This document describes how to view the logs on the Cisco Web Security Appliance (WSA) from the CLI using the grep command.
How can I view the logs on the Cisco WSA?
- In order to view the logs from the CLI, connect to the WSA using Secure Shell (SSH). You can use an SSH client such as PuTTY to do this.
- After logging in to the CLI, enter the grep command. This will bring up a list of the logs on the WSA.
- Type the number of the log subscription to run the grep on and press enter.
- Type the regular expression to grep for, or leave this empty to search for everything, and press enter.
- Type Y or N for the remaining prompts to modify how the grep is run.
Here is an example of how to run a grep to find a particular domain in the accesslogs:
Currently configured logs:
1. "accesslogs" Type: "Access Logs" Retrieval: FTP Poll
2. "amp_logs" Type: "AMP Engine Logs" Retrieval: FTP Poll
3. "authlogs" Type: "Authentication Framework Logs" Retrieval: FTP Poll
4. "avc_logs" Type: "AVC Engine Logs" Retrieval: FTP Poll
5. "bypasslogs" Type: "Proxy Bypass Logs" Retrieval: FTP Poll
42. "webcat_logs" Type: "Web Categorization Logs" Retrieval: FTP Poll
43. "webrootlogs" Type: "Webroot Logs" Retrieval: FTP Poll
44. "welcomeack_logs" Type: "Welcome Page Acknowledgement Logs" Retrieval:
Enter the number of the log you wish to grep.
Enter the regular expression to grep.
Do you want this search to be case insensitive? [Y]>
Do you want to search for non-matching lines? [N]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
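The search string is treated as a regular expression, so a bare domain such as example.com also matches look-alike hosts, because the dot matches any character and nothing anchors the name. The following added example (not from the original document) builds an escaped, anchored expression and compares the results using standard grep -E on a workstation; the function names and log lines are constructed for illustration, and whether the appliance's grep prompt accepts the same syntax is an assumption.

```shell
#!/usr/bin/env bash
# Added example: why a bare domain is a loose regular expression.
# Runs standard grep -E on constructed lines, not on the appliance itself.

# Constructed, simplified access-log lines (not real traffic).
sample_log() {
cat <<'EOF'
1700000001.123 45 10.1.1.10 TCP_MISS/200 1532 GET http://example.com/index.html - DIRECT/example.com text/html
1700000002.456 12 10.1.1.11 TCP_MISS/200 800 GET http://www.example.com/a.js - DIRECT/www.example.com application/javascript
1700000003.789 30 10.1.1.12 TCP_MISS/200 640 GET http://notexample.com/ - DIRECT/notexample.com text/html
1700000004.012 22 10.1.1.13 TCP_MISS/200 910 GET http://exampleXcom.test/ - DIRECT/exampleXcom.test text/html
1700000005.345 18 10.1.1.14 TCP_DENIED/403 0 CONNECT tunnel://EXAMPLE.COM:443/ - NONE/- -
EOF
}

# Escape regex metacharacters, then anchor the domain: "//" or "." before it
# (the host itself or a subdomain) and "/", ":" or a space after it.
domain_regex() {
  local escaped
  escaped=$(printf '%s' "$1" | sed 's/[][\.^$*+?(){}|]/\\&/g')
  printf '(//|\\.)%s[/: ]' "$escaped"
}

# Count matching lines. $2 mirrors the "case insensitive? [Y]" prompt.
count_matches() {
  local regex=$1 insensitive=${2:-Y}
  if [ "$insensitive" = "Y" ]; then
    sample_log | grep -ciE -- "$regex"
  else
    sample_log | grep -cE -- "$regex"
  fi
}

echo "regex to use:        $(domain_regex example.com)"
echo "bare 'example.com':  $(count_matches 'example.com') of 5 lines"
echo "anchored, Y:         $(count_matches "$(domain_regex example.com)") of 5 lines"
echo "anchored, N:         $(count_matches "$(domain_regex example.com)" N) of 5 lines"
```

The bare pattern matches notexample.com and exampleXcom.test as well as the intended host, while the anchored pattern matches only example.com and its subdomains; answering N to the case prompt additionally misses the upper-case CONNECT entry.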
- In order to view the logs from the GUI, connect to the WSA using a web browser on port 8080 (default) for HTTP or 8443 (default) for HTTPS.
- After logging in, click System Administration > Log Subscriptions.
- Click on the FTP link for the log subscription to view.
- Select the log file to view and the output will be shown in the browser.