Hi Graz,
There are two types of log files:
-- event log files
-- ip session log files
Event log files:
The event log file contains alarms generated by the sensor. The event log file currently in use is located in /usr/nr/var. When this event log file is filled, it is closed and moved from /usr/nr/var to /usr/nr/var/new.
The sensor can be configured to automatically ftp the closed event logs from /usr/nr/var/new to another machine. Each event log file that is successfully ftp'ed is compressed and then moved from the /usr/nr/var/new directory to the /usr/nr/var/dump directory. Once in /usr/nr/var/dump, these files are named log.YYYYMMDDHHMM.Z.
Also, the sensor monitors the utilization of the /usr/nr/var/new directory. When this directory reaches a certain level of utilization, all of the files in it (/usr/nr/var/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named NEWLOG.log.YYYYMMDDHHMM.Z.
IP session log files:
An IP session log file contains the packets to/from a particular IP address for a particular alarm. Open ip session log files exist in the /usr/nr/var/iplog directory. When an ip session log file is closed, it's moved to the /usr/nr/var/iplog/new directory.
Currently, the sensor cannot be configured to automatically ftp ip session logs to another machine.
The sensor monitors the utilization of the /usr/nr/var/iplog/new directory. When this directory reaches a certain level of utilization, all of the files from it (/usr/nr/var/iplog/new) are compressed and moved to /usr/nr/var/dump. Once in /usr/nr/var/dump, these files are named IPLOG.iplog.<ip>.YYYYMMDDHHMM.Z, where <ip> is the IP address of the logged packets.
The /usr/nr/var/iplog/dump directory is not currently used.
Finally, the sensor monitors the /usr/nr/var partition. When the partition becomes too full, files are deleted from /usr/nr/var/dump.
Hope that helps,
Ward.
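The naming scheme Ward describes for /usr/nr/var/dump determines which archives an operator still has to copy off the sensor before the partition-full cleanup deletes them. The script below is an added example, not code from the original message or from the sensor software: it parses a dump-directory listing into the three archive kinds (log.*, NEWLOG.log.*, IPLOG.iplog.<ip>.*), sorts them by the embedded close time, and flags the ones that need manual collection. The directory listing is constructed; the assumptions that IP session logs are dotted IPv4 addresses, and that a NEWLOG.* file was swept to dump by the utilization check rather than after a confirmed ftp transfer, are inferences from the message rather than documented behaviour.

```python
"""Triage archived sensor logs in /usr/nr/var/dump by their file names.

Added example (not from the original message). Assumes only the naming
conventions described above:
  log.YYYYMMDDHHMM.Z            closed event log, already ftp'ed
  NEWLOG.log.YYYYMMDDHHMM.Z     event log swept by the /new utilization check
  IPLOG.iplog.<ip>.YYYYMMDDHHMM.Z  closed ip session log (never auto-ftp'ed)
"""
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# One pattern per archive kind. The ip session pattern accepts dotted IPv4
# only (assumption: that is the address form the sensor writes into names).
PATTERNS = {
    "event": re.compile(r"^log\.(\d{12})\.Z$"),
    "event-overflow": re.compile(r"^NEWLOG\.log\.(\d{12})\.Z$"),
    "ipsession": re.compile(r"^IPLOG\.iplog\.(\d{1,3}(?:\.\d{1,3}){3})\.(\d{12})\.Z$"),
}

# Kinds that the sensor has not (or cannot have) shipped to another machine:
# ip session logs are never ftp'ed, and NEWLOG.* files were moved to dump by the
# utilization sweep rather than by a successful transfer (inference from the
# two different names the message gives).
NEEDS_OFFBOX_COPY = {"ipsession", "event-overflow"}


class ArchivedLog(NamedTuple):
    name: str
    kind: str
    closed_at: datetime
    ip: Optional[str]  # set only for ip session logs


def parse_dump_name(name: str) -> Optional[ArchivedLog]:
    """Return an ArchivedLog for a recognised dump file name, else None."""
    for kind, pat in PATTERNS.items():
        m = pat.match(name)
        if not m:
            continue
        ip = m.group(1) if kind == "ipsession" else None
        stamp = m.group(2) if kind == "ipsession" else m.group(1)
        try:
            closed_at = datetime.strptime(stamp, "%Y%m%d%H%M")
        except ValueError:
            return None  # twelve digits but not a real timestamp (e.g. month 13)
        return ArchivedLog(name, kind, closed_at, ip)
    return None


def triage(names: List[str]) -> Tuple[List[ArchivedLog], List[str]]:
    """Split a listing into (archives sorted oldest first, unrecognised names).

    Oldest-first ordering matters because the partition-full cleanup deletes
    files from dump; an operator wants to know what is at risk of being lost.
    """
    archives, unknown = [], []
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            unknown.append(name)
        else:
            archives.append(parsed)
    archives.sort(key=lambda a: a.closed_at)
    return archives, unknown


def needs_offbox_copy(names: List[str]) -> List[ArchivedLog]:
    """Archives (oldest first) that still have to be collected manually."""
    return [a for a in triage(names)[0] if a.kind in NEEDS_OFFBOX_COPY]


# Constructed listing of /usr/nr/var/dump for demonstration only.
SAMPLE_LISTING = [
    "log.199903121530.Z",
    "NEWLOG.log.199903130105.Z",
    "README",
    "IPLOG.iplog.10.1.2.3.199903110900.Z",
    "log.199913121530.Z",  # malformed timestamp: month 13
]

if __name__ == "__main__":
    archives, unknown = triage(SAMPLE_LISTING)
    for a in archives:
        print(f"{a.closed_at:%Y-%m-%d %H:%M}  {a.kind:15} {a.name}")
    print("unrecognised:", unknown)
    print("collect manually:", [a.name for a in needs_offbox_copy(SAMPLE_LISTING)])
```

Run it against a real listing with `os.listdir("/usr/nr/var/dump")` in place of SAMPLE_LISTING; anything reported by `needs_offbox_copy` should be copied off the sensor before the partition fills, since that is the only copy.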