
erase log files?

g.rodegari
Level 1

Hi,

I'm working with a 4230 Nids FE (3.0 (5) S17) managed by a 2.3.3i CSPM.

I've configured some events to be logged on the NIDS and to send this log to an FTP server. When the logs are sent, are they erased from the sensor?

Can anyone tell me what is logged in the dir /var/iplog/new or /var/iplog/dump?

Thanks a lot!

Graz

4 Replies

mhicks
Level 1

With some of the alarms you have three actions to take: block, reset and log. If you have the sig. set to log the alarm, the sensor will capture and store the data packet that caused the alarm. The file created is in the format IPLOG.nnn.nnn.nnn.nnn.yyyymmddhhmmss. This is the actual data that set off the alarm. The file can only be read by a packet analyzer such as Ethereal.

The files are not easy to read and you might not want to log the alarms unless you want to do some serious analysis.

Hi,

thank you for your reply!

Graz.

wardwalk
Cisco Employee

Hi Graz,

There are two types of log files:

-- event log files

-- ip session log files

Event log files:

The event log file contains alarms generated by the sensor. The event log file currently in use is located in /usr/nr/var. When this event log file is filled, it is closed and moved from /usr/nr/var to /usr/nr/var/new.

The sensor can be configured to automatically ftp the closed event logs from /usr/nr/var/new to another machine. Each event log file that is successfully ftp'ed is compressed and then moved from the /usr/nr/var/new directory to the /usr/nr/var/dump directory. Once in /usr/nr/var/dump, these files are named log.YYYYMMDDHHMM.Z.

Also, the sensor monitors the utilization of the /usr/nr/var/new directory. When this directory reaches a certain level of utilization, all of the files in it (/usr/nr/var/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named NEWLOG.log.YYYYMMDDHHMM.Z.

IP session log files:

An IP session log file contains the packets to/from a particular IP address for a particular alarm. Open ip session log files exist in the /usr/nr/var/iplog directory. When an ip session log file is closed, it's moved to /usr/nr/var/iplog/new directory.

Currently, the sensor can not be configured to automatically ftp ip session logs to another machine.

The sensor monitors the utilization of the /usr/nr/var/iplog/new directory. When this directory reaches a certain level of utilization, all of the files from it (/usr/nr/var/iplog/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named IPLOG.iplog..YYYYMMDDHHMM.Z where is the IP address of the logged packets.

The /usr/nr/var/iplog/dump directory is not currently used.

Finally, the sensor monitors the /usr/nr/var partition. When the partition becomes too full, files are deleted from /usr/nr/var/dump.

Hope that helps,

Ward.
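The naming conventions Ward lists make it possible to tell, from a listing of /usr/nr/var/dump alone, which files were confirmed shipped by FTP (log.*) and which landed there only because a directory filled up and were never copied off the box (NEWLOG.* and IPLOG.*). The following is an added example, not code from the thread or from Cisco; it assumes the elided IP component of the IPLOG name is a dotted-quad address, and the sample listing is constructed.

```python
import re
from datetime import datetime
from typing import Optional

# Filename patterns taken from the reply above. The <ip> part of the IPLOG name
# is assumed (not stated in the thread) to be a dotted quad.
PATTERNS = {
    # Event log ftp'ed successfully, then compressed and moved to dump.
    "event_shipped": re.compile(r"^log\.(\d{12})\.Z$"),
    # Event log moved to dump because /usr/nr/var/new filled up: never ftp'ed.
    "event_unshipped": re.compile(r"^NEWLOG\.log\.(\d{12})\.Z$"),
    # IP session log moved to dump on utilization; the sensor has no ftp path for these.
    "iplog_unshipped": re.compile(
        r"^IPLOG\.iplog\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{12})\.Z$"),
}

def classify(name: str) -> Optional[dict]:
    """Return kind, rotation time and (for IPLOGs) the address, or None if unknown."""
    for kind, pat in PATTERNS.items():
        m = pat.match(name)
        if not m:
            continue
        stamp = m.group(m.lastindex)          # timestamp is always the last group
        info = {"name": name, "kind": kind,
                "when": datetime.strptime(stamp, "%Y%m%d%H%M")}
        if kind == "iplog_unshipped":
            info["ip"] = m.group(1)
        return info
    return None

def at_risk(names) -> list:
    """Files in dump that were never copied off-box; these are what the
    partition-full purge will silently destroy."""
    result = []
    for n in names:
        info = classify(n)
        if info and info["kind"] != "event_shipped":
            result.append(n)
    return result

# Constructed sample listing of /usr/nr/var/dump (not real sensor output).
SAMPLE_DUMP = [
    "log.200301150930.Z",
    "NEWLOG.log.200301160215.Z",
    "IPLOG.iplog.192.0.2.10.200301160220.Z",
    "core",                                   # not a log file
]

if __name__ == "__main__":
    for name in at_risk(SAMPLE_DUMP):
        print("never shipped:", name)
```

Run it against `os.listdir("/usr/nr/var/dump")` on the sensor to see which session logs still need to be retrieved by hand before the partition-full cleanup removes them.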

Hi Ward,

this explanation is clear and exhaustive!

Thank you very much!

Graz.