FTPing log files from the IDSM

jason.fletcher
Level 1

I am trying to FTP the log files directly from the IDSM. I am using version 2.3.3i S11 of CSPM and 3.0(2)S10 on the IDSM. The instructions for configuring this are pretty cut and dry, but when I click on the "Generate audit event log files" option within the sensor logging tab in CSPM, all the other options continue to be grayed out. Any ideas?

Jason Fletcher

9 Replies

wardwalk
Cisco Employee

This is a known problem. CSCdv12981 (CSPM 2.3.1i cannot enable ftp of 3.0 IDSM log files)

Here's a workaround (it's not real convenient though):

1. After you've performed an Update in CSPM, open Windows Explorer and navigate to the following directory:

C:\Program Files\Cisco Systems\Cisco Secure Policy Manager\PostOffice\tmp\sensorca\(sensor name)\etc

2. In this directory, use WordPad to open sapd.conf

3. Add the following lines to sapd.conf after the line that begins with ControlUndo. (Note: In the lines below, replace username with the real username on the ftp server; replace password with the real password for the username; and replace xx.xx.xx.xx with the IP address of the machine where the ftp server resides.)

DBUser2 username
DBPass2 password
DBAux1 ftp
DBAux2 xx.xx.xx.xx
DBAux3 .
FM_Action DBLoad_Telemate_Load loadAction $FileOldest
FM_DirFiles Telemate_Load 1 c:/progra~1/ciscos~1/netran~1/var/new DBLoad_Telemate_Load

4. Save the changes to sapd.conf

5. Push, i.e. Approve Now, the configuration to the IDSM sensor.

Hope that works for you. I just tested it and it worked for me.

Note: These changes you just made to sapd.conf will be lost when you perform an Update or Save via CSPM, so you might want to save a copy of the modified sapd.conf somewhere.

Ward Walker

Cool, I will give that a shot. Any plans to resolve this in future releases?

Jason Fletcher

Well, this didn't work... After following the above steps and uploading to the IDSM I ran the show errorfile sapd command from diag and got this:

12/21/2001 09:28:40UTC E Error executing "c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.bat", returned 1.

What the heck is this? I don't have a sap folder under my bin directory and a search revealed not having a load_run.bat either....

Any other ideas?

Jason Fletcher

Sorry Jason. This morning I suddenly remembered another minor problem with the sapd.conf file. I had to make this change also when I performed my test. Do this and I think you'll be set...

In the same file as above (sapd.conf) on your CSPM machine, change the line that reads:

ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.bat

to

ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.ftp.bat

By the way, the sap folder under the bin directory is on the IDSM sensor, not on CSPM.

I'll monitor this thread to see if that works for you.
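
As an added example, not code from this thread or from Cisco, here is a small Python helper that applies both edits described above (inserting the DB*/FM_* lines after ControlUndo and switching ControlRun from load_run.bat to load_run.ftp.bat) and keeps a backup, since CSPM discards the change on the next Update or Save. The function names and the sample sapd.conf fragment are assumptions for the example, not part of CSPM.

```python
from pathlib import Path
import shutil

# Constructed sample sapd.conf fragment with the two anchor lines the workaround uses.
SAMPLE_CONF = (
    "ControlUndo c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/undo_placeholder.bat\n"
    "ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.bat\n"
)

def patch_sapd_conf(text, user, password, ftp_host):
    """Return sapd.conf text with the ftp workaround applied.

    Adds the DB*/FM_* lines right after ControlUndo and points ControlRun at
    load_run.ftp.bat. Refuses to touch a file that already carries the edit or
    lacks either anchor, so a differently laid-out file is not silently mangled.
    """
    if "DBUser2 " in text:
        raise ValueError("sapd.conf already contains the ftp workaround")
    # DBPass2 is stored in cleartext here and ftp sends it unencrypted, so use a
    # dedicated least-privilege ftp account and restrict who can read this file.
    extra = [
        f"DBUser2 {user}",
        f"DBPass2 {password}",
        "DBAux1 ftp",
        f"DBAux2 {ftp_host}",
        "DBAux3 .",
        "FM_Action DBLoad_Telemate_Load loadAction $FileOldest",
        "FM_DirFiles Telemate_Load 1 c:/progra~1/ciscos~1/netran~1/var/new DBLoad_Telemate_Load",
    ]
    out, found_undo, found_run = [], False, False
    for line in text.splitlines():
        if line.startswith("ControlRun ") and line.endswith("/load_run.bat"):
            line = line[: -len("load_run.bat")] + "load_run.ftp.bat"
            found_run = True
        out.append(line)
        if line.startswith("ControlUndo"):
            out.extend(extra)
            found_undo = True
    if not (found_undo and found_run):
        raise ValueError("ControlUndo or ControlRun line not found in sapd.conf")
    return "\n".join(out) + "\n"

def apply_to_file(path, user, password, ftp_host):
    """Patch sapd.conf in place, keeping a .bak copy since CSPM overwrites it on Update/Save."""
    p = Path(path)
    shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_text(patch_sapd_conf(p.read_text(), user, password, ftp_host))
    return p
```

Run apply_to_file against the sapd.conf under PostOffice\tmp\sensorca\(sensor name)\etc after an Update and before Approve Now; the .bak copy is what you re-apply after the next Update wipes the edit.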

Very good. I'll give this a shot. Is there any way to incorporate "real-time" logging into an external database? I see that you can archive purged data to an ODBC source after a time or after a certain size is reached. Are there any issues with this? Also, is it possible for CSPM to generate SNMP traps to send to an HP openview system if needed?

Thanks

Jason Fletcher

We partner with companies like netForensics, Telemate, & OpenSystems who have our SDK (available to partners, only) and they can receive real time data feeds directly from our sensors into their 3rd party tools. Their products augment existing functionality in our portfolio in the area of monitoring/reporting.

CSPM supports alarm forwarding.

CSPM does not support SNMP traps.

Regards.

Hello,

I have had this sapd.conf working well to ftp files off the IDSM. My problem now is I have added another IDSM and I am trying to push a sapd.conf change to do the same to a different log directory on my ftp server. So I have created a separate sapd.conf file. For some reason, the file is not getting updated on the new IDSM. I have tried save/update and approve or just approve with the new sapd.conf in the /etc. Any ideas why I can't seem to update the new IDSM with this file change manually? Is there another /etc directory for the different IDSM? Thanks in advance for any clues.

Jeff

Hi Jeff,

Currently, I don't know why CSPM isn't pushing your modified sapd.conf file. Here are a couple of comments/questions that might be helpful:

1. When you click on "Approve Now" does it appear that CSPM is doing anything? For example, does it say that it's transferring files to the sensor?

2. It could be that CSPM thinks there hasn't been an update for the sapd.conf file because no changes regarding sapd were made via the GUI. You might try selecting your new IDSM blade via the CSPM gui, click on the logging tab and enable something. Do an Update. Then, go back and disable what you previously enabled. Do another Update. Then, put "your" version of the sapd.conf file in the directory as mentioned below.

3. In step 1 of my post from December 20th, are you putting your tailored sapd.conf in the proper directory? Make sure you put it in:

C:\Program Files\Cisco Systems\Cisco Secure Policy Manager\PostOffice\tmp\sensorca\(sensor name)\etc

where (sensor name) is the name of your new IDSM blade.

I am in the process of making this change so I can ftp the log files from the IDSM to an ftp server. Where can I find more details as to how the IDSM manages the logs? When I do a show eventfile for the current and backup logs, I notice they are rolling over about every hour. Is this the only option? Are the logs on the CSPM an exact copy of what is logged on the IDSM? Thanks in advance.