IPS logging turning over every few hours??

Answered Question
May 21st, 2007

For an initial install I have configured the sensor to log all attacker/victim pair packets, for investigating events in detail; this is not meant to be on all the time. It will be turned off to see if this reduces the amount of storage space that is being consumed so we can monitor events for a longer period of time, but I have a question on this.

Does the Event Store Wrap (in show stat event-store output) indicate the logging wrapping I am seeing?

If so, is there a way to monitor the memory availability for the store itself so I can see what effect different settings have on available logging memory?

IPS# show statistics event-store
Event store statistics
The number of times the event store circular buffer has wrapped = 16

Correct Answer
jamesand Fri, 05/25/2007 - 14:04

The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a circular eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events.

hannatest Tue, 06/03/2008 - 16:26

How about the maximum circular buffer size for IP logging? i.e. when does the IP logging overwriting start?

Thanks in advance.

marcabal Fri, 06/06/2008 - 08:26

The memory space for IP Logging is dependent on the particular platform.

Higher performing platforms may have as much as 512 MB reserved for IP Logging, while the lower end may have as little as 128 MB.


You can run a "show tech" on the sensor. In the show tech output you will see a directory listing for the directory /usr/cids/idsRoot/var/iplogs.

It should be a listing of numbered files starting with 00000.

Find the highest numbered file and add 1 (to account for the 00000 file). Each file is 1 MB so the number of files is the number of MB of iplogging space.

When IP Logging starts it will open up the first empty numbered file and start writing the packets into this file. The next IP Log will simply start writing into the next numbered file. Each numbered file will hold only one IP Log, so you can only have as many logs as you have files. An IP Log CAN cross into multiple numbered files if the IP Log will be larger than 1 MB, in which case you will wind up with fewer IP Logs than numbered files.

When all the numbered files have been used, the oldest IP Log will be overwritten when a newer IP Log has started. This circular logging is similar to the circular logging in the eventStore.
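A small monitoring helper, added here as an example and not part of any post above or of the sensor software: it parses the wrap counter from two captures of "show statistics event-store" taken some time apart, works out the mean minutes per wrap and flags it against the 10-15 minute rule of thumb jamesand gives, and applies marcabal's "highest numbered file + 1, 1 MB each" rule to an iplogs directory listing. The captures, timestamps and listing are constructed sample data; the regexes assume the counter line and the five-digit file names look as shown in the thread.

```python
import re
from datetime import datetime

# Constructed samples: two captures of the same command 6 hours apart.
T1 = datetime(2007, 5, 21, 8, 0)
T2 = datetime(2007, 5, 21, 14, 0)
SAMPLE_1 = """IPS# show statistics event-store
Event store statistics
   The number of times the event store circular buffer has wrapped = 16
"""
SAMPLE_2 = """IPS# show statistics event-store
Event store statistics
   The number of times the event store circular buffer has wrapped = 19
"""
# Constructed excerpt of the iplogs listing from "show tech" (8 files).
IPLOG_LISTING = """/usr/cids/idsRoot/var/iplogs:
00000  00001  00002  00003
00004  00005  00006  00007
"""

WRAP_RE = re.compile(r"circular buffer has wrapped\s*=\s*(\d+)")
IPLOG_FILE_RE = re.compile(r"\b(\d{5})\b")  # assumes 5-digit file names


def parse_wrap_count(show_stats_output: str) -> int:
    """Return the wrap counter from 'show statistics event-store' output."""
    m = WRAP_RE.search(show_stats_output)
    if m is None:
        raise ValueError("wrap counter line not found")
    return int(m.group(1))


def mean_wrap_interval_minutes(count_a, time_a, count_b, time_b):
    """Average minutes per wrap between two captures; None if it never wrapped."""
    wraps = count_b - count_a
    if wraps <= 0:
        return None
    return (time_b - time_a).total_seconds() / 60 / wraps


def eventstore_overrun_risk(interval_minutes, threshold_minutes=15):
    """True when the store wraps faster than the 10-15 minute rule of thumb,
    i.e. the remote monitor may no longer keep up and events may be lost."""
    return interval_minutes is not None and interval_minutes < threshold_minutes


def iplog_capacity_mb(listing: str) -> int:
    """Highest numbered file + 1; each file is 1 MB of IP-logging space."""
    numbers = [int(n) for n in IPLOG_FILE_RE.findall(listing)]
    if not numbers:
        raise ValueError("no numbered iplog files found in listing")
    return max(numbers) + 1
```

Running the samples through these functions gives a 120-minute wrap interval (no risk) and 8 MB of IP-log space, which is also the most simultaneous IP Logs that listing could hold.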