Download Sawmill 8.8.1
30 Days Free Trial
Home Products Downloads Purchase Support About About
Sawmill Sawmill



Sawmill has plug-ins to support the following log formats:


Sawmill is a IWI CWAT log analyzer (it also supports the 1021 other log formats listed to the left). It can process log files in IWI CWAT format, and generate dynamic statistics from them, analyzing and reporting events. Sawmill can parse IWI CWAT logs, import them into a MySQL, Microsoft SQL Server, or Oracle database (or its own built-in database), aggregate them, and generate dynamically filtered reports, all through a web interface. Sawmill can perform IWI CWAT log analysis on any platform, including Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, other UNIX, and others.

Sawmill stores the following non-numerical fields in its database for IWI CWAT, generates reports for each field, and allows dynamic filtering on any combination of these fields:

Field  Internal Name
   date/time  date_time
   day of week  day_of_week
   hour of day  hour_of_day
   site ID  site_id
   site name  site_name
   last alert time  last_alert_time
   alert level  alert_level
   power on  power_on
   logon  logon
   power off  power_off
   high  high
   medium  medium
   low  low
   pending  pending
   checking  checking
   processed  processed
   no action  no_action
   alert ID  alert_id
   alert sequence  alert_sequence
   alert date  alert_date
   alert status code  alert_status_code
   alert status  alert_status
   process ID  process_id
   thread ID  thread_id
   machine time  machine_time
   sequence number  sequence_number
   CWAT node management ID  cwat_node_management_id
   alert IP  alert_ip
   alert location  alert_location
   MAC address  mac_address
   flag under OM management  flag_under_om_management
   process name  process_name
   log number  log_number
   alert type  alert_type
   policy ID  policy_id
   policy category  policy_category
   policy name  policy_name
   operation  operation
   suspicious event score  suspicious_event_score
   suspicious event day  suspicious_event_day
   suspicious event time  suspicious_event_time
   suspicious event score statement  suspicious_event_score_statement
   node usage type  node_usage_type
   logon user  logon_user
   domain  domain
   bus discrimination ID  bus_discrimination_id
   bus peculiar code  bus_peculiar_code
   device discrimination ID  device_discrimination_id
   device peculiar code  device_peculiar_code
   bus status  bus_status
   output file size  output_file_size
   output file name  output_file_name
   startup shutdown process name  startup_shutdown_process_name
   window name  window_name
   source file name  source_file_name
   dest file name  dest_file_name
   install app name  install_app_name
   dest installation  dest_installation
   book name  book_name
   keyword  keyword
   screenshot info  screenshot_info
   protocol  protocol
   source port  source_port
   destination port  dest_port
   source address  source_address
   destination address  dest_address
   sourcemac  sourcemac
   destination MAC  dest_mac
   communication type  communication_type
   unregistered node IP  unregistered_node_ip
   unregistered node mac  unregistered_node_mac
   last shutdown  last_shutdown
   packet data  packet_data
   tampered log name  tampered_log_name
   os time after tamper  os_time_after_tamper
   hostname  hostname
   machine alert ID  machine_alert_id
   alert event type  alert_event_type
   device name  device_name
   media name  media_name
   application ID  application_id
   recipient  recipient
   CC  cc
   bcc  bcc
   sender  sender
   subject  subject
   send time  send_time
   mail size  mail_size
   mail count  mail_count
   mail body  mail_body
   attachment presence  attachment_presence
   attach name  attach_name
   attach size  attach_size
   user group  cwat_location
   keyboard operation  keyboard_operation
   clipboard type  clipboard_type
   clipboard information  clipboard_information
   alert status update time  alert_status_update_time
   record update time  record_update_time
   action date  action_date
   operator  operator
   action contents code  action_contents_code
   action contents  action_contents
   action result code  action_result_code
   action result  action_result
   auto mnl action code  auto_mnl_action_code
   auto mnl action  auto_mnl_action
   CWAT standard time action  cwat_standard_time_action
   sequence number action  sequence_number_action
   alert id action  alert_id_action
   user name action  user_name_action
   comment  comment
   update time  update_time
   policy version  policy_version
   virus check result code  virus_check_result_code
   virus check result  virus_check_result
   virus check start time  virus_check_start_time
   virus check complete time  virus_check_complete_time
   alert month  alert_month

Sawmill stores the following numerical fields in its database for IWI CWAT, aggregating them and including them as columns in most reports:

Numerical Field  Internal Name
   events  events
   output file size  output_file_size
   attach size  attach_size
   alert count  alert_count
   node count  node_count
   high priority events  high_priority_events
   medium priority events  medium_priority_events
   low priority events  low_priority_events

See Sawmill Features to learn more about Sawmill's options for viewing, customizing, filtering, exporting and scheduling IWI CWAT reports.

Sawmill also supports 1021 other log formats.

© 2024 Flowerfire | Copyright | Privacy Policy | License Agreement | Terms of Use | Contact | Feedback | About
Sawmill Software
Sawmill Software
Back to Sawmill Home