Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
479
Views
0
Helpful
1
Replies

Send logfile to FTPServer

thanhlv
Level 1
Level 1

‎05-06-2002 02:25 AM - edited ‎03-08-2019 10:32 PM

1.In the Unix Director User Guide, it tells me how to send logfile to a FTPServer. I don'nt know the logfile is an alarm log file or an iplog file? Can Sensor send alarm logfiles to a FTPServer?

2.Although I did as the User Guide told but I could'nt get any logfile in the FTPServer. Under "the condition type", I chose "Number of Files" and I set its value 1. Doing as this, I don'nt know when the Sensor will send the logfiles to FTPServer? Is it right when I say that Sensor will send logfiles when there is only one new logfile in the directory /usr/nr/var/new.

Labels:
0 Helpful
1 Reply 1

marcabal
Cisco Employee
Cisco Employee

‎05-06-2002 08:43 AM

1. The sensor can only be configured to ftp the alarm log files. It can not be configured to ftp the iplog files.

2. The sensor (the sapd daemon) will monitor the /usr/nr/var/new directory (it checks about once every 30 seconds or so). As soon as it sees one or more log files in that directory it will ftp the oldest log file off to the ftp server. So if there is more than one log file it will ftp the oldest.

How to check if the ftp functionality is working:

a) Check the errors.sapd file in /usr/nr/var for any possible errors.

b) Check the different messages.* files in /usr/nr/var for any possible errors.

c) Execute nrget 10007 [hostid] [orgid] 1 FileMgmt

Where hostid is the sensor's numerical hostid.

Where orgid is the sensor's numerical orgid.

Example: nrget 10007 10 100 1 FileMgmt

Check to see if the trigger for the ftp is being executed and if an error count is shown for the trigger.

d) Login as root and execute "snoop -d [interface] [sensorip] [ftpserverip]"

Where interface is the command and control interface of the sensor

sensorip is the sensor's command control ip address

ftpserverip is the ftp server's ip address.

Example: snoop -d iprb0 10.1.1.1 10.3.4.5

Look to see if the ftp may be failing because of a bad password or any other possible error.

Occasionally you may see the ftp connection just stop. In this case the sensor may not have received the response it was expecting. The sensor will work with most standard ftp servers, but there are a few (mostly freeware ftp servers) which the sensor will not work with. These ftp servers respond in a way that the sensor can not understand.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents