iplogs

emusican
Level 1

How are iplogs viewed? If I go to the sensor and look at the iplogs file I can't make heads or tails of it. Is there some documentation somewhere that explains anything about iplogging?

I made a test string and enabled IP logging on it. I let it run a few days and had multiple hits. I went to the /usr/cids/idsRoot/var/iplogs directory and saw a lot of equal-sized files all labelled with a number. I'm not sure how to view these files; they seem to be binary or something.

Any help would be appreciated.

4 Replies

marcabal
Cisco Employee

The iplog files are binary files. They contain the actual binary packets to and from the source address of the alarm that triggered the iplog action.

The binary packets are written in a common format most commonly referred to as libpcap format, and have also been referred to as tcpdump files.

The libpcap format files can be read by most sniffer programs. Tcpdump, tcpreplay, and ethereal are some of the most common freeware programs that people use for viewing libpcap formatted files.

If you don't already have a commercial sniffer program that can view libpcap formatted files then I generally recommend using ethereal.

Ethereal can be downloaded for free from www.ethereal.com.

Is there no GUI CiscoWorks uses to view iplogs?

On the Netranger systems you could just go to a menu item "show ip logging", and it would open it up for you using ethereal or whatever program you wanted to use. It also correlated the iplogs so you could see IP addresses. To see iplogs, what you are saying is that I have to go to the sensor and correlate some randomly numbered file with another file? The index or directory?

The latest released versions of Security Monitor do not support the "show ip log" menu option that was in the Unix Director.

NOTE: Security Monitor is the alarm viewer utility inside of VMS (Cisco Works VPN and Security Management Solution)

An enhancement request has been made for adding this to Security Monitor. It would result in a "show ip log" or similar menu option which would automatically download the associated IP Log file and either start ethereal (user may need to have separately loaded ethereal), or decode with an ascii representation.

Until then you will need to correlate the source address and time of the alarm with the iplog files.

Copy the IP Log files off the sensor yourself and open them with ethereal.
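As an added example, not part of marcabal's reply: a small Python reader for the libpcap format the iplog files use, which lists the timestamp, source and destination of each IPv4 packet and keeps only the packets that match an alarm's source address and time window, i.e. the correlation step described above. The packet contents and timestamps are constructed sample data, and the script assumes Ethernet-framed IPv4 inside the classic 24-byte libpcap header (not pcapng).

```python
import struct
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
# libpcap magic as written on disk by little- and big-endian writers (microsecond stamps)
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def parse_pcap(data):
    """Walk a libpcap byte string and return (utc_time, src_ip, dst_ip) per IPv4 packet."""
    endian = PCAP_MAGIC.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap file (bad magic)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]  # last global-header field
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled in this example")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # too short for Ethernet + IPv4, or not an IPv4 frame
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        records.append((when, src, dst))
    return records

def match_alarm(records, address, start, end):
    """Keep packets that involve the alarm's source address and fall inside the alarm window."""
    return [r for r in records if address in (r[1], r[2]) and start <= r[0] <= end]

def ipv4_frame(src, dst):
    """Minimal Ethernet + IPv4 header with no payload (constructed sample data only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip

def build_sample_pcap():
    """Constructed three-packet libpcap file standing in for a sensor iplog file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, src, dst in [(1040000000, "10.1.1.5", "192.0.2.10"),
                         (1040000001, "192.0.2.10", "10.1.1.5"),
                         (1040000900, "172.16.0.1", "192.0.2.20")]:
        frame = ipv4_frame(src, dst)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out
```

On a real sensor you would read the numbered file from /usr/cids/idsRoot/var/iplogs instead of build_sample_pcap() and pass the alarm's source address and time range to match_alarm().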

What a major pain in the butt that will be for our operators. I sure hope they put that change in soon, or we will probably just can iplogging. Does Cisco expect all of the operators to be administrators too? If so, why did they give us 7 different levels of permissions? Why not make one level of permission - Everything/God. Sorry to be so cynical, but I've been scratching my head over functions like this one for months now, and I haven't seen much progress, just the same ol' problems. Bummer.
