IWI CWAT

Sawmill plug-ins allow Sawmill to read ASCII text-based logs that are saved to a folder Sawmill can read locally (including mapped or mounted filesystems) or that are available remotely via (S)FTP and HTTP. Additionally, an ODBC connection to an Oracle or MSSQL instance is possible. Alternatively (for advanced users), there is a command-line option that allows a script or program to feed data into the Sawmill processing engine.

This plug-in provides analysis support within Sawmill for the above-named log format. Using this plug-in, Sawmill is able to read and interpret log files in their original format and perform analysis, reporting and alerting based on the data they contain. If Sawmill does not perform quite as expected, it is possible that the original vendor has changed the logging specification. Contact support@sawmill.co.uk providing details and a sample of the log file.

During import of log data, the following fields are stored in the Sawmill database for subsequent processing and report generation:


Numeric Fields

  • events
  • output file size
  • attach size
  • alert count
  • node count
  • high priority events
  • medium priority events
  • low priority events

Non-Numeric Fields

  • date/time
  • day of week
  • hour of day
  • site ID
  • site name
  • last alert time
  • alert level
  • power on
  • logon
  • power off
  • high
  • medium
  • low
  • pending
  • checking
  • processed
  • no action
  • alert ID
  • alert sequence
  • alert date
  • alert status code
  • alert status
  • process ID
  • thread ID
  • machine time
  • sequence number
  • CWAT node management ID
  • alert IP
  • alert location
  • MAC address
  • flag under OM management
  • process name
  • log number
  • alert type
  • policy ID
  • policy category
  • policy name
  • operation
  • suspicious event score
  • suspicious event day
  • suspicious event time
  • suspicious event score statement
  • node usage type
  • logon user
  • domain
  • bus discrimination ID
  • bus peculiar code
  • device discrimination ID
  • device peculiar code
  • bus status
  • output file size
  • output file name
  • startup shutdown process name
  • window name
  • source file name
  • dest file name
  • install app name
  • dest installation
  • book name
  • keyword
  • screenshot info
  • protocol
  • source port
  • destination port
  • source address
  • destination address
  • sourcemac
  • destination MAC
  • communication type
  • unregistered node IP
  • unregistered node mac
  • last shutdown
  • packet data
  • tampered log name
  • os time after tamper
  • hostname
  • machine alert ID
  • alert event type
  • device name
  • media name
  • application ID
  • recipient
  • CC
  • bcc
  • sender
  • subject
  • send time
  • mail size
  • mail count
  • mail body
  • attachment presence
  • attach name
  • attach size
  • user group
  • keyboard operation
  • clipboard type
  • clipboard information
  • alert status update time
  • record update time
  • action date
  • operator
  • action contents code
  • action contents
  • action result code
  • action result
  • auto mnl action code
  • auto mnl action
  • CWAT standard time action
  • sequence number action
  • alert id action
  • user name action
  • comment
  • update time
  • policy version
  • virus check result code
  • virus check result
  • virus check start time
  • virus check complete time
  • alert month