My questions are related to the IPLOGs (raw packet payload data). I'm planning to set up IPLOG for high/medium events only, because they're the ones for which we usually need to look into the raw data.
1. When a high/medium event is triggered, it would generate IPLOG. What is a reasonable time period for logging a high/medium event? 5 minutes?
2. From the CLI, I noticed that I can modify these parameters:
NumberOfIPLogFiles: 20 <defaulted>
MaxOpenIPLogFiles: 20 <defaulted>
MaxIPLogFileSize: 1000000 <defaulted>
Can I increase the number of IPLOG files that are stored, as well as their MaxIPLogFileSize? This is because in a high-traffic environment there might be times when we need to look up IPLOG raw data, and if the file size is too small it would be overwritten. What is the maximum size I could change it to without causing any problems?
3. Using IDM, if I wanted to check out a particular IPLOG file, I noticed that there is a LOG ID, which is a unique identifier for the IPLOG files. If I wanted to look up raw data for a particular eventID, how can I find out which IPLOG file to look up?