Intersect Alliance Snare

Sawmill plug-ins allow Sawmill to read ASCII text-based logs that are saved to a folder Sawmill can read locally (including mapped or mounted filesystems) or that are available remotely via (S)FTP and HTTP. Additionally, an ODBC connection to an Oracle or MSSQL instance is possible. Alternatively, for advanced users, there is a command line option that allows a script or program to feed data directly into the Sawmill processing engine.

This plug-in provides analysis support within Sawmill for the log format named above. Using this plug-in, Sawmill is able to read and interpret log files in their original format and perform analysis, reporting and alerting based on the data contained within them. If Sawmill does not perform quite as expected, it is possible that the original vendor has changed the logging specification. Contact support@sawmill.co.uk with details and a sample of the log file.

During import of log data, the following fields are stored in the Sawmill database for subsequent processing and report generation:

Numeric Fields

  • events

Non-Numeric Fields

  • event code
  • type
  • category
  • username
  • server name
  • action
  • domain
  • logon ID
  • logon GUID
  • logon type
  • logon process
  • authentication package
  • workstation name
  • new process ID
  • process ID
  • creator process ID
  • image file name
  • caller user name
  • caller domain
  • caller logon ID
  • caller process ID
  • transited services
  • source network address
  • source port
  • primary user name
  • primary domain
  • primary logon ID
  • handle ID
  • target account name
  • target account ID
  • target domain
  • privileges
  • accesses
  • restricted sid count
  • access mask
  • object server
  • object type
  • object name
  • operation ID
  • client user name
  • client domain
  • client logon ID
  • member name
  • member ID
  • server
  • service
  • name
  • path
  • identifier
  • user account
  • user domain
  • rpc_server
  • ip_version
  • IP protocol
  • port number
  • allowed
  • user_notified
  • subject
  • Security ID
  • account name
  • Account Domain
  • group
  • group name
  • group_domain
  • changed_attributes
  • member
  • additional_information
  • event type
  • level
  • event description
  • computer name
  • subcategory