Introduction
This document describes how to view the logs on the Cisco Web Security Appliance (WSA) from the CLI using the grep command.
How can I view the logs on the Cisco WSA?
CLI
- In order to view the logs from the CLI, connect to the WSA using Secure Shell (SSH). You can use a SSH client like puTTy to do this.
- After logging in to the CLI, enter the grep command. This will bring up a list of the logs on the WSA.
- Type the number of the log subscription to run the grep on and press enter.
- Type the regular expression to grep for, or leave this empty to search for everything, and press enter.
- Type Y or N for the remaining prompts to modify how the grep is run.
Here is an example of how to run a grep to find a particular domain in the accesslogs:
wsa.hostname> grep
Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll
3. "authlogs" Type: "Authentication Framework Logs" Retrieval: FTP Poll
4. "avc_logs" Type: "AVC Engine Logs" Retrieval: FTP Poll
5. "bypasslogs" Type: "Proxy Bypass Logs" Retrieval: FTP Poll
...
42. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
43. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
44. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval:
FTP Poll
Enter the number of the log you wish to grep.
[]> 1
Enter the regular expression to grep.
[]> domain.com
Do you want this search to be case insensitive? [Y]>
Do you want to search for non-matching lines? [N]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
GUI
- In order to view the logs from the GUI, connect to the WSA using a web browser on port 8080 (default) for HTTP or 8443 (default) for HTTPS.
- After logging in, click System Administration > Log Subscriptions.
- Click on the FTP link for the log subscription to view.
- Select the log file to view and the output will be shown in the browser.
Note: By default, the WSA uses port 21 for FTP when connecting to the management interface. If this port is changed, clicking on the FTP link from the GUI will fail. In order to correct this problem, add the FTP port for the management interface after the WSA hostname in the URL in the browser.