1. The sensor can only be configured to ftp the alarm log files. It can not be configured to ftp the iplog files.
2. The sensor (the sapd daemon) will monitor the /usr/nr/var/new directory (it checks about once every 30 seconds or so). As soon as it sees one or more log files in that directory it will ftp the oldest log file off to the ftp server. So if there is more than one log file it will ftp the oldest.
How to check if the ftp functionality is working:
a) Check the errors.sapd file in /usr/nr/var for any possible errors.
b) Check the different messages.* files in /usr/nr/var for any possible errors.
c) Execute nrget 10007 [hostid] [orgid] 1 FileMgmt
Where hostid is the sensor's numerical hostid.
Where orgid is the sensor's numerical orgid.
Example: nrget 10007 10 100 1 FileMgmt
Check to see if the trigger for the ftp is being executed and if an error count is shown for the trigger.
d) Login as root and execute "snoop -d [interface] [sensorip] [ftpserverip]"
Where interface is the command and control interface of the sensor
sensorip is the sensor's command control ip address
ftpserverip is the ftp server's ip address.
Example: snoop -d iprb0 10.1.1.1 10.3.4.5
Look to see if the ftp may be failing because of a bad password or any other possible error.
Occasionally you may see the ftp connection just stop. In this case the sensor may not have received the response it was expecting. The sensor will work with most standard ftp servers, but there are a few (mostly freeware ftp servers) which the sensor will not work with. These ftp servers respond in a way that the sensor can not understand.