Scheduler contained more than one type of quotes.
  • Fixed several problems with Apache Custom format string handling, including a problem where %v was not handled correctly.
  • Fixed a bug where new profiles would not be seen by the Scheduler; the Scheduler was caching the profiles list, and changes to that list (deletions or additions of profiles) would not be noticed by the Scheduler until the process was restarted.
  • Fixed bug in Free Radius format which prevented the session_time and delay_time fields from being tracked.
  • Fixed a bug where the Date/Time info did not show up in reports when generated from the command line or via Scheduler.
  • Fixed bug where it was not possible to zoom to a "user" when a "user" database field existed.
  • Fixed a bug where values such as /{default} did not get converted as specified in the display_format_type.
  • Fixed a bug where a log source error, i.e. invalid FTP user name, would cause a javascript error.
  • Fixed a bug in the Single-page summary where changing the row numbers or table options of a report element did not have any effect.
  • Fixed a bug where Progress display hangs up in the IE web browser when showing a large number of steps.
  • Fixed a bug where parenthesized items were not properly omitted in reports generated from a MySQL database.
  • Fixed a bug which could cause a MySQL syntax error message when displaying a table with multiple non-numerical columns.
  • Fixed a bug which could cause a MySQL syntax error message when zooming into a hierarchy.
  • Worked around a bug (possible a bug in MacOS) where under low memory conditions on MacOS, the database could become corrupted, resulting in an internal error in itemnums.cpp.
  • Added German internationalization to the standard distribution.

New features in 7.0.10:

  • Fixed/improved Cisco PIX format to parse lines with duration fields.
  • Added support for bpft4 log format without interface.
  • Enhanced Unix Sendmail in several ways: 1) added tracking of additional numerical fields, including delay, xdelay, and number of recipients, 2) added support for processing of sendmail logs with any syslog server, 3) changed senders field to hierarchical.
  • Enhanced Unix Syslog to report empty logging devices when that field is missing, and to support loglevel information at the beginning of the line.
  • Added recognition of the .name domains extensions.
  • Improved IIS SMTP log format to autodetect a slightly variant, and to track emails properly even if there is a space after RCPT TO: or MAIL FROM: in the SMTP message.
  • Improved Exim 4 log format to extract "from" and "to" information from every entry, even if the entry is an unrecognized format.
  • Added a Search button to the documentation.
  • Added support for Kiwi (yyyy-mm-dd dates) log format.
  • Improved NetApp55 format to track full client IPs by default.
  • Improved 'within' expressions in command-line filters, to support complex expressions, e.g. 'page within "con" . "catenation"'.
  • Added support for Cisco NetFlow (version 1) log format.
  • Added support for Neoteris Log Format.
  • Improved NetScreen log format that to track the device-id field and to strip out the <000> from the ICMP-type.
  • Improved Symantec Gateway Security log format to track client_destination, improve report layout, and fix notes field extraction.
  • Added support for Cisco NetFlow (no dates) log format.
  • Added support for Microsoft Exchange Server 2000 Log Format (comma separated).
  • Added support for literal line breaks in log filters (and other config node values).
  • Enhanced NTSyslog format to report severity and source separately.
  • Added support for Coradiant Log Format (object tracking).
  • Added support for EPOC times in milliseconds.
  • Added support for Argus log format.
  • Added support for Unicode in .cfg files.
  • Added support for Optima log format.
  • Added support for SLNT4 log format.
  • Added support for Check Point SNMP Log Format.
  • Added support for user-updated GeoIP database; removed auto-download of GeoIP database.
  • Added support for SafeSquid Log Format.
  • Added support for DLink DI-804HV Ethernet Broadband VPN Router Log Format.
  • Loosened license key restrictions to allow upper case and leading/trailing whitespace in license keys.
  • Improved TrendMicro/eManager Spam Filter Log Format to handle a variant.
  • Improved FortiGate Comma Separated Log Format to track more fields, to track all numerical fields, an to group reports.
  • Enhanced Cisco VPN Concentrator (Comma separated - MMDDYYYY) format -- added tracking of all numerical fields, improved log processing performance, and added support for a variant format.
  • Fixed a bug that was causing reports emailed by a Sawmill install running on a Windows platform to be incorrectly generated. Viewing of emailed reports would show broken links for inline images in reports.
  • Added links to URLs in tables, to open a new web browser window showing the page referred to in the table.
  • Added graphical Log Filter Editor, for building log filters using a user-friendly graphical interface.
  • Added a Cancel button to progress pages.
  • Added paging to report tables, e.g. show rows 1-20, then page forward to 21-40, etc.
  • Improved the Table Options report to add additional options, including "only bottom-level items", parenthesized items, omitted items row, averages row, totals row, and maximum number of rows.
  • Disabled sorting on Log Details report -- sorting cannot be done effectively on such a large table, and the halfway implementation that was being used, which sorted only the visible rows, was confusing, and worse than no sort.
  • Added row numbers and improved styling of "paths through a page" report.
  • Added support for maximum_continuous_text_length and maximum_continuous_text_length_offset to "paths through a page" and "session paths" reports.
  • Improved global filter web interface to add automatic selection of global filter set when a filter is defined.
  • Added support for non-ASCII characters in profile labels.
  • Improved line breaking algorithm.
  • Added support for Syslog NG Log Format (no date in log data; yyyymmdd date in filename).
  • Enhanced Merak SMTP Log Format to handle a new format.
  • Added support for MailSweeper (24 Hour) Log Format.

Version 7.0.9a, shipped November 26, 2004

Bugs fixed in version 7.0.9a:

  • Fixed a bug which caused an error on initial access in CGI mode.

Version 7.0.9, shipped November 24, 2004

Bugs fixed in version 7.0.9:

  • Fixed bug where indices were not built properly in an MP build if build_xref_tables_and_indices_simultaneously was true.
  • Fixed several bugs which caused some task events to not be logged to the TaskLog, including END_TASK events for sending email, BEGIN_TASK events for almost everything else, and error events.
  • Fixed a bug in Apache/NCSA Combined Format With Cookie Last which caused all session reports to generate an error.
  • Fixed a bug with tcpdump format which would cause an error about a missing 'direction' field when processing log data.
  • Fixed a bug in DNS where the timeout interval specified in the profile was not used, resulting in 60-second timeouts for all DNS queries (instead of the correct default of 5 seconds). This could greatly slow log processing when DNS was on, if the DNS server was slow or many IP addresses did not resolve.
  • Fixed a bug where if 'all profiles' were used for scheduled task, the task would be done simultaneously for all profiles, rather than sequentially.
  • Fixed bug where two sequential double-quotes in CSV data would be treated as the end of a field, instead of as an escaped double-quote
  • Fixed a bug which would cause a crash if the numerical field needed by the session reports was not tracked, but session reports were present
  • Fixed a bug where if build_xref_tables_during_log_processing or build_indices_during_log_processing are true it would still rebuild the indices at the end of processing.
  • Fixed a bug where if the tuning options were set to build indices while processing data, the hierarchies would not be built, resulting in errors when displaying reports.
  • Fixed a bug which could cause an error while processing WebSTAR "common log format" files.
  • Fixed bug Sawmill wasn't rebuilding xref's when updating database
  • Fixed a bug where if an xref table contained only "unique" numerical fields (e.g. if a profile tracked only visitor information), data could be lost when expanding the xref table, resulting in missing items in reports.
  • Fixed a bug where certain special characters in regular expressions did not work properly in report filters.
  • Fixed bug where single-quotes in command line filters would cause a syntax error.
  • Fixed a bug where x-timestamp fields were not handled properly in W3C log data.
  • Fixed a bug in Netwall log format which would cause an error while processing data.
  • Fixed a bug where complex filters on very large datasets would cause reports to fail.
  • Fixed bug where when build_xref_tables_during_log_processing was true, date/time information and hierarchies were not built properly.
  • Fixed a bug which could cause a crash on Windows if an invalid license was entered.
  • Fixed a bug which could cause conversions of version 6.4 configurations to 7.0 profiles to fail.
  • Fixed bug where desktop files did not appear correctly in the file browser on Windows.
  • Fixed bug where data could be loaded into the wrong database fields on a database update, in log formats which include format data in the log data (e.g. W3C), if the profile's log field order did not match that of the log data. This should be handled by saving and restoring the last format line when starting the update, but that was not working properly, so the parser was reverting to the profile's field list; if that list did not match the actual data, it would parse it incorrectly.
  • Fixed a bug where the use of the -df option omitted the display of "Start/End date" and "Days covered" in the Overview and Sessions Overview report.
  • Removed dashes in line breaks when splitting large items in report tables; changed to
    tags.
  • Modified error reporting to work around issues with some popup blockers.
  • Fixed a bug where usernames were not converted properly to valid "internal" names, resulting in errors for certain operations.
  • Added a regular expression check regular expressions entered as global filter expressions, fixing a bug where an invalid regular expression would disable the reporting interface.
  • Fixed a display problem with the date range picker which appeared in Netscape, Mozilla and Firefox web browsers.
  • Fixed a bug in the date range picker where the date range picker did not show the active set date range upon opening the date range picker.
  • Added MySQL database name validation in new profiles wizard and config, fixing an error which occurred when the database name was not a valid MySQL database name.

New features in 7.0.9:

  • Added support for multiple zoom. This is a significant interface enhancement which provides the ability to "zoom" any number of levels deep into any number of fields, simultaneously.
  • Added support for zoom on "session users" report.
  • Added support for IP Sentry log format.
  • Improved ipfw log format to understand accept vs deny and TCP vs UDP.
  • Added support for Apache SSL Request Log Format.
  • Added detection and reporting of Firefox browser.
  • Added support for CiscoWorks log format
  • Improved support for Serv-U FTPD log format, to report file and directory deletion events.
  • Added support for Gene6 FTP Log Format.
  • Enhanced Cisco VPN Concentrator (Alt) Log Format to track outbound bandwidth and session durations.
  • Added support for duration values h:m:s format in log data.
  • Added support for Squid WELF log format.
  • Added support for Clavister Firewall Syslog Log Format.
  • Improved support for Clavister Firewall Log Format, to track many more log fields.
  • Fixed IP Traffic LAN Statistics Log Format, which was not extracting date information correctly.
  • Added support for Kerio Network Monitor HTTP Log Format.
  • Improved iptables format to process log data 4x-5x faster, and to report the rule and result fields.
  • Improved Symantec Gateway Security log format to track session information.
  • Improved SHOUTCast W3C log format to track more numerical fields.
  • Improved Interscan E-mail Viruswall Log Format to report "EMAIL" lines showing viruses detected.
  • Added tracking of file type to Symantec Gateway Security log format.
  • Added support for Cognos Ticket Server Log Format.
  • Improved NTSyslog support to track all event types and full messages.
  • Fixed and improved NetApp 5.5 log format to track bandwidth and time-taken, and to categorize report.
  • Enhanced Windows Event (Comma Delimited) Log Format to handle a different date format, and to handle multi-line CSV fields.
  • Enhanced tcpdump with interface format to support a slight variant.
  • Improved NTSyslog format to track all event codes.
  • Added support for Novell NetMail 3.5 Log Format.
  • Improved Exim 4 log format to handle local outbound delivery lines.
  • Added support for Nortel Contivity log format.
  • Added support for Watchguard Firebox v60 Log Format.
  • Added page names lookup and support for row numbers in the "paths through a page" report.
  • Added support for max row numbers on expand in "session paths" report.
  • Improved date display and global filter handling.

Version 7.0.8, shipped October 22, 2004

Bugs fixed in version 7.0.8:

  • Fixed a bug where the -f option did not work for emailed reports.
  • Fixed a bug where quotes in extra_options in scheduled tasks did not work properly on Windows.
  • Fixed bug where scheduled tasks would fail if there was no 'options' node. This caused all scheduled updates or rebuilds created from the Scheduler web interface to fail.
  • Fixed a bug where the entire_line keyword (in log filters) would generate an error.
  • Fixed a bug in eSafe session log format which would reject entries with empty field values.
  • Fixed a bug which could cause a JavaScript error when displaying the Profiles list for non-administrative users.
  • Fixed a bug in Scheduler, occurs with Safari web browser when adding a new Action, profile had to be selected twice that reports appear in reports list.
  • Fixed a bug in command lines where the -f option was ignored.
  • Fixed a bug in log filters view where left/right arrows (<>) in a log filter expression stripped any following log filters in the log filters view.
  • Modified filter display in reports so that command line filters are also displayed.
  • Fixed a bug where viewing reports from a completely empty database would generate an odd error about read-only non-existent hierarchy files
  • Fixed a bug where "action" emails did not work.
  • Fixed a bug in tracking of protocol field in NetScreen log format.
  • Fixed a bug where report email subjects containing variables or code sections were not properly expanded.
  • Added support for Bindview Windows Event log format.
  • Fixed a bug with LSMS Admin log format which caused an error while processing log data.
  • Fixed a bug where tracking an 'average' numerical field could result in an error when processing log data.
  • Fixed a bug where source/destination IP/port were not extracted properly from Raptor log data.
  • Fixed a bug where CSV export did not work in a multi-table report like Single-page summary.
  • Fixed a bug with Cold Fusion Application (CSV) format, which caused all entries to be rejected.
  • Fixed a bug where the TCP/IP socket timeout was set too low, resulting in early timeouts and FTP failures on slow networks.
  • Fixed problems with autodetection of certain files in Aladdin ESafe Sessions (with category) log format.

New features in 7.0.8:

  • Improved Serv-U FTP format -- added grouping of reports.
  • Added support for Syslog NG Log Format (no timezone).
  • Added support for Exim 4 log format.
  • Added support for Clavister Firewall Log Format log format.
  • Added support for Symantec Gateway Security 2 (CSV) Log Format.
  • Added a Preferences editor to the Admin page, for editing preferences (which previously had to be edited in the preferences.cfg file).
  • Added a charset option to the preferences, for selecting a different HTML charset for the web interface.
  • Improved language selection in the Preferences to provide a menu of installed languages.
  • Added a date_filter (-df) command line option for easy command-line date filtering (and for adding filters which appear in the Date Filter section of the report). This option supports simpler syntax than the -f option, e.g. -df Jan/2004-Mar/2005.
  • Added support for visible and visible_if_files in the reports_menu node. If the nodes visible and visible_if_files don't exist then they are automatically created prior the left menu becomes generated. Reports and report files can be switched on and off by setting visible and visible_if_files to true or false.
  • In log filters form, added a list of all log field names below the log filter expression input field.

Version 7.0.7, shipped October 07, 2004

Bugs fixed in version 7.0.7:

  • Fixed a bug where turning on action emails would cause an error.
  • Fixed a bug in ServU FTP which caused an error when processing log data.
  • Fixed a bug where the pathname of a failed file deletion was not reported.
  • Fixed a bug which caused an error when a generating report was cancelled by clicking on another one.
  • Fixed a bug which could cause an error when a non-administrative user viewed reports.
  • Fixed a bug where log filters tagged with requires_field would always be omitted (affects primarily W3C log formats).
  • Fixed bug which could display the wrong report when zooming into an item containing spaces or other unusual characters.
  • Fixed bug where yyyy/mm/dd hh:mm:ss time format did not work properly.
  • Fixed bug where h:mm:ss GMT time format did not work properly.
  • Fixed a bug in Firewall-1 header detection which could cause an error on profile creation.
  • Fixed a bug where Session reports would be created even for formats which did not support them.
  • Improved Cisco VPN Concentrator format to report duration, inbound bandwidth, and outbound bandwidth.
  • Fixed a bug where session filters were not editable in the Global Filters.
  • Fixed bug where non-English field labels could cause errors in configuration-to-profile converter
  • Fixed a bug where the log source list would not reload properly after deleting a log source.
  • Fixed a bug where the Config menu would break if you clicked a group too soon while it was loading.
  • Fixed bug in conversion of v6 profiles with log field of type generic non-hierarchical, which caused converted profiles to fail with an error when used.
  • Fixed sort() to handle {} codes; this fixes some cases where fields were sorted incorrectly in the web interface.
  • Fixed a bug where the progress page did not use the correct charset, resulting in strange letters and characters on non-English installations.
  • Fixed a bug where if a log source filename did not contain a pattern, and "process subdirectories" was checked, the wrong file would be processed (the first file in the directory, rather than the matching file).
  • Fixed bug where zoom did not work properly on items containing backslashes.
  • Fixed overview in mysql to give correct visitors count
  • Optimized build performance with indexes on xref files.
  • Fixed a bug where screen information was not extracted correctly in some cases.
  • Fixed a bug where running "sawmill -a bd" (without a -p options) would cause a crash; it now correctly generates an error saying that -p is required.
  • Fixed bug where the Scheduler information did not reload automatically when it was changed, so Scheduler changes would not take effect until the next restart.
  • Fixed bug where zoom did not work on an individual sessions (showed 0 events).
  • Fixed bug where visitors was not tracked properly for Microsoft Media Server log format (always showed 1 visitor).
  • Fixed a bug which could cause an error during log processing for certain log formats (including Blue Coat Squid) if the URL contained a $.
  • Fixed a bug where the radio buttons in the report Filters did not work properly with some browsers, with a button remaining selected even when another one had been clicked.
  • Fixed bug where database indices, uniques, and hierarchy tables were not compacted at the end of a database build, resulting in higher than necessary disk usage (using about 50% higher than necessary).
  • Fixed a bug where zoom could fail if certain odd characters were present in the value.
  • Fixed bug where HexEsc values appeared literally in pie chart legend values, rather than being converted properly.
  • Fixed a bug which could cause a crash if the report filter set was empty (e.g. a date range which did not contain any days in the database).
  • Fixed a bug where zooming to Single-page summary with a filter applied would generate an error on Windows.
  • Fixed a bug which could cause very high memory usage when viewing the Overview with a filter applied on a very complex field, in a very large dataset.
  • Fixed a bug which could cause a crash when displaying the Profile Summary page for a profile with an empty database.
  • Fixed a bug where FTP log sources could lose one file handle per file downloaded, eventually failing with an error.

New features in 7.0.7:

  • Enhanced support for Free Radius format -- added tracking of all numerical fields, and grouped reports.
  • Enhanced support for Sonic Wall and 3COM log format -- added tracking of "received" bandwidth field, and fixed a bug with missing args field.
  • Enhanced support for Symantec Gateway Security log format -- added tracking of numerical fields and grouped reports.
  • Enhanced ServU FTP tracking; added inbound and outbound bandwidth tracking.
  • Changed frame references to relative, so Sawmill can function in a subframe of a larger frameset.
  • Improved Firewall-1 reporting; added support for more fields; grouped reports.
  • Added support for mailscanner log format.
  • Improved the Overview to report averages-per-day and date range information.
  • Improved performance of parsing of the internal language; this greatly improves speed and interactivity while viewing statistics (and doing anything else in the web interface). Testing shows that loading of the Overview improved from 6 seconds to 0.5 seconds due to this change; other report performance is also improved, especially small reports.
  • Added support for Cisco ACNS with SmartFilter Log Format.
  • Added support for PsLogList Log Format.
  • Added support for SNMP Manager log format.
  • Added support for Trend Micro Interscan Web Security Suite log format.
  • Add tracking of policy_id field for NetScreen.
  • Added support for Argsoft Mail Server Log Format.
  • Added support for Essbase log format.
  • Added support for a variant of PIX Firewall Syslog Server log format (with no year).
  • Added support for Cisco ACNS SmartFilter log format.
  • Improved memory usage for complex queries involving direct scans of the main table and indices.
  • Added support for Watchguard Firebox V60 Log Format.
  • Improved Plesk web server support; grouped reports and added tracking of a few additional fields.
  • Changed the password display for FTP log sources in the Config section so it displays bullets instead of the password itself.
  • Added support for a default_report_on_zoom option in each report, which specifies the default value for the "zoom" menu (i.e. the report that clicks automatically zoom to).
  • Greatly extends the Scheduler web interface, providing graphical access to the most common option for each type of task.

Version 7.0.6, shipped September 07, 2004

Bugs fixed in version 7.0.6:

  • Fixed a bug which could cause an error on the 'paths through a page' report.
  • Fixed a problem with Fortinet log format which could cause an internal error.
  • Fixed a bug where Apache Custom formats sometimes did not parse correctly on Windows.
  • Fixed a bug in the reporting of microsecond fields, where the fractional part could be displayed as a negative number.
  • Fixed a bug where certain slightly corrupt v6 configurations were not converted properly by the configuration-to-profile converter.
  • Fixed a bug where FTP log sources were not converted properly by the configuration-to-profile converter.
  • Fixed a bug where local log sources with backslashes in them were not converted properly by the configuration-to-profile converter.
  • Fixed a bug which could cause crashes or other odd error when displaying tables with subtables, and with durations.
  • Fixed bug which caused an error when selecting a page which existed but had no events, in paths through a page.
  • Fixed a bug where CSV export failed from single-page summary and other multi-element reports.
  • Fixed a bug where multiprocessor builds would fail if build_indices_in_threads was turned off.
  • Fixed MySQL support of WELF logformat.
  • Fixed a bug where right-to-left hierarchy fields (e.g. emails) were grouped left-to-right.
  • Fixed a bug where single quotes in extra options in Scheduled tasks were not handled properly.
  • Fixed a bug where date_time would not appear in log detail if it was derived from separate date and time log fields.
  • Fixed a bug where IPs were grouped right-to-left in some cases, instead of left to right.
  • Fixed a bug which could cause an error when using generate_all_report_files.
  • Fixed a bug where maximum_session_duration was not applied to sessions ending in timeout.
  • Fixed a bug which could cause a progress sequence error when zooming to a session report with a filter set that had no session events in it.
  • Fixed a bug where zooming to the Single-page summary on Windows could generate an error.
  • Fixed a bug where temporary log files were cleaned up while still in use, resulting in errors when processing compressed log files by HTTP on Windows.
  • Fixed a bug which could result in an error (and a crash) when displaying a report with session filters on Windows.
  • Fixed a bug where $'s were treated literally in log filter comments and labels.
  • Fixed a bug which would cause a progress sequence error when using multiple HTTP log sources.
  • Fixed a bug where the arrows next to report groups sometimes disappeared or did not appear.

New features in 7.0.6:

  • Improved Apache Custom log format to track time taken and bandwidth, when present; also categorized some additional reports.
  • Improved Helix (Format 5) log format tracking, added support for 20+ new numerical fields, added extraction of Stat1, Stat2, Stat4, and CPU sections, added language-independent reporting of some fields, and categorized reports.
  • Made licenses.cfg optional -- if it's not there, it's the same as it being there with no licenses installed. This makes it easier to delete all licenses manually.
  • Switched to Window-style line endings (CRLF instead of LP) when running on Windows, to make it easier to edit configuration files with Notepad and other editors which don't understand LF line endings.
  • Added support for Digital Insight Magnet log format.
  • Added support for Aladdin eSafe format with URL category.
  • Added support for Bindview User Reporting log format.
  • Improved Snort Standalone format autodetection to handle a wider range of variants.
  • Improved ISA analysis; added bandwidth tracking (inbound and outbound), and grouped reports.
  • Fixed a bug in ISA format which caused an error when cs-uri-query was absent.
  • Improved ISA analysis; added bandwidth tracking (inbound and outbound), and grouped reports.
  • Added treat_apostrophes_as_quotes option, which is useful for logs where apostrophes (single quotes) appear literally in field values, and are not intended as quotation marks.
  • Improved CSV export to be sorted as it is in the original table.
  • Improved the performance of the .= operation in the configuration language; this *greatly* improves the performance of CSV export for large tables (table with tens of thousands or rows) reducing export times from several hours to several seconds.
  • Added -a llf and -a ldf command-line options to list log fields and database fields (internal names) from the command lie.
  • Improved performance of cross-reference table generation in MySQL databases with visitor tracking.
  • Improved Users page to allow full editing of all user attributes.
  • Improved progress page to wait up to 10 seconds for a report before starting the progress sequence; this improves response times for fast reports.

Version 7.0.5, shipped August 29, 2004

Bugs fixed in version 7.0.5:

  • Fixed report_email_subject, which had no effect.
  • Fixed a bug where CSV export from the reports would fail on case-sensitive operating systems.
  • Fixed iChain format for logs without src field.
  • Added support for Bindview Reporting log format.
  • Fixed a problem where the MacOS 10.2 build did not work properly on 10.2 (worked only on 10.3!).
  • Fixed a bug where zooming in on 'default page' items would give all 0's

New features in 7.0.5:

  • Eliminated some unnecessary configuration file reads, improving overall performance for general interface navigation.
  • Added support for ISS log format.
  • Added support for Cisco AS5300 log format.
  • Improved Microsoft Media format -- categorized more reports.
  • Added unique client IP tracking for Exchange 2000 log format.
  • Enhanced GTA GBWare format to track URLs.
  • Fixed/improved Netscape format.

Version 7.0.4, shipped August 24, 2004

Bugs fixed in version 7.0.4:

  • Fixed a bug where report headers and footers did not appear in the reports.
  • Fixed a bug where the licensing manager permitted one less profile than the number actually licensed.
  • Fixed bug where single-page summary had the same label for each table.
  • Fixed a bug where the encrypted source distribution would not build if MySQL was not installed.
  • Fixed GFI Spam log format.
  • Fixed GFI Attachment and Content log format.

New features in 7.0.4:

  • Streamlined Helix log format (greatly improved log processing performance, added support for all numerical fields).
  • Improved Netscape format to handle missing referrer field, and to group reports.
  • Fixed a bug where "-a rcrt" did not work for SQL databases.

Version 7.0.3, shipped August 23, 2004

Bugs fixed in version 7.0.3:

  • Fixed a bug where some different IP addresses were counted as the same.
  • Fixed a bug where date ranges starting or ending on the 9th day of a month did not work properly.
  • Fixed a bug where the Scheduler did not run tasks properly when "extra options" was "none".
  • Fixed a bug where dollar signs in log filters disappeared when you saved the filter.
  • Fixed a bug where non-administrators could see the Licensing page and other administrative pages.
  • Improved zoom so zooming in on a single item which has no subitems would display a table with just that item, instead of displaying an empty table of its subitems.
  • Fixed a bug where all entries were rejected when using IronMail SMTP Proxy log format.
  • Fixed a bug where MSN search engine hits were not tracked properly.
  • Fixed a bug where if a local log source included a simple filename as the "pattern" and was set to recurse directories, occurrences of that filename in subdirectories would not be matched.
  • Fixed a bug where conversion of a v6 configuration to a v7 profile would fail with an error about "export_pathname" not being defined.
  • Fixed a bug which caused an error when creating a profile from Microsoft Exchange Server 2000 Log Format data.
  • Fixed a bug in which the Create/Update Many Profiles feature was missing from the templates.

New features in 7.0.3:

  • Added CSV export to the reports, allowing any table to be exported in comma-separated format.
  • Added support for GTA GBWare Firewall log format.
  • Greatly enhanced Snare support, adding tracking of many additional fields, and categorization of reports.
  • Improved the Scheduler to look better and group tasks by type; added link to Scheduler from Admin menu.
  • Added a basic user editor, for creating users (and their password checksums). Advanced user editing must still be done in users.cfg, but this eliminates the need for a third-party MD5 checksum generator.
  • Added support for multiple report elements (e.g. tables) in a single report. Added a "Single-page summary" report which shows all major report tables in a single report.
  • Added a new "-a lp" command line option to list the internal names of the profiles.
  • Added a new "-a lr" command line option to list the internal names of the reports in a particular profile.

Version 7.0.2, shipped August 14, 2004

Bugs fixed in version 7.0.2:

  • Fixed a bug which could cause crashes during log processing.
  • Fixed a bug where database fields which used aggregation operators "average" and "maximum" and "minimum" were still being reported as sums.
  • Fixed a bug where entire_line did not work in log filters. This caused build error for IIS SMTP log format.
  • Fixed a bug which could cause a crash if a Global Filter referred to a non-existent value.
  • Fixed bug which could cause crash when zooming in on table build from main database table.
  • Fixed a bug which could cause an error when using a command-line log source.
  • Fixed a bug which could cause a progress sequence error when viewing the Overview with session filters active.
  • Fixed a bug which could cause crashes in odd situations when using visitors.
  • Fixed bug where the session duration was slightly off in the Individual Sessions report.
  • Fixed a bug where graphs showed the last numerical field, rather than the first, by default.
  • Fixed a bug where session information could be wrong if data was added to the database out of order.
  • Fixed bug which could cause an error on the first CGI mode access.
  • Moved and combined the internal lang_*.directory_word and lang_*.directories_word variables into lang_stats.directory and lang_stats.directories; this fixed a few errors in the documentation.
  • Fixed a bug where zooming on URLs did not work with Microsoft Media Server format and a MySQL database.
  • Fixed a bug which could cause an error on database update, on Windows.
  • Fixed a bug where "average" columns did not display correctly in tables.
  • Added a page when using Trial licensing, asking if the trial should be Enterprise or Professional.
  • Fixed bug where visitor numbers were not updated properly on database update.
  • Fixed a bug where the -f option was ignore for remove_database_data and some other actions.
  • Fixed a cosmetic issue where the command-line progress display would sometimes overlap the next command prompt.
  • Fixed a bug where the "total" column in tables contained a sum of the column even for "unique" fields like visitors. Sums of uniques are meaningless, so the "total" cell for unique fields has been changed to a dash.
  • Fixed a bug in IIS FTP log format which rejected all "sent" log entries.
  • Fixed a bug with Declude Spam format which caused an error when creating a profile.
  • Improved/fixed WebSTAR format (added support for tracking of transfer time field, fixed visitor tracking, and grouped reports).
  • Fixed a bug where error sometimes were reported on the console but not in the web interface.
  • Fixed a bug where browsing to directories containing files or folders with $ in their names would generate an error.
  • Fixed a bug which could cause error in W3C log data with a localtime field.
  • Fixed a bug which caused an error with certain sorts on tables with subtables.
  • Fixed a problem where the Sawmill window sometimes came up as a back window when clicking Use Sawmill.

New features in 7.0.2:

  • Added start time and end time columns to Individual Sessions; sorting by start time provides chronological sort.
  • Added support for UTF-8 encoded log data.
  • Added a link to the Licensing page from the Admin column.
  • Added the product name, version, and licensing to the header bar.
  • Fixed/enhanced IIS FTP log format support.
  • Added a binary distribution for RedHat 7.
  • Improved/fixed Helix Universal format.

Version 7.0.1, shipped August 07, 2004

Bugs fixed in version 7.0.1:

  • Fixed the MacOS X application icon, which was still a v6 icon.
  • Fixed the image in the MacOS window which was still a v6 icon, and the version number of the MacOS X application, which was v6.
  • Fixed a bug in the language parser, which would cause syntax errors when a variable name started with "not". This affected SGS format in particular.
  • Fixed a problem with log formats which used "listed" field names to collect values, and the listed names were uppercase or contained spaces. This affected SGS format in particular.
  • Fixed a bug where log formats were not sorted alphabetically in the format list.
  • Fixed a bug where files and directories were sometimes not sorted alphabetically in the Browse window.
  • Fixed a bug in SGS format where the entire first line was treated as a field name.
  • Changed login cookies to coexist with v6 installation.
  • Fixed a bug which caused all log entries to be rejected in log formats with mmdd date format (including Snort Standalone).
  • Fixed a bug where numbers were not carried over properly in some cases during cross-reference table expansion, potentially resulting in underreported numbers in xref-based reports.
  • Fixed a bug which could cause a crash on database update.
  • Fixed a bug in the "next" statement of the internal language, where it did not properly skip the remaining content of the loop. This caused the profile list to incorrectly show all profiles even when a user was not authenticated to view them all.
  • Fixed support for Blue Coat Custom log format.
  • Fixed Blue Coat IM support.
  • Fixed bug where v6 trials counted against the number of times you could try the v7 trial.
  • Fixed bandwidth (inbound and outbound) and time-taken tracking to IIS W3C format.

New features in 7.0.1:

  • Allowed viewing of documentation without logging in.
  • Switched to transparent PNG format for logo so the background color of the web interface can be changed.
  • Fixed a bug which could cause a crash when rebuilding a MySQL database.
  • Made charset customizable in language modules, so it could be customized in non-Enterprise installations.
  • Updated the reports page of the documentation, which was missed during the update to v7.
  • Added a DNS Lookup section to the Config, for easy graphical access to the DNS options.

Version 7.0.0, shipped August 01, 2004

Bugs fixed in version 7.0.0:

  • Fixed a bug which could generate an error when processing IIS logs (and some other types of logs).
  • Fixed a bug which limited table values to 12 characters.
  • Fixed a bug where the number of sessions (or the number of "more sessions") was wrong in the paths report.
  • Fixed a bug where sections of the tree did not expand properly in the paths report when using MySQL.
  • Fixed a bug where the sort direction was not set properly for some session reports.
  • Fixed bug where look_up_ip_numbers had no effect.

New features in 7.0.0:

  • Enhanced file mapping to use read-only maps when appropriate. This eliminates some types of database contention errors, by allowing multiple processes to read the database at the same time without permission issues (this was particularly a problem on Windows).
  • Added template checksum verification; i.e. added enforcement of restrictions on template editing for non-Enterprise licenses.

Version 7.0b18, shipped July 29, 2004

Bugs fixed in version 7.0b18:

  • Fixed a bug where the sort radio buttons in the Table Options did not deselect properly when using Safari.
  • Fixed a bug in sorting where a prefix and the string it prefixed were not ordered consistently in the sort.
  • Fixed bug which could cause a "permission denied" error when building a database with multiple processors on Windows.
  • Fixed bug which could cause crashes when using FTP or HTTP log sources.
  • Fixed a bug where non-session-events were appearing in the sessions reports.
  • Fixed bug where report cache was not cleared on database build.
  • Fixed a bug which could cause an 'Attempt to use GetFieldLimit' error when using certain filters.
  • Fixed bug where date range max was incorrect if data was added out of order to the database.

New features in 7.0b18:

  • Added support for Apache Custom and Blue Coat Custom log formats (with log format strings).
  • Added support for UTF-8 encoding in configuration files.
  • Added options to build indices and/or xref tables in the main thread during multiprocessor builds, which can be faster if disk I/O is slow.
  • Switched to a more compact duration format for "time spent" columns. in the sort.
  • Improved zoom on multi-field tables so all fields are filtered, instead of just the first column.
  • Added support for per-report and per-report-element filters.
  • Optimized performance for log building, especially for multiprocessor builds.
  • Added support for multiprocessor database builds with MySQL.

Version 7.0b17, shipped July 24, 2004

Bugs fixed in version 7.0b17:

  • Added a graphical scale to table bars.
  • Fixed several bugs in table options.
  • Fixed a bug where CGI mode generated an immediate error when first using it.
  • Fixed a bug where clicking to zoom in on a table would only work one level deep.
  • Fixed a bug with progress reporting which could cause progress reports to never appear for certain operations.
  • Fixed a bug which could cause some log entries to be ignored when DNS lookup was turned on.
  • Fixed a bug where during a database merge operation (update database or multithreaded build), would keep all indices mapped to memory, using much more memory than was really required for the merge.
  • Fixed a bug causing error "Couldn't find node filters in volatile".
  • Fixed a bug where the case sensitivity setting in log fields did not work -- all comparisons were case sensitive.
  • Fixed bug where passive mode FTP was not working properly.
  • Fixed export_csv_table, which was giving an error when used from the command line.

New features in 7.0b17:

  • Added an 'other items' slice to pie charts

Version 7.0b16, shipped July 21, 2004

Bugs fixed in version 7.0b16:

  • Fixed a bug which would cause an error while processing SonicWall logs.
  • Fixed bug where date/time tables were empty in some cases, in profiles without session tracking.
  • Fixed bug where errors which occurred during operations with progress displays were not reported.
  • Fixed a bug where session paths showed the same number of users for each path.

New features in 7.0b16:

  • Updated the FAQ to reflect changes from version 6 to version 7.

Version 7.0b15, shipped July 18, 2004

Bugs fixed in version 7.0b15:

  • Fixed a bug where removing data from the database based on a date/time comparison filter would not actually remove anything.
  • Fixed a bug where some files (usually secondary files like CSS or JS files) sometimes would not load in some web browsers, which prevented some pages from rendering.
  • Fixed a bug which could result in a progress sequence error when updating a database.
  • Fixed bug where xref-based filtered did not work on tables unless they filtered field was also a column of the table.
  • Fixed a bug where bottom-level item lists were computed incorrectly in some cases; this could result in items disappearing from graphs or tables.

New features in 7.0b15:

  • Added the "global filter editor" for creating filters which affect all reports, and which remain active as you switch from report to report.

Version 7.0b14, shipped July 17, 2004

Bugs fixed in version 7.0b14:

  • Fixed a bug where the progress indicator could stop updating during certain long operations.
  • Fixed bug which could an error while removing lock file when building on Windows with multiple processors.
  • Fixed bug which could cause Permission Denied error on Windows when doing a multiprocessor build.

New features in 7.0b14:

  • Improved performance (about 40x) of rendering large tables with subtables.

Version 7.0b13, shipped July 14, 2004

Bugs fixed in version 7.0b13:

  • Fixed a bug where an error would occur if MySQL libraries were not installed, even if MySQL was not used.
  • Fixed a bug which could cause an error if a table value contained a $.
  • Fixed a bug which would generate an error while attempting to draw pie charts based on integer fields.
  • Fixed a bug where the cancel file was not removed when a report was cancelled. This could cause the report to be automatically cancelled when it was visited again later. This would appear as a progress display which stopped updating.
  • Fixed an error in the Users page of the technical manual. for the first time.
  • Fixed a bug where if visitor tracking was on in IIS logs, IPs would be grouped incorrectly hierarchically.
  • Fixed a bug where a database update would not be reflected in the database information, if no data was added.

New features in 7.0b13:

  • Changed the default size of pie charts to 200x200.
  • Added ability to switch trial license features from Enterprise to Professional in the licensing page.
  • Fixed a bug which would cause a "can't drop table" error when using a MySQL database for the first time.
  • Added quotes to language module values in a few places.

Version 7.0b12, shipped July 11, 2004

Bugs fixed in version 7.0b12:

  • Fixed a bug in the graphical progress indicator where the remaining time could be displayed incorrectly while skipping previously-seen log data during an update.
  • Fixed a bug where when using a MySQL database, non-unique numerical values were displayed incorrectly in tables, when tables were generated from cross-reference tables.
  • Fixed several issues with the analysis of old-style WebSTAR logs.

New features in 7.0b12:

  • Updated all Technical Manual chapters to be in line with version 7. (FAQ is still not completely updated, and often refers to v6 features and procedures).

Version 7.0b11, shipped June 27, 2004

Bugs fixed in version 7.0b11:

  • Fixed a bug which could cause an error when clicking the Date Range control.

New features in 7.0b11:

  • Added tables with subtables, a new way to break down a two-column table. Instead of just listing all pairs of values spreadsheet style, this generates a subtable for each item in the first column, grouping all of the second-column values for that item together. It sorts the table by subtable, and sorts the subtable by second column values. This is a more intuitive and useful breakdown than spreadsheet-style, in many cases.
  • Added a "Search phrases by search engine" report which uses the new subtables feature to show a list of search engines, and the search phrases for each search engine, in a single report.
  • Improved debugging output to use an environment variable, so it does not appear by default.
  • Added the Single-Page Summary, similar to how it was in v6. This is actually broken at the moment, apparently due to a bug in our support for reports with multiple report elements, but most of the work is done for it, so it should work as soon as we get that bug fixed.
  • Added support for tracking of unique fields (like visitors) in cross-reference groups, with MySQL.
  • Added conversion of v6 configs to v7 profiles (put configs in LogAnalysisInfo/Configs and run command line "sawmill -a cc"). This is an extremely complicated and detailed process, and the chance that it's working perfectly on the first try is zero. Please report problems you see in converted configurations!

Version 7.0b10, shipped June 23, 2004

Bugs fixed in version 7.0b10:

  • Fixed bug with Seconds-since-1970 header format which prevented a data from being analyzed (affected most Squid logs).
  • Fixed bug with Cisco VNC Concentrator and a few other log formats.
  • Fixed bug with Squid format which prevented a profile from being created.
  • Fixed a few problems with trailing slashes on drive names in Windows (when browsing), and with UNC drive names.
  • Fixed a bug with selecting years in the Calendar.
  • Fixed performance issue with multi-field tables. Tables containing two complex fields now display hundreds or thousands of times faster.
  • Fixed a bug in the source distribution where the build would attempt to use MySQL even if it was not installed on the system.
  • Fixed bug with Exchange format and other formats using carryover collection parsing, which could cause a crash.
  • Fixed a bug where Log Detail showed one more row than actually existed, causing odd errors (usually about date_time not existing) and crashes.
  • Fixed Postfix log format, and other formats which use the "rekey" operation.
  • Fixed IIS FTP log format, and fixed field names in a few other formats.
  • Fixed some broken links in the docs, and the FAQ.
  • Fixed a bug where Browse did not give any results when clicked with nothing in the Pathname field, on MacOS or UNIX.

New features in 7.0b10:

  • Reworked File Manager to provide easier navigation; fixed issues with File Manager on MacOS.
  • Implemented Logout link, to clear the login cookies and take you to the login page (or the logout URL, if specified).
  • Changed database modification time to local time, rather than GM time.
  • Added improved worm detection, including detection of Sasser and Sharepoint worms.

Version 7.0b9, shipped June 19, 2004

Bugs fixed in version 7.0b9:

  • Fixed a bug in the source distribution where the build would attempt to use MySQL even if it was not installed on the system.
  • Fixed bug with Exchange format and other formats using carryover collection parsing, which could cause a crash.
  • Fixed a bug where Log Detail showed one more row than actually existed, causing odd errors (usually about date_time not existing) and crashes.
  • Fixed Postfix log format, and other formats which use the "rekey" operation.
  • Fixed IIS FTP log format, and fixed field names in a few other formats.
  • Fixed some broken links in the docs, and the FAQ.
  • Fixed a bug where Browse did not give any results when clicked with nothing in the Pathname field, on MacOS or UNIX.

New features in 7.0b9:

  • Implemented Logout link, to clear the login cookies and take you to the login page (or the logout URL, if specified).
  • Changed databse modification time to local time, rather than GM time.
  • Added improved worm detection, including detection of Sasser and Sharepoint worms.

Version 7.0b8, shipped June 16, 2004

Bugs fixed in version 7.0b8:

  • Fixed bug with yyyy-mm-dd date format where all dates were considered corrupt.
  • Fixed a bug where if the log source was empty, it would generate an error about not being able to find allow_empty_log_source.
  • Fixed a bug which caused an error when analyzing IIS logs without a referrer field.
  • Fixed a bug where bars would sometimes not be the right length in tables.
  • Fixed a bug with quotes in parsing filters of log format plug-ins.
  • Fixed a bug with field names in regexp_listed parsing filters, which could cause a crash. This affected FortGate log format, and others.
  • Fixed a bug with field names in regexp_listed parsing filters, where the field names were not converted properly. This affected FortGate log format, and others.

New features in 7.0b8:

  • Moved most/all of the GUI into language modules, making complete translations possible.
  • Fixed/improved support for Quicktime Streaming server format. Fixed several bugs preventing the format from being analyzed properly; added support for all numerical fields; and categorized reports.
  • Added support for MySQL database names different from the profile name.
  • Added support for pie charts.
  • Improved search engine strings so handle international search engines (used strings from v6.5).
  • Added trigonometric functions (sin, cos, etc.) to the internal language.
  • Fixed problem with PIX/IOS and other formats using single-quote in parsing filters.
  • Improved SonicWall log format; added categorization of reports.
  • Improved Fortigate log format; added categorization of reports.

Version 7.0b7, shipped June 12, 2004

Bugs fixed in version 7.0b7:

  • Fixed bug where parsing filters with regular expressions containing single quotes could cause errors.
  • Fixed/enhanced Cisco PIX/IOS support.
  • Fixed/enhanced Netscreen support.
  • Fixed bug where displaying session paths generated a progress sequence error.
  • Fixed CGI mode, again.
  • Fixed a bug where regular expressions were not handled properly in the v6-to-v7 log format converter, resulting in issues with certain formats (including Squid).
  • Fixed bug where the memory usage of the web server process would continue to grow, especially for large table requests.

New features in 7.0b7:

  • Add language module versions of all field names. This means that where in previous versions, field names would appear in English in many cases, even if the language modules had been translated, in this version, all field names will be translated when they appear in the reports.

Version 7.0b6, shipped June 09, 2004

Bugs fixed in version 7.0b6:

  • Fixed a bug where clicking the browser's "back" button would lock in the current zoom report, so future zooms would go to that report regardless of what was selected.
  • Fixed a bug where zooming on a day of week, or an hour of day, would show a numerical value in the "zoomed into" display.
  • Fixed a bug where the total possible rows shown for Log Detail did not match the actual available rows, if a filter was active.
  • Fixed progress sequence bug with database updates.
  • Fixed bug where use of multiple log sources could result in a progress sequence error.
  • Fixed a bug where sorting by unique fields (like visitors) would cause an error

New features in 7.0b6:

  • Improved multiple log source progress to step through each log source smoothly.
  • Improved FTP log source progress to show progress as each file is processed.

Version 7.0b5, shipped June 05, 2004

Bugs fixed in version 7.0b5:

  • Fixed a bug where if a profile was modified, it would appear twice in the profile list.
  • Fixed some bugs with progress order, which could result in errors when displaying session pages, multi-column tables, or Log Detail.
  • Fixed a bug where floating point fields always sorted ascending, even if descending was requested.

Version 7.0b4, shipped June 03, 2004

Bugs fixed in version 7.0b4:

  • Added non-administrative access; users can now log in and view statistics without getting administrative access.
  • Added/fixed report cancellation, so clicking a button to display a different report while a previous report is being computed will cancel the computation of the previous report, rather than running it in the background until it completes.
  • Fixed a bug where passive mode FTP did not work.
  • Fixed table column alignment for Mozilla.
  • Fixed CGI mode.
  • Fixed a bug where screen dimensions were not reported properly.
  • Fixed a bug where date range filters could crash, or not work properly.
  • Fixed a bug where full-table queries could crash.
  • Fixed a bug where the Window service was named wrong, and sometimes didn't start properly.
  • Fixed bug where $1 variables could sometimes access the wrong variable.
  • Fixed several bugs in error messages
  • Fixed a bug which could cause an error about report_list while viewing statistics.
  • Fixed support for Netscape format-- added field names and report categories to make the reports look right.
  • Fixed a bug where dd/mmm/yyyy hh:mm:ss log date format was not permitted; this caused problems with Netscape format and others.
  • Fixed a bug where some of the numbers in Sessions overview were wrong.
  • Fixed a bug where the names of the formats in the log format list were all the same, in some situations.
  • Fixed a bug which could cause crashes when displaying session reports.

New features in 7.0b4:

  • Added a "list cache" which improves performance when managing unique items lists (visitor tracking) and main table indices.
  • Added final_step node to log format plug-ins, to perform arbitrary final actions. Implemented default reports and report menus using final_step (making it possible to customize reports and report_menu on a per-plug-in basis).

Version 7.0b2, shipped February 01, 2004

Bugs fixed in version 7.0b2:

  • [by request] Added/fixed error reporting, so if an error occurs while attempting to display a page, an error page is displayed instead. If an error occurs while attempting to generate a report, the error message is displayed (but not cached).
  • [by request] Fixed a bug where paths did not expand properly in "paths through the site".
  • [by request] Fixed a bug where filters did not "stick" beyond one click.
  • [by request] Added locking on changes file so threads can't step on each others' changes.
  • [by request] Fixed a bug where Filters were not displayed properly.
  • [by request] Fixed a bug where search engines and search phrases would not be displayed.
  • [by request] Fixed a bug where Calendar links did not work properly.

New features in 7.0b2:

  • [by request] Improved "zoom" in statistics to allow zooming into hierarchical views like "Pages/directories", and to support switching the view zoomed into, for easy zooming into one item and viewing the zoomed statistics in any view.
  • [by request] Fixed a bug where "main table" lookups were needlessly slow and memory-intensive, and often gave zero results when they shouldn't.
  • [by request] Added users-- you can now create multiple users with their own passwords and their own permissions. At the moment, this is limited to choosing an administrator username and password when you first log in, and logging in from then on with that username/password, but this feature will evolve to support non-administrative users who can only view statistics, and have access to only specific configurations.
  • [by request] Split "session" information into a separate cookie-controlled file per user, so simultaneous users no longer cause problems.
  • [by request] Added the "paths through a page" view (not yet in SQL).
  • [by request] Added the "session users" view (not yet in SQL).
  • [by request] Added the "session pages" view (not yet in SQL).
  • [by request] Implemented row sorting and number-of-rows menu.
© 2014 Flowerfire | Copyright | Privacy Policy | License Agreement | Terms of Use | Contact | Feedback | About
Sawmill Software
Sawmill Software
Back to Sawmill Home