Cisco Support Community
Community Member

erase log files?

Hi,

I'm working with a 4230 Nids FE (3.0 (5) S17) managed by a 2.3.3i CSPM.

I've configured some events to be logged on the NIDS and to send this log to an FTP server. When the logs are sent... are they erased from the sensor?

Can anyone tell me what is logged in the dir /var/iplog/new or /var/iplog/dump?

Thanks a lot!

Graz

4 REPLIES
Community Member

Re: erase log files?

With some of the alarms you have three actions to take: block, reset and log. If you have the sig. set to log the alarm, the sensor will capture and store the data packet that caused the alarm. The file created is in the format IPLOG.nnn.nnn.nnn.nnn.yyyymmddhhmmss. This is the actual data that set off the alarm. The file can only be read by a packet analyzer such as Ethereal.

The files are not easy to read and you might not want to log the alarms unless you want to do some serious analysis.

Community Member

Re: erase log files?

Hi,

thank you for your reply!

Graz.

Cisco Employee

Re: erase log files?

Hi Graz,

There are two types of log files:

-- event log files

-- ip session log files

Event log files:

The event log file contains alarms generated by the sensor. The event log file currently in use is located in /usr/nr/var. When this event log file is filled, it is closed and moved from /usr/nr/var to /usr/nr/var/new.

The sensor can be configured to automatically ftp the closed event logs from /usr/nr/var/new to another machine. Each event log file that is successfully ftp'ed is compressed and then moved from the /usr/nr/var/new directory to the /usr/nr/var/dump directory. Once in /usr/nr/var/dump, these files are named log.YYYYMMDDHHMM.Z.

Also, the sensor monitors the utilization of the /usr/nr/var/new directory. When this directory reaches a certain level of utilization, all of the files in it (/usr/nr/var/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named NEWLOG.log.YYYYMMDDHHMM.Z.

IP session log files:

An IP session log file contains the packets to/from a particular IP address for a particular alarm. Open ip session log files exist in the /usr/nr/var/iplog directory. When an ip session log file is closed, it's moved to /usr/nr/var/iplog/new directory.

Currently, the sensor can not be configured to automatically ftp ip session logs to another machine.

The sensor monitors the utilization of the /usr/nr/var/iplog/new directory. When this directory reaches a certain level of utilization, all of the files from it (/usr/nr/var/iplog/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named IPLOG.iplog.<ip-address>.YYYYMMDDHHMM.Z, where <ip-address> is the IP address of the logged packets.

The /usr/nr/var/iplog/dump directory is not currently used.

Finally, the sensor monitors the /usr/nr/var partition. When the partition becomes too full, files are deleted from /usr/nr/var/dump.

Hope that helps,

Ward.
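As an added example (not part of the thread or of the sensor software), a small Python audit of a /usr/nr/var/dump listing built on the naming scheme Ward describes: NEWLOG.* files are event logs that were compressed by the utilization sweep of /usr/nr/var/new instead of being ftp'ed, so they never reached the collector and are the first to disappear when the partition fills. The directory listing, the regexes and the <ip-address> field position are constructed from the reply, not taken from a real sensor.

```python
import re
from datetime import datetime
from typing import NamedTuple, Optional

# Name patterns as described in the reply (regexes are constructed here):
#   log.YYYYMMDDHHMM.Z                       event log, ftp'ed OK, then compressed
#   NEWLOG.log.YYYYMMDDHHMM.Z                event log, swept from var/new, never ftp'ed
#   IPLOG.iplog.<ip-address>.YYYYMMDDHHMM.Z  ip session log, swept from iplog/new
PATTERNS = [
    ("event-shipped",   re.compile(r"^log\.(\d{12})\.Z$")),
    ("event-unshipped", re.compile(r"^NEWLOG\.log\.(\d{12})\.Z$")),
    ("ipsession", re.compile(r"^IPLOG\.iplog\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{12})\.Z$")),
]

class DumpFile(NamedTuple):
    name: str
    kind: str
    stamp: Optional[datetime]   # time embedded in the file name
    ip: Optional[str]           # only for ip session logs

def classify(name: str) -> DumpFile:
    """Map one file name from /usr/nr/var/dump to its log type."""
    for kind, rx in PATTERNS:
        m = rx.match(name)
        if not m:
            continue
        groups = m.groups()
        stamp = datetime.strptime(groups[-1], "%Y%m%d%H%M")
        ip = groups[0] if kind == "ipsession" else None
        return DumpFile(name, kind, stamp, ip)
    return DumpFile(name, "unknown", None, None)

def audit(names):
    """Count files per kind and list event logs that were rotated
    locally without ever being transferred to the FTP host."""
    files = [classify(n) for n in names]
    counts = {}
    for f in files:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    unshipped = sorted(f.name for f in files if f.kind == "event-unshipped")
    return counts, unshipped

# Constructed sample listing of /usr/nr/var/dump (not from a real sensor).
SAMPLE_LISTING = [
    "log.200210031455.Z",
    "log.200210031610.Z",
    "NEWLOG.log.200210040205.Z",
    "IPLOG.iplog.192.0.2.17.200210040310.Z",
    "lost+found",
]
```

Run the audit on a real listing (e.g. the output of `ls /usr/nr/var/dump`) and treat any non-empty unshipped list as a gap in off-box log collection that needs attention before the partition-full cleanup deletes it.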

Community Member

Re: erase log files?

Hi Ward,

this explanation is clear and exhaustive!

Thank you very much!

Graz.
