Why doesn't my test POST request show up in "Data Security Logs" on the Cisco Web Security Appliance (WSA)?
Symptoms: "Data Security Logs" aren't updating even though POST requests are being sent through the WSA. The "Access Log" is updating and shows that the POST requests work properly.
Solution: The size of the POST request, which is essentially the amount of data being uploaded, determines whether the request gets scanned by the on-box data security filters or by external Data Loss Prevention (DLP) policies.
By default, the WSA has a minimum size limit of 4096 bytes (4K) for DLP to trigger. This minimum avoids false positives from DLP scanning, because it skips small POST requests such as website logins.
So any POST request/upload below the 4K limit is not recorded in "Data Security Logs". However, the WSA still processes the POST request and records the transaction in the "Access Log".
For on-box DLP (Data Security filters):
We can change the default scanning limit from the WSA CLI using the command: datasecurityconfig
For off-box DLP (External DLP):
We can change the default scanning limit from the WSA CLI using the command: externaldlpconfig
The default value for both the above commands is 4096 bytes.