IWSVA stores all logs in raw format in the following location:

/etc/iscan/commonlog_data/log_block/0

You can use a script to convert the data into a readable format. The converted data can be processed further, but note that Trend Micro does not supply or support any tool for that purpose.

To convert the raw logs, use the following script:

import sys
import zlib

# Usage: python toraw.py <raw_log_file> <output_file>
# Reads one zlib-compressed IWSVA log block and writes the inflated text.
if __name__ == '__main__':
    with open(sys.argv[1], 'rb') as i:
        data = zlib.decompress(i.read())
    with open(sys.argv[2], 'wb') as o:
        o.write(data)

To use the script:

  1. Save the script in /root with extension ".py".

    For example: toraw.py

  2. Run it using the following command:

    python /root/<scriptname.py> <raw_log_file_name> <output_file_name.txt>

    For example:

    python /root/toraw.py /etc/iscan/commonlog_data/log_block/0/1445862900_6cbf95f2-7bde-11e5-bc6b-005056011094.log text.txt
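As an added example that is not part of this article or of Trend Micro's tooling, the following script extends the one above to convert a whole log_block directory in one run, skipping files that are not valid zlib data and rejecting truncated blocks instead of silently writing partial output. The embedded sample log line is constructed, and the output directory layout (dst/<name>.txt) is an assumption.

```python
import sys
import zlib
from pathlib import Path

# Constructed sample standing in for one raw IWSVA log block as stored on disk
# (zlib-compressed); the field contents are made up for this example.
SAMPLE_PLAIN = b"1445862900\tblocked\t10.0.0.5\thttp://example.test/\n"
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_PLAIN)


def is_zlib_stream(data: bytes) -> bool:
    # RFC 1950 header check: compression method 8 (deflate) and the 16-bit
    # CMF/FLG value divisible by 31, so plain-text files are skipped early.
    if len(data) < 2 or (data[0] & 0x0F) != 8:
        return False
    return ((data[0] << 8) | data[1]) % 31 == 0


def decompress_block(data: bytes) -> bytes:
    # Inflate one block; decompressobj exposes .eof so a truncated block is
    # reported as an error rather than silently yielding a partial file.
    d = zlib.decompressobj()
    out = d.decompress(data) + d.flush()
    if not d.eof:
        raise zlib.error("truncated zlib stream")
    return out


def convert_directory(src: Path, dst: Path) -> dict:
    # Convert every *.log block in src to dst/<name>.txt and report skipped
    # files instead of aborting the whole batch on one bad block.
    dst.mkdir(parents=True, exist_ok=True)
    summary = {"converted": 0, "skipped": []}
    for path in sorted(src.glob("*.log")):
        raw = path.read_bytes()
        if not is_zlib_stream(raw):
            summary["skipped"].append(path.name)
            continue
        try:
            plain = decompress_block(raw)
        except zlib.error:
            summary["skipped"].append(path.name)
            continue
        (dst / (path.stem + ".txt")).write_bytes(plain)
        summary["converted"] += 1
    return summary


if __name__ == "__main__":
    print(convert_directory(Path(sys.argv[1]), Path(sys.argv[2])))
```

Run it with the log_block directory as the first argument and a writable output directory as the second; the printed summary lists any block that was skipped.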

To understand the format of the raw logs, refer to /usr/trend/commonlog/config/schema/log_block/common_id.py.

Open common_id.py in a text editor to see how each entry maps to a field in the converted log.