4255 Application-log

Unanswered Question
Jul 31st, 2009

Our application-log on our 4255 running 7.0(1)E3 is showing 96% full. I don't see any GUI or CLI commands that pertain to the application-log. What is it and how do you clear it?


Craig

Overall Rating: 4 (1 ratings)
marcabal Fri, 07/31/2009 - 12:07
User Badges:
  • Cisco Employee,

The application log is the name given in "show ver" for the /usr/ids/idsRoot/var/iplogs partition which for the IPS-4255 is stored in RAM.


On an IPS 4255 the system will automatically create a RAM disk for the partition on bootup, and then the sensor processes will automatically create 512 IPLOG files in the directory.

These 512 files are originally written with empty data, but take up a full 1000000 bytes each.

So these 512 files will automatically fill up the partition 96% full on an IPS-4255.

There are no CLI commands to change this, and none are needed to clean it up. It will always be 96% full.


As new IP Logs are created (in response to the packet log event actions) it will start writing packet data into these 512 IP Log files. When all 512 are full of packet data the sensor will automatically start overwriting the oldest file. So there will always be 512 files and they will always take up 96% of the partition.


On other sensor models the % used will differ because either the partition size is smaller or larger, or there is a smaller or larger number of IP Log files that the sensor creates and uses.


There is no supported method for clearing the IP Logs.

The box can be rebooted, in which case all stored information in the IP Logs is lost (remember they were in a RAM disk), and 512 new empty files will be created.



SaurabhSrivastav_2 Fri, 06/04/2010 - 01:23

Hi Marcabal,


I am also facing the same issue on my IPS 4260. Please confirm if you have any reference in Cisco documents.


Regds,

Saurabh

Scott Fringer Fri, 06/04/2010 - 04:18
User Badges:
  • Cisco Employee,

Saurabh;


  The application-log is automatically maintained by the sensor operating system.  There is no direct method to clear this partition, and the operating system will overwrite it as necessary.


Scott
