
SAWMILL 8 VERSION HISTORY

This is the version history for Sawmill 8. The Sawmill 7 version history is here and the Sawmill 6 version history is here.

Version 8.0.1rc3, shipped December 24, 2008

Bugs fixed in version 8.0.1rc3:
  • Fixed a bug where once a trial license expired, Sawmill would not accept a new license.

  • Fixed a bug where a Sawmill 7 license would be called "invalid" instead of being reported as a valid older license, no longer valid for Sawmill 8.

  • Fixed the upgrade instructions in the README of some platforms, which were still describing the Sawmill 7 upgrade method.

  • Fixed a bug where Sawmill 8 would not install its service if Sawmill 7 was already installed, and would uninstall the Sawmill 7 service when Sawmill 8 was uninstalled.

  • Fixed a bug in the Create Profile wizard, which would cause an error if the Pathname was not literally a valid existing pathname, even if it contained wildcards which should have matched valid pathnames. This almost always caused wildcard or regular expression log sources to fail on profile creation.

  • Fixed a bug where wildcard and regular expression report filters did not work (generated an error when attempted) with Microsoft SQL Server profiles.

New features in 8.0.1rc3:

  • Added a separate chapter to the documentation about real-time importing.

  • Added a Support link to the Admin page.

  • Added the Salang expression of the current filter to the HTML of the report, as an HTML comment (useful for creating command-line or scheduled filters, or for debugging).

  • Chopped off the "rcN" part of the version number in the web interface, to make it look better.

  • Switched the default port of the web server to 8988. This makes it much simpler to run Sawmill 7 and Sawmill 8 together on the same system.

  • Enhanced support for ISA W3C format, to handle a significant variant (2007)

  • Added support for Unicode with Microsoft SQL Server as back-end database, so non-ASCII log data can be imported and stored in MS SQL, and queried from outside Sawmill.

Version 8.0.0rc5, shipped December 12, 2008

Bugs fixed in version 8.0.0rc5:

New features in 8.0.0rc5:

  • Changed the GUI concept from html frames to single pages.

  • Added report fields for more flexibility and fine tuning of report elements and table data.

  • Added a simplified date_filter syntax (e.g., 2m, last2m, etc.) for date/time filtering.

  • Added a new caching system which caches various report components and database data independently.

  • Added RBAC (Role Based Access Control)

  • Added support for sequential actions per schedule in scheduler.

  • Added a "Run Now" button in the Scheduler, to run any task immediately.

  • Added log fields editor

  • Added database fields editor

  • Added session fields editor

  • Added report fields editor

  • Added a new field wizard (which allows creating a log field, database field and report field at once)

  • Added URL support to view reports by URL definition by defining: profile name, report name, date filter, filter expression, filter comment

  • Added support to view any hierarchical depth of a hierarchical database field as a non-hierarchical report. This allows, e.g., viewing a months report or a region or city report. (These reports have been added by default.)

  • Added the calendar as optional report.

  • Added support to dynamically create a pivot table within the reports GUI

  • Added support for different sort field and sort direction of the drill down field.

  • Added support to drill down data on a table with multiple string fields.

  • Added a new date picker which combines single date, date range and relative date selection.

  • Changed the zoom concept in that zoom automatically adds the zoomed item to filters.

  • Added support to zoom to multiple items at once.

  • Added support to save filter items as filter group

  • Improved the filters editor.

  • Added support to email a report within the reports GUI

  • Added support to define the row numbers and aggregation rows when exporting a table within the reports GUI

  • Added min and max aggregation rows to tables.

  • Added a row_visibility_expression per report element. This expression allows showing or hiding table rows by an expression, e.g., show only rows where page_views > 300 and page_views < 1500.

  • Added support for a default date filter per profile.

  • Added support for a date filter per report or per report element.

  • Improved the Customize Report Element form/options.

  • Added table column info support.

  • Added table row selection support (to mark a row in yellow color).

  • Added support for 3D pie charts

  • Added support for antialiased PNG graphs

  • Added support for use of MS SQL or Oracle databases as back-end databases (where processed log data is stored, and reports generated from).

  • Added support for use of MS SQL, Oracle, or MySQL database as log sources

  • Implemented multiple scalability improvements, to allow Sawmill to process log data with less memory usage. These largely lift the restrictions of log processing on 32-bit systems, so any amount of log data can be processed without exceeding the address space of a 32-bit system.

  • Added real-time reporting. Reports can be generated while data is being imported, and will be up-to-the-moment, based on the latest imported data. Data can be streamed continually into the database, without any reporting downtime.

  • Implemented major SQL performance improvements, especially in the building of cross-reference tables, and in the performance of database update.

  • Enhanced the internal database to support SQL syntax, for universal SQL querying of any Sawmill database.

  • Added support for reading log data from a SFTP server

  • Added directory recursion on (S)FTP servers, so a log source can point to a directory, and all subdirectories will be processed.

  • Added filtering of reports on numerical fields; e.g., show all events where bytes > 1000

  • Implemented multiprocessor splitting of report queries: report calculations are split across multiple processors for better performance.

  • Enhanced multiprocessor and multi-system log processing. Log processing is now done more efficiently on a single system, and does not use the disk as much; it is also possible to split log processing across multiple "parsing servers" on the same network.

  • Added database import and export.

  • Added support for user-created actions (-a options), with fully customizable parameters and behavior.

Version 8.0.0b8rc8, shipped December 06, 2008

Bugs fixed in version 8.0.0b8rc8:
  • Fixed a bug which would cause an error when creating a BlueCoat W3C profile.

  • Fixed a bug where "start time" and "end time" were integers in imported MySQL profiles, rather than being formatted timestamps.

  • Fixed a bug where W3C log data (and other log data with header lines) would not be imported properly (some lines would be dropped) when using multiprocessor log parsing.

  • Fixed a bug where the "index" attribute of database fields (whether to index the database field) was not editable in the web interface.

  • Fixed a bug where the database name was required in Config -> Database -> Server, when it should have been optional.

  • Fixed a bug where the web interface did not have an option to *not* use distributed parsing.

  • Changed xref tables to be hierarchical by default, which results in faster report generation, especially for large datasets, but somewhat slower xref builds on import.

  • Improved performance of the "session pages" report, and other reports which use indexed joins internally.

  • Fixed a bug where the "use overview for totals" option had no effect.

  • Fixed a bug where the "use overview for totals" option was not editable from the web interface.

Version 8.0.0b7rc1, shipped November 30, 2008

Bugs fixed in version 8.0.0b7rc1:
  • Fixed a bug where the Reset/Collapse All button did not display properly in the Session Paths report.

  • Added the "Use Overview For Totals" option to the Config interface.

  • Added editing of the Index option to the Database Fields editor (to specify which database fields should be indexed).

  • Fixed multiple bugs in reporting, which caused errors when generating reports with a SQL database table prefix or suffix.

  • Fixed a bug where Windows pathnames were shown with slashes doubled, in error messages.

  • Fixed a bug where entering a directory pathname ending with a slash, then clicking Browse, would browse the parent of the directory, rather than the directory itself.

  • Fixed a bug where the Report Menu would not be displayed, when viewing a report with no elements.

  • Fixed a bug with Internet Explorer 7, where the Date Picker did not display properly.

  • Fixed a bug which caused an error when viewing reports for profiles with a database field called "from" (or other SQL keywords), e.g., Postfix.

  • Improved performance of Squid log processing.

  • Fixed a bug where the expiration date always appeared as Feb 4, 2008, in the Licensing page.

  • Added links to documentation examples, from the Report Filters editor.

  • Fixed a bug where Config -> Database -> Server required a database name to be entered, even though it should default to the profile name when empty.

  • Fixed a bug where the Date picker showed a red "undefined" as the first day of the week.

  • Fixed a bug where the ODBC form required a username to be entered, even if the DSN had one embedded.

  • Removed "log processing threads" from the web interface; it is deprecated.

  • Fixed a bug where some windows did not have title bars, in CGI mode.

  • Fixed a bug where CGI mode would fail when running queries, if they were large enough to be split across multiple processors.

Version 8.0.0b6rc1, shipped November 29, 2008

Bugs fixed in version 8.0.0b6rc1:
  • Fixed a bug where the Windows install included an unnecessary DLL in the installation directory.

  • Fixed a bug where the Calendar report was not enabled on imported v7 profiles.

  • Fixed a bug which could cause an "Unknown hash function" error when building some types of profiles, including Microsoft Media Server.

  • Fixed a bug which could cause progress reporting errors, if there was an error during a database build or report generation.

  • Fixed a bug which could cause a crash during autodetection, if there was an error in autodetection (instead of reporting the error).

  • Fixed a bug which could cause random results in the Overview, if the filter set contained no rows, and the database type was Microsoft SQL Server.

  • Fixed a bug where Microsoft SQL Server databases were not updated properly during a database update; in particular, the itemnum (normalization) tables were not updated.

  • Fixed a bug which could cause an error when zooming on session fields, and zooming to session reports.

  • Fixed a bug where MySQL databases were not imported successfully from Sawmill 7 profiles.

  • Improved autodetection of Instagate log format, so it doesn't detect Apache Combined as Instagate.

Version 8.0.0b5rc2, shipped November 27, 2008

Bugs fixed in version 8.0.0b5rc2:
  • Fixed a bug where relative date filters (e.g., "last 4 months") could cause an error.

  • Fixed a bug which could cause an error when displaying pivot tables with no data in them.

  • Fixed a bug which caused the Overview to contain random numbers, when there was no data in the filter set.

  • Fixed a bug which could cause incorrect numbers in the Sessions Overview, when there were no session events in the database.

  • Improved the performance of the Sessions Overview report.

  • Fixed a bug which could cause a very high "elapsed time" value (e.g., 39 years) to appear in the progress display at the beginning of some tasks.

  • Fixed a bug where MS SQL database updates did not automatically update the xref tables.

  • Fixed a bug where generating a PDF report could cause an error about "width:-8".

  • Fixed a bug where individual characters could be skipped during database updates.

New features in 8.0.0b5rc2:

  • Brought the plug-ins and their associated language information up-to-date with the latest Sawmill 7.

Version 8.0.0b4rc2, shipped November 25, 2008

Bugs fixed in version 8.0.0b4rc2:
  • Fixed problems with real-time profiles which prevented successive reports from showing the latest information.

  • Fixed several cosmetic issues with the bug report text.

  • Fixed a bug where FTP profiles could not process the log data, if there was no leading / in the pathname.

  • Fixed an issue which could cause errors during database builds, on some 32-bit systems (especially, Solaris).

  • Fixed a bug where the Use Sawmill icon was not properly removed on uninstall.

  • Fixed and improved the progress display for database builds.

  • Fixed a bug with v7-to-v8 profile conversion, which could cause an error when clicking Config -> Database.

  • Fixed a bug with the conversion of v7 MySQL databases to v8.

  • Fixed a bug where Sawmill did not see files in an FTP log source, in some circumstances (especially, when accessing a Microsoft FTP server).

  • Fixed a bug which could cause an error when viewing the Single-page summary with a session field filter.

New features in 8.0.0b4rc2:

  • Improved performance of filtered reports.

Version 8.0.0b3rc3, shipped November 23, 2008

Bugs fixed in version 8.0.0b3rc3:
  • Fixed an uninstaller bug where the Sawmill 8 icon remained on the desktop after uninstall.

  • Fixed/improved the progress display for database builds, so it includes all steps, and shows better descriptions of each step.

  • Fixed a bug with v7-to-v8 profile converter, which did not set up the database tuning options properly, resulting in an error when viewing the Database section of Config.

  • Fixed conversion of v7 MySQL database in the import wizard.

  • Fixed a bug where Sawmill could not see files on a Microsoft FTP server.

  • Fixed a bug which could cause an error when zooming on session fields, and displaying reports generated without cross-reference tables.

  • Fixed a bug where indices were completely rebuilt after database updates; they are now properly incrementally updated from the new data.

  • Fixed a bug which could cause a "duplicate key" error when viewing reports from a MS SQL database.

  • Added support for input of "node" licenses through the web interface.

  • Fixed bug where the database build would fail if no entries were accepted.

  • Fixed error which could occur when building from Microsoft Media Server logs.

  • Fixed a bug where CSV export in CGI mode had a broken link for the CSV file.

  • Fixed a bug which could cause an error when building a database from Ironport S-Series logs.

  • Fixed a bug where references to non-existent template pages would give an error "no node 'templates' in 'templates'".

  • Fixed the timestamp of emailed reports sent from Windows.

New features in 8.0.0b3rc3:

  • Improved performance of a common type of query on the internal database.

  • Reduced memory required by xref builds and other queries.

Version 8.0.0b2rc5, shipped November 19, 2008

Bugs fixed in version 8.0.0b2rc5:
  • Fixed bug which would cause a database build to abort with an error, if the -v f option was used, and a log field value contained a $.

  • Added ODBC driver manager libraries used by the x64 Linux (ES5) version, to eliminate a "libodbc.so not found" error.

  • Fixed a bug where "start time" and "end time" were formatted and named incorrectly in imported MySQL profiles.

  • Fixed a bug where some images were broken in CGI mode.

  • Fixed a bug where command-line authentication did not restrict profiles or permissions properly.

  • Fixed a bug where a "garbage" line appeared at the top of printer friendly pages.

  • Fixed a bug where the Database Info page would generate an error if the database no longer existed.

  • Fixed a bug which would cause a lang_stats error when reporting on PIX logs.

  • Fixed a bug which would cause an error when using "log processing threads" > 0 in Advanced tier.

  • Fixed a bug which could cause an error with Log Detail, for certain datasets.

  • Fixed a bug where CGI mode did not display reports.

  • Fixed an installer issue where a necessary DLL (libeay32.dll) was not installed properly on 64-bit Windows.

  • Fixed a bug which would cause an error when filtering on items containing a backslash.

  • Fixed a formatting problem of the date in the licensing page.

  • Greatly improved performance of filtered reports which must query the main table.

  • Fixed a bug where the Cross Reference Groups editor showed "undefined" next to all numerical fields.

  • Fixed a bug where the Session Exits field did not have a default "Session field" value in the report fields editor.

  • Fixed a bug where the charset could not be changed in the Log Processing options.

  • Fixed a bug where passwords were not masked when entering SQL database information.

  • Fixed a bug where the Send Email window in the Scheduler incorrectly asked for an "output directory."

  • Fixed a bug where the Import Wizard did not report the error message, in the case of an import failure.

  • Fixed a bug where the text "Saving..." appeared below (or above) reports, and messed up the zoom formatting somewhat.

Version 8.0.0b1rc3, shipped August 07, 2004

Bugs fixed in version 8.0.0b1rc3:

New features in 8.0.0b1rc3:

  • Changed the GUI concept from html frames to single pages.

  • Added report fields for more flexibility and fine tuning of report elements and table data.

  • Added a simplified date_filter syntax (e.g., 2m, last2m, etc.) for date/time filtering.

  • Added a new caching system which caches various report components and database data independently.

  • Added RBAC (Role Based Access Control)

  • Added support for sequential actions per schedule in scheduler.

  • Added a "Run Now" button in the Scheduler, to run any task immediately.

  • Added log fields editor

  • Added database fields editor

  • Added session fields editor

  • Added report fields editor

  • Added a new field wizard (which allows creating a log field, database field and report field at once)

  • Added URL support to view reports by URL definition by defining: profile name, report name, date filter, filter expression, filter comment

  • Added support to view any hierarchical depth of a hierarchical database field as a non-hierarchical report. This allows, e.g., viewing a months report or a region or city report. (These reports have been added by default.)

  • Added the calendar as optional report.

  • Added support to dynamically create a pivot table within the reports GUI

  • Added support for different sort field and sort direction of the drill down field.

  • Added support to drill down data on a table with multiple string fields.

  • Added a new date picker which combines single date, date range and relative date selection.

  • Changed the zoom concept in that zoom automatically adds the zoomed item to filters.

  • Added support to zoom to multiple items at once.

  • Added support to save filter items as filter group

  • Improved the filters editor.

  • Added support to email a report within the reports GUI

  • Added support to define the row numbers and aggregation rows when exporting a table within the reports GUI

  • Added min and max aggregation rows to tables.

  • Added a row_visibility_expression per report element. This expression allows showing or hiding table rows by an expression, e.g., show only rows where page_views > 300 and page_views < 1500.

  • Added support for a default date filter per profile.

  • Added support for a date filter per report or per report element.

  • Improved the Customize Report Element form/options.

  • Added table column info support.

  • Added table row selection support (to mark a row in yellow color).

  • Added support for 3D pie charts

  • Added support for antialiased PNG graphs

  • Added support for use of MS SQL or Oracle databases as back-end databases (where processed log data is stored, and reports generated from).

  • Added support for use of MS SQL, Oracle, or MySQL database as log sources

  • Implemented multiple scalability improvements, to allow Sawmill to process log data with less memory usage. These largely lift the restrictions of log processing on 32-bit systems, so any amount of log data can be processed without exceeding the address space of a 32-bit system.

  • Added real-time reporting. Reports can be generated while data is being imported, and will be up-to-the-moment, based on the latest imported data. Data can be streamed continually into the database, without any reporting downtime.

  • Implemented major SQL performance improvements, especially in the building of cross-reference tables, and in the performance of database update.

  • Enhanced the internal database to support SQL syntax, for universal SQL querying of any Sawmill database.

  • Added support for reading log data from a SFTP server

  • Added directory recursion on (S)FTP servers, so a log source can point to a directory, and all subdirectories will be processed.

  • Added filtering of reports on numerical fields; e.g., show all events where bytes > 1000

  • Implemented multiprocessor splitting of report queries: report calculations are split across multiple processors for better performance.

  • Enhanced multiprocessor and multi-system log processing. Log processing is now done more efficiently on a single system, and does not use the disk as much; it is also possible to split log processing across multiple "parsing servers" on the same network.

  • Added database import and export.

  • Added support for user-created actions (-a options), with fully customizable parameters and behavior.

Version 7.2.15, shipped May 16, 2008

Bugs fixed in version 7.2.15:
  • Fixed bug in the Helix Universal Server (Style 5) Log Format where the File Time field was being treated as milliseconds while the Sent Time field was being treated as seconds. According to documentation at real.com, both fields contain times expressed in seconds.

  • Fixed a bug which could cause a crash (which would appear in the Sawmill GUI as a hang) when autodetecting data on an FTP or HTTP server.

  • Fixed memory leak which could occur in various circumstances; the specific known circumstance occurred when building a database from a profile with more than 1500 log sources, which caused more than 1GB of memory to be used.

  • Fixed a bug where the number of visitors could be overstated by 1 in Microsoft Media Server log format.

  • Fixed a bug in the Critical Path POP3/IMAP plug-in which could cause an error when creating a profile.

  • Fixed a bug where the "day of year" and "week of year" fields split the day at 23:00, instead of 0:00, on days under daylight savings time.

  • Fixed a bug where subtable Table options were not saved and restored properly, when editing a "table with subtable" report in the report editor.

  • Fixed a bug in RACF Security log format, which prevented it from importing the final record in a file.

  • Fixed a bug in RACF Security log format, which prevented it from importing lines where the username contained no spaces.

  • Fixed a bug in IronPort C-Series parsing, where SBRS rejects were not reported.

  • Fixed incorrect reporting of sessions in the Flash Media Server plug-in by only creating session events when x-event eq disconnect and x-category eq session.

  • Fixed bug in Sidewinder analysis (logged to firewall) which caused incorrect dates when there was a date= field listed.

  • Fixed a bug where certain filters (especially, ORs of "within" filters) could cause main table scans, when they could have been handled by xrefs. This made some filtered reports slower than they should have been.

New features in 7.2.15:

  • Enhanced Sawmill.app (on Mac) to detect when there is a running installation of Sawmill already, and give an appropriate error message (rather than hanging while it waits to bind to the port).

  • Deprecated the "maximum CPU usage percent" option. The option never worked very well, and has done absolutely nothing since Sawmill 7.0.0, so it serves no purpose. Instead, use operating system priorities to minimize the impact of Sawmill's CPU usage on other processes.

  • Added support for CP Secure Content Security Gateway log format.

  • Added support for a new version/variant of Aruba Wireless Switch.

  • Added tracking of "Context" lines in Citrix Netscaler log format.

  • Added support for Unix Auth log format.

  • Added support for Unix Cron daemon log format.

  • Added tracking of VOF quarantine lines in IronPort C-Series logs.

  • Added reporting of Amavis information in Postfix logs.

  • In the Kiwi YYYYMMDD Comma Syslog plug-in, added stripping of double quotes from around the syslog message since these can break autodetection. If the message is quoted, the plug-in also now changes doubled double quotes back to single double quotes. Doubling is the way Kiwi escapes them.

  • Added support for a new FortiGate 100 Firewall format with additional fields to the FortiGate Comma Separated Log Format plug-in.

  • Added support for Symantec Gateway Security Log Format (via syslog).

  • Added alias domain reporting to Microsoft Exchange 2000 log format.

  • Added support for automatic charset conversion of search engines which do not use UTF-8 in their search URLs (specifically, Yandex).

  • Added reporting of MailScanner lines in Postfix log data.

  • Added a new plug-in to support the SNARE Epilog Collected Oracle Listener log format. The plug-in was contributed by a Sawmill user.

  • Expanded the plug-in for the Nortel Meridian 1 Automatic Call Distribution (ACD) log format to include some additional fields from the logs and an additional graph in the Date/Time reports.

  • Added session analysis to the Flash Media Server plug-in for the purpose of reporting the Maximum Concurrent Connections.

  • Added support for the Users field and a Unique Users numeric field to the Proxy Plus log format plug-in.

  • Added support for Tipping Point SMS Log Format.

  • Added reporting for ARP request and ARP reply lines in Cisco VPN Concentrator.

  • Added support for AspEmail (Active Server Pages Component for Email) log format.

  • Fixed a problem with Cisco VPN Concentrator log format, which caused certain "disconnected" lines to be ignored.

  • Added support for tracking/reporting of the usr field in SonicWall format.

  • Changed label for the Barracuda Spyware Firewall Log Format plug-in to Barracuda Spyware Firewall / Web Filter Log Format to reflect new product name. Added support for standalone (no syslog header) format. Added support for lines where the action is "sniff" instead of "httpscan". Added Action report.

  • Made extensive changes to the Anti-Spam SMTP Proxy (ASSP) log format plug-in. Messages, which are described on multiple lines of the log, are now captured in one database entry so reports are more clear and counts are more accurate. These changes apply to log formats for 1.3.3.1, 1.3.3.8 (and in between, presumably, though they have not been tested). Reports for earlier versions of ASSP that have a different log structure are not changed.

  • Enhanced the JBoss application server plug-in to support a slight variant.

Version 7.2.14, shipped March 26, 2008

Bugs fixed in version 7.2.14:
  • Fixed a bug in the IceCast Log Format plug-in where the User Agent field was not being set causing the fields that are derived from it, such as Web Browser, to be empty.

  • Fixed a date/time parsing bug in Barracuda Spam Firewall, where some lines were reverting to the syslog collected date/time instead of the Barracuda's date/time.

  • Fixed a bug in the FirePass SSL VPN Log Format caused by an incorrect variable name. The bug would only have been seen if lang_stats.cfg did not have the firepass_ssl_vpn status code mapping section.

  • Fixed a memory leak which could cause very high memory usage when building a MySQL-based database from a database with many unique values in one or more fields.

  • Fixed a bug in the Unix Syslog With Year plug-in where the syslog message was being lost.

  • Fixed a bug which could cause an error in various circumstances (but usually when building a database) on 64-bit Windows, when one of the mapped files in the internal database exceeded 2GB. This is rare, but can happen to the indices if the "main table segment size" option is set to a very high value.

  • Fixed a bug in the parsing regular expression where the report of multiple Stats or square brackets in the client_info field would cause the entry to be rejected.

New features in 7.2.14:

  • Changed the IceCast Log Format plug-in to get the duration in seconds from the duration field instead of calculating the duration from the size and an assumed speed. Apparently the duration field was not available at the time the plug-in was first created so a workaround was used.

  • Enhanced Ironport C-Series plug-in to extract more information about antivirus scanning.

  • Added support for charset conversion on 64-bit Windows.

  • Enhanced Tipping Point IPS log format to handle log lines generated by the 2.4.3 firmware revision.

  • Added support for OpenVPN log format.

  • Added support for CRYPTO lines in Cisco PIX/IOS/etc. format.

  • Added a new "Save To Menu" button to the Reports page, to save a filtered report directly to the reports menu.

  • Added support for a format variation with a date as well as a time to the Windows 2003 DNS Log Format plug-in and increased the flexibility of the autodetect regular expression.

  • Added support for Tipping Point 2.5.3 log format.

  • Improved performance of hierarchy builds for MySQL databases. With this change, the time to build the hierarchies for a specific database with 16 million unique IPs dropped from 2:15 hours to 0:40 hours.

  • Added a new profile option, "Use Overview For Totals." This option controls a recent new feature, which computes the Total rows of a report using an Overview report. In recent versions (since 7.2.10), this option has always been turned on; with this version, it is optional, and disabled by default. Turning this option on gives correct totals of "unique" and calculated columns in tables, and correct percentages for unique rows, if they are shown, but can severely hurt performance for some very complex reports, when the "remove parenthesize items" option is turned off for the report. Even under normal circumstances, this option makes reports two times slower. So as of this version, this option is off by default, and the Totals row is computed by summing the table by default. When this option is off, unique columns will show a dash in the totals row and calculated columns will show a zero.

Version 7.2.13, shipped February 21, 2008

Bugs fixed in version 7.2.13:
  • Fixed a bug which could prevent scheduled tasks from running.

  • Restructured the plug-in for the NetScreen Log Format in order to improve performance and fix a bug where a variable that was set if the log line matched the supported format was being accessed whether it matched or not. Also improved performance by omitting the message field where the message consists of key/value pairs that are extracted into other fields.

New features in 7.2.13:

  • Enhanced "LogSat SpamFilterISP Log Format B500.9" to support a slight variant.

  • Renamed the field/report message_id to queue_id in the Postfix Log Format plug-in and added a report for the field actually called message-id in the logs. Improved the efficiency of mapping from the spamd mid field to the postfix message-id field. (There was existing limited support in this plug-in for reporting on spamd along with Postfix where they are logged to the same syslog.)

Version 7.2.12, shipped February 15, 2008

Bugs fixed in version 7.2.12:
  • Fixed two bugs in the bytes and stream bytes calculations in the Flash Media Server Log Format plug-in where typos caused an error in the results and caused an error message if the log didn't have the c-client-id field.

  • Fixed a bug in NetCache NetApp 5.5 format, where date/time values would not be parsed correctly for MySQL databases.

  • Fixed a bug which could cause a checksum error when accessing the web interface, if there were unknown CFV files in the templates folder. This could happen when upgrading from an earlier version of Sawmill.

  • Fixed a bug with Apache Combined which would show all 0's if hits was not selected.

  • Fixed a bug with Ironport (mail) format, where multi-RID messages would be reported as a list of RIDs, instead of being reported as each individual RID.

  • Fixed parsing problem in cases where parse_only_with_filters was false, but parsing filters use accept/collect.

  • Fixed bug where backslashes in wildcard expressions were treated as escapes, instead of being treated as literal backslashes.

  • Fixed a bug in Cisco NetFlow (flow-export) format, where the total rows were incorrect for some fields, on some platforms.

  • Improved the efficiency of connection tracking for the Maximum Concurrent Connections report in the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format plug-in because it was causing performance problems during the database build.

New features in 7.2.12:

  • Added a mime_types.cfg file in LogAnalysisInfo/miscellaneous, which lists the filename extensions and corresponding MIME types recognized by the built-in web server (previously, this was hard-coded and uncustomizable).

  • Improved the efficiency of tracking bytes and stream bytes totals in the Flash Media Server Log Format plug-in because the current method caused performance problems during database build. The old method used nodes and the new method uses set_collected_field where collected entries expire if they are not accepted. The trade-off is the small risk of skewing results if there are very long connections. The number of log lines after which to expire the collected entries can be adjusted.

  • Added support for the Mirror Image Flash Media Server Log Format.

  • Added support for Bomgar Box log format.

  • Fixed bug where "-v f" output would generate an error if log filters used replace_first() or replace_last().

  • Added support for FirePass SSL VPN Log Format.

  • Added support for Cisco IPS log format.

  • Enhanced SafeSquid plug-in to handle the new Extended format from 4.2.1+.

  • Added support for Sophos Web Appliance.

  • Added facility/severity/mnemonics fields to Cisco PIX.

  • Added a report for Maximum Concurrent Connections to the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format. This report is based on keeping track of a count of open connections for each device.

  • Added support for McAfee Secure Messaging Gateway (SMG).

  • Added support for non-AM/PM times in Windows NT4 Event Log Format (save as-CSV).

  • Added support for Guardix Log Format (IPFW).

  • Added support for a new variant of IIS SMTP W3C logs.

  • Enhanced Exim 4 log format support to handle a variant.

  • Fixed a bug in Syslog NG (no zone) to remove leading space from syslog message.

  • Greatly improved performance of "NOT" report filters in most cases, when using the internal database. This is particularly important because as of 7.2.11, any report which omits parenthesized items (which is most of them) uses a "not" filter implicitly. This especially affects large databases. In one example, it increased the speed of the "day of week" report from 5 minutes to 12 seconds.

  • Enhanced dumpel log format to show event code categories and descriptions for common event codes.

Version 7.2.11, shipped November 30, 2007

Bugs fixed in version 7.2.11:
  • Fixed a bug where the "omit parenthesized items" option did not work for the session users report.

  • Fixed a bug where log data with repeated $ characters in it could cause a crash, if the "f" option was used for -v for a command-line build.

  • Fixed a bug which could cause an error when rebuilding database hierarchies with "-a rdh".

  • Fixed a bug which could cause the error "Expression not supported by field limits (OR across fields)" when using certain advanced filter expressions in the web reporting interface.

  • Fixed a bug where matches_regular_expression would not set $N variables above $M, if $M was not defined by the expression, e.g. through the use of ()? or ()*.

  • Fixed a bug in the "beta" IronPort plug-in, which could cause very high memory usage during log processing.

  • Fixed a bug which would cause incorrect durations to be reported when the "date offset" option was used with Shoutcast W3C.

  • Fixed a bug where DNS lookup would attempt to look up "..." as though it were an IP address, resulting in DNS errors.

  • Fixed a bug in "create many profiles" which would cause an error like "Couldn't find node 'clone1' in profiles" if the profiles to be created did not already exist.

  • In the Flash Media Server Log Format plug-in, corrected calculations for sc_bytes, sc_stream_bytes and cs_stream_bytes, based on the way cs_bytes was calculated. Because the log keeps a running total of these values, the previous accumulated value must be subtracted from the current value for each event to prevent a huge, incorrect total from being shown in reports. Also restored the fix where the filters that do these calculations use c_ip where c_client_id is not available.

  • Fixed a bug which caused FTP log source error messages in cases where the server split single control response lines into multiple packets (uncommon).

  • Improved the efficiency of the bytes and stream bytes calculations in the Flash Media Server Log Format plug-in because they were hurting the performance of database builds.

  • Made autodetection more restrictive in the Apache/NCSA Combined Format With Cookie Last plug-in in order to prevent other log formats from autodetecting as this one.

  • Fixed bug with flash media server logs which could cause an error during database build, if the stream_duration field was not checked when creating the profile.

  • Fixed bug which would cause an error with Netscape logs when there was no page field logged.

  • Fixed a bug where session reports did not work in a profile without a "page" field, when using a MySQL database.

  • Fixed bug which could cause crashes during long log processing, or during long database updates, involving many files.

  • Fixed a bug where clicking Browse would cause an error if a CSV filename was in the field.

New features in 7.2.11:

  • Enhanced the Barracuda Spyware Firewall plug-in to extract domain, category, and username fields, when available.

  • Enhanced Net-Acct to handle a variant.

  • In Syslog NG, added support for dates in the format "2007-08-23T15:02:28+02:00".

  • Added support for Windows Event Log (comma or tab delimited, no am/pm, 24h & ddmmyyyy) Log Format.

  • Enhanced NetCache NetApp support to recognize version 6 logs.

  • Added support for hMailServer log format.

  • Improved Filezilla Server format to support single-digit months and days.

  • Renamed all formats and plug-in files with "beta" in the name because the process of identifying stable plug-ins is changing.

  • Enhanced ASSP log format: Added support for 1.3.3.1 logging (almost complete rewrite); added support for old logging style.

  • Enhanced NetCache NetApp 5.5+ format to report streaming log data better.

  • Added support for the Cisco Wide Area Application Services (WAAS) TCP Proxy Log Format.

  • Moved newly added reports for derived fields to the appropriate groups in the report menu for the Apache Custom Log Format.

  • Added an option to display bytes using base-10 (1000-based) units, rather than base-2 (1024-based) units.

  • Added support for a new type of node file, ending with .cfga ("configuration group additions"), which is layered on top of its similarly-named .cfg file, to automatically create a node different from the original CFG file, without requiring editing of the original CFG file.

  • Added auto-expansion of {==} sections in local log source pathnames.

  • Changed the name of the log field error to error_message in order to fix a bug in the Apache Error Log Format plug-in that was introduced by a UI change that causes an error when log fields have the same name as Salang functions.

Version 7.2.10, shipped August 04, 2007

Bugs fixed in version 7.2.10:
  • Fixed a bug in the "beta" plug-in for "Juniper Secure Access SSL VPN Log Format" where user agent information was not being extracted properly.

  • Added support to the Kiwi Syslog (ISO/Sawmill) plug-in for repeated lines if Unix Syslog (only one format variant so far) is logged to Kiwi Syslog.

  • Fixed a bug where database deletion (and profile deletion) would fail on Unix or MacOS systems, if the database directory contained a file starting with a period.

  • Fixed a bug which would cause a crash during log processing, when processing gzip files which were corrupt in certain ways (valid gzip files cause no problems).

  • Fixed a bug where {= =} or $ sections were not handled properly in the output directory option of the Scheduler, while generating HTML reports.

  • Fixed a bug which would cause an error when clicking an individual session in the Individual Sessions report, when using a MySQL database, with any log format where the session visitor ID field is not called "hostname".

  • Fixed a bug which could cause an "empty node error" when processing Symantec AntiVirus Corporate Edition logs, if the encrypted time field was less than 12 characters long.

  • Fixed a bug in the BETA IronPort plug-in, where if the log was not generated through syslog, and contained a timestamp header, all entries would be discarded.

  • Fixed a bug in the BETA IronPort plug-in, where if there was no "log" tag in the data, all entries would be rejected.

  • Fixed bugs in the Watchguard XML Log Format plug-in: Fixed bug in filter add_dstname_arg where wrong field name was used and url was not found. Changed filter to not concatenate dstname and url (arg) if either is empty. Mapped field names rcvd_bytes and sent_bytes to recv and sent since at least one format variation has these instead.

  • Fixed a bug which caused an error when using { or } characters in wildcard expressions.

  • Added BETA support for Visonys Airlock log format.

  • Fixed a bug where database builds could repeat, in CGI mode, building over and over, if Talkback was turned on.

  • Fixed the "beta" Barracuda spam firewall plug-in to track logging devices.

  • Fixed a bug with Sawmill's encoding of MIME emails (HTML reports) which could cause Amavis (and possibly other spam filters) to flag Sawmill's report emails as spam.

  • Fixed a bug where the filters for Remove Database Data were not logged correctly to TaskLog.

  • Fixed a bug which would cause an error ("Unable to delete file seendata") when doing a multiprocessor build, if the dataset was very small (less than the size of thread_data_block_size, which is 1MB by default).

  • Fixed a bug where the session duration did not match the play duration, in Microsoft Media Server analysis, if there was a custom log filter on the cs_uri_stem field.

  • Fixed a bug in Microsoft Media Server plug-in, where session durations would be reported incorrectly if a date offset was specified in the profile.

  • Fixed a bug which caused an error when building a MySQL database, if the profile contained a field called connection_id.

  • Fixed a bug which caused the TaskLog entry from a database build or update to report the bytes processed in the last log source, rather than the full bytes processed.

  • Fixed a bug where profiles would not be removed properly from non-administrative users, if the username contained unusual characters, and command-line authentication was used.

  • Fixed a bug which caused an error "Expression not supported by field limits (OR across fields)" when using complex filters on the Overview.

  • Fixed a bug which could cause duplicate rows in report tables, for very large datasets.

  • Fixed a bug where command line execution would fail quietly, without doing anything, if there was no valid license installed.

  • Fixed a bug in the beta NetScreen format where a key value pair on a line with no logging category could be placed in the category field.

  • Fixed/enhanced the beta Postfix format to reduce memory usage, and improve performance with large datasets.

  • Fixed bug in the beta IIS SMTP W3C Log Format where some data could carry over from earlier connections for the same Client IP.

  • Fixed a bug in the IronPort Log Format (BETA) where aborted entries were not being accepted.

  • Fixed problems with rekeying and duration tracking in "CT Mod 10 Nortel Contivity Log Format". (Note that there is an improved version of this plug-in called "Nortel Contivity Log Format (BETA)".)

  • Fixed a bug which would cause an error in a report, if you removed the column in the Report Editor which was the "sort by" column.

  • Fixed a bug which could cause errors when exporting CSV reports from the web interface, in CGI mode.

  • Changed name of plug-in "Microsoft ISA WebProxy Log Format (W3C)" to "Microsoft ISA Server Log Format (W3C)" to reflect correct product name (ISA Server replaced ISA Proxy). Fixed bug in and simplified autodetection. Added new possible W3C fields to groups to organize reports menu.

  • In the Quicktime/Darwin Streaming Server Log Format, changed type of x_duration and all fields with pkt in the name (packet fields) to float to handle large values.

  • Fixed a bug where Windows error messages containing "\" would be displayed without the "\", or Windows error messages containing "\t" would be displayed with "__TAB__" in place of "\t".

  • Fixed a bug where the Log Detail showed 12-hour times instead of 24-hour times, when using a MySQL database.

  • Fixed a performance problem where processes waiting to access files locked by other processes would use CPU, instead of waiting quietly.

  • Fixed a bug which could cause crashes during report generation.

  • Fixed a bug which would cause authentication failures on Windows, if the password contained a & character.

  • Fixed a bug where the number of session users was miscounted in Session Overview report, resulting in one fewer one-time users being reported than there actually were, or one fewer repeat users being reported than there actually were.

  • Fixed a bug where values formatted with "duration" format (the long duration format) would end in commas if there were 0 seconds.

  • Fixed a bug in IronPort where log entries would be rejected if the "log file" field contained a space.

  • Fixed a bug where a static report could be generated while a database was being updated, resulting in erroneous reports.

  • Fixed a bug with Blue Coat W3C, which caused a bogus report to be created when certain fields were missing, causing an error when creating a new report.

New features in 7.2.10:

  • Added report group for "Security" related reports to menu to beta "SonicWall or 3COM Firewall Log Format".

  • Added beta support for version 2.9.8 to the DansGuardian 2.9 Log Format.

  • Added beta support for Sun ONE Directory Server 5.2. It is greatly enhanced from the Netscape Directory Server Log Format, but should continue to work with Netscape Directory Server 5.1.

  • Enhanced IIS SMTP W3C Log Format: Added support for a new log format variant; Added operation and server_response fields and connect/disconnect counts.

  • Added "BETA" support for the Foundry Networks Log Format. This plug-in is based on the Foundry Networks BigIron plug-in and maintains support for BigIron while adding support for ServerIronXL.

  • Added "BETA" support for the Merak SMTP Log Format. Support is added for a format where the date is taken from the log file name and is not found in the log. Backward compatibility is maintained with the version supported by the existing Merak SMTP plug-in.

  • Enhanced praudit "BETA" plug-in to handle a single digit day in the date and simplified autodetection.

  • Enhanced the "beta" plug-in for "Juniper Secure Access SSL VPN Log Format": Improved session tracking by identifying more events which could be considered the end of a session. This will result in a more accurate "Maximum Concurrent Sessions" number.

  • Enhanced the plug-in for the Aventail Web Access Log Format to allow syslog and to strip layered syslog entries in the case where Unix Syslog logs to Kiwi Syslog. (Non-syslog logs are still supported by selecting "no syslog header" as the syslog type.)

  • Enhanced Watchguard XML plug-in to handle a few new fields.

  • Added support for ichain format.

  • Added support for a slight variant of Cisco VPN Concentrator.

  • Added "beta" support for the ipop3d Mail Daemon Log Format (BETA).

  • Added support for some types of "crashinfo" events for Cisco PIX/ASA/Router/Switch Log Format (BETA).

  • Improved FreeRADIUS to support all-capital month names.

  • Enhanced support for the Firebox x1000 format (among possible others) in the Watchguard Log Format plug-in. More types of TCP flags and lines with multiple TCP flags are now supported. A file with flags on all lines will now autodetect. The field "parameter" is now called "flags" to reflect its actual use.

  • Added support for version 5.2 to the Aladdin eSafe Sessions Log Format v5 plug-in and split the "File Name\Mail Subject" field based on the value of File Type, that is, if there is a file type, assume it is a file name, otherwise it is a mail subject.

  • Enhanced the Zyxel Firewall WELF Log Format to support newlines in the "msg" field. Without this support, information, such as Anti-Virus info, that followed the "msg" field was lost.

  • Increased number of lines examined during format auto-detection to 100 in "Oracle Listener Log Format".

  • Enhanced Symantec AntiVirus Corporate Edition plug-in to rewrite several additional fields to human-readable values.

  • Added enhanced error detection and reporting during Send Bug Report, so errors contacting the SMTP server to send a bug report, or other errors during the process, are reported in the web browser page when the bug report is submitted.

  • Enhanced the "Novell iChain Extended (W3C) Web Server Log Format" plug-in.

  • Enhanced the Amavis log format plug-in.

  • Enhanced the Apache Combined (syslog required) log format plug-in to handle a slight variant.

  • Added parsing of Anti-Spam and Anti-Virus log lines to the NetScreen Log Format (BETA).

  • Enhanced Filezilla Server format to handle a new variant.

  • Enhanced IIS SMTP W3C format to include bytes transferred.

  • Changed field name "hits" to more accurate "events" in "Oracle Listener Log Format".

  • Added beta support for the IBM Tivoli NetView Log Format.

  • Added support for SurfControl "URL BLOCKED" entries to the beta NetScreen Log Format.

  • Added support for a new variant of EIMS SMTP (24 hour) Log Format.

  • Enhanced the "beta" postfix plug-in to handle a slight variant.

  • Improved Limelight plug-in; added better field labels.

  • Enhanced the "beta" IIS SMTP W3C Log Format to support another format variant. It now collects the server response from server response lines or from the sc-status field, whichever is available. It also now collects client-to-server bytes and server-to-client bytes from DATA and BDAT operations.

  • Enhanced the Juniper Secure Access SSL VPN Log Format (BETA) plug-in to allow users to configure the Host Checker rule and policy names for which passes and failures are counted.

  • Added "beta" support for the BroadWeb NetKeeper Log Format.

  • Added url field and associated derived fields and log filters to the Juniper Secure Access SSL VPN Log Format.

  • Added support for a log format variant that has no "Incoming client version" lines to "CT Mod 10 Nortel Contivity Log Format". (Note that there is an improved version of this plug-in called "Nortel Contivity Log Format (BETA)".)

  • Added support for a log format variant that has no time stamp to "Nortel Contivity Log Format (BETA)". (Note that there is an earlier version of this plug-in called "CT Mod 10 Nortel Contivity Log Format".)