03-01-2002 03:12 AM - edited 03-08-2019 09:57 PM
Hi,
I'm working with a 4230 Nids FE (3.0 (5) S17) managed by a 2.3.3i CSPM.
I've configured some events to be logged on the NIDS and to send this log to an FTP server. When the logs are sent... are they erased from the sensor?
Can anyone tell me what is logged in the dir /var/iplog/new or /var/iplog/dump?
Thanks a lot!
Graz
03-01-2002 05:14 AM
With some of the alarms you have three actions to take: block, reset and log. If you have the sig. set to log the alarm, the sensor will capture and store the data packet that caused the alarm. The file created is in the format IPLOG.nnn.nnn.nnn.nnn.yyyymmddhhmmss. This is the actual data that set off the alarm. The file can only be read by a packet analyzer such as Ethereal.
The files are not easy to read and you might not want to log the alarms unless you want to do some serious analysis.
03-01-2002 11:36 PM
Hi,
thank you for your reply!
Graz.
03-01-2002 09:37 AM
Hi Graz,
There are two types of log files:
-- event log files
-- ip session log files
Event log files:
The event log file contains alarms generated by the sensor. The event log file currently in use is located in /usr/nr/var. When this event log file is filled, it is closed and moved from /usr/nr/var to /usr/nr/var/new.
The sensor can be configured to automatically ftp the closed event logs from /usr/nr/var/new to another machine. Each event log file that is successfully ftp'ed is compressed and then moved from the /usr/nr/var/new directory to the /usr/nr/var/dump directory. Once in /usr/nr/var/dump, these files are named log.YYYYMMDDHHMM.Z.
Also, the sensor monitors the utilization of the /usr/nr/var/new directory. When this directory reaches a certain level of utilization, all of the files in it (/usr/nr/var/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named NEWLOG.log.YYYYMMDDHHMM.Z
IP session log files:
An IP session log file contains the packets to/from a particular IP address for a particular alarm. Open ip session log files exist in the /usr/nr/var/iplog directory. When an ip session log file is closed, it's moved to /usr/nr/var/iplog/new directory.
Currently, the sensor cannot be configured to automatically ftp ip session logs to another machine.
The sensor monitors the utilization of the /usr/nr/var/iplog/new directory. When this directory reaches a certain level of utilization, all of the files from it (/usr/nr/var/iplog/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named IPLOG.iplog.
The /usr/nr/var/iplog/dump directory is not currently used.
Finally, the sensor monitors the /usr/nr/var partition. When the partition becomes too full, files are deleted from /usr/nr/var/dump.
Hope that helps,
Ward.
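Ward's answer (and the IPLOG.nnn.nnn.nnn.nnn.yyyymmddhhmmss format in the earlier reply) describes four file-name conventions that end up under /usr/nr/var/dump and /usr/nr/var/iplog/new. The script below is an added example, not code from the thread or from Cisco: it classifies a directory listing by those names, so an operator can see which event logs were ftp'ed before being archived (log.*.Z) and which were only archived because /usr/nr/var/new filled up (NEWLOG.log.*.Z) and therefore never reached the collector. The listing is constructed for the example; the regular expressions are my reading of the formats quoted in the thread, not a documented sensor API.

```python
import re
from datetime import datetime

# Constructed sample listing (not from a real sensor), built from the
# file-name formats quoted in the thread above.
SAMPLE_LISTING = [
    "/usr/nr/var/dump/log.200202281530.Z",
    "/usr/nr/var/dump/log.200203010900.Z",
    "/usr/nr/var/dump/NEWLOG.log.200203011745.Z",
    "/usr/nr/var/dump/IPLOG.iplog",
    "/usr/nr/var/iplog/new/IPLOG.192.0.2.10.20020301101522",
    "/usr/nr/var/iplog/new/IPLOG.198.51.100.7.20020301102003",
    "/usr/nr/var/dump/README",
]

# One pattern per file class described in the thread (assumed regexes).
PATTERNS = [
    # event log that was successfully ftp'ed, then compressed
    ("event_shipped",   re.compile(r"^log\.(?P<ts>\d{12})\.Z$")),
    # event log compressed by the utilisation monitor: never ftp'ed
    ("event_unshipped", re.compile(r"^NEWLOG\.log\.(?P<ts>\d{12})\.Z$")),
    # closed ip session log: IPLOG.<ipv4>.<yyyymmddhhmmss>
    ("iplog_closed",    re.compile(r"^IPLOG\.(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\.(?P<ts>\d{14})$")),
    # ip session logs archived into /usr/nr/var/dump
    ("iplog_archived",  re.compile(r"^IPLOG\.iplog$")),
]


def classify(path):
    """Return {'name', 'class', 'when', 'addr'} for one sensor log path."""
    name = path.rsplit("/", 1)[-1]
    for cls, pat in PATTERNS:
        m = pat.match(name)
        if not m:
            continue
        info = m.groupdict()
        ts = info.get("ts")
        when = None
        if ts:
            # event logs carry YYYYMMDDHHMM, ip session logs carry seconds too
            fmt = "%Y%m%d%H%M%S" if len(ts) == 14 else "%Y%m%d%H%M"
            when = datetime.strptime(ts, fmt)
        return {"name": name, "class": cls, "when": when, "addr": info.get("addr")}
    return {"name": name, "class": "unknown", "when": None, "addr": None}


def inventory(paths):
    """Group file names by class so each category can be reviewed at a glance."""
    out = {cls: [] for cls, _ in PATTERNS}
    out["unknown"] = []
    for p in paths:
        rec = classify(p)
        out[rec["class"]].append(rec["name"])
    return out


def unshipped_event_logs(paths):
    """Timestamps of event logs archived without ever being ftp'ed off the sensor."""
    return sorted(r["when"] for r in map(classify, paths) if r["class"] == "event_unshipped")


def iplog_addresses(paths):
    """Distinct addresses that have closed ip session logs waiting in iplog/new."""
    return sorted({r["addr"] for r in map(classify, paths) if r["class"] == "iplog_closed"})


if __name__ == "__main__":
    for cls, names in inventory(SAMPLE_LISTING).items():
        print(f"{cls:16s} {names}")
    print("never ftp'ed:", unshipped_event_logs(SAMPLE_LISTING))
    print("iplog hosts:", iplog_addresses(SAMPLE_LISTING))
```

The two lists worth acting on are the NEWLOG.log.*.Z event logs and the closed ip session logs: the thread says neither is shipped automatically, and the partition monitor deletes from /usr/nr/var/dump when /usr/nr/var fills, so those are the files to copy off by hand before the sensor reclaims the space.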
03-01-2002 11:33 PM
Hi Ward,
this explanation is clear and exhaustive!
Thank you very much!
Graz.