Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

iplogs

How are iplogs viewed? If I go to the sensor and look at the iplogs file I cant make heads or tails of it. Is there some documentation somewhere that explains anything about iplogging?

I made a test string and enabled ip logging on it. I let it run a few days and had multiple hits. I went to the /usr/cids/idsRoot/var/iplogs directory and saw a lot of equal sized files all labelled with a number. Im not sure how to view these files, they seem to be binary or something.

Any help would be appreciated.

4 REPLIES
Cisco Employee

Re: iplogs

The iplog files are binary files. They contain the actual binary packets to and from the source address of the alarm that triggered the iplog action.

The binary packets are written in a common format most commonly referred to as libpcap format, and have also been referred to as tcpdump files.

The libpcap format files can be read by most sniffer programs. Tcpdump, tcpreplay, and ethereal are some of the most common freeware programs that people use for viewing libpcap formatted files.

If you don't already have a commercial sniffer program that can view libpcap formatted files then I generally recommend using ethereal.

Ethereal can be downloaded for free from www.ethereal.com.

New Member

Re: iplogs

Is there no gui CiscoWorks uses to view iplogs?

On the Netranger systems you could just go to a menu item "show ip logging", and it would open it up for you using ethereal or whatever program you wanted to use. It also correlated the iplogs so you could see ip addresses. To see iplogs what you are saying is that I have to go to the sensor and correlate some randomly numbered file with another file? The index or directory?

Cisco Employee

Re: iplogs

The latest released versions of Security Monitor does not support the "show ip log" menu option that was in the Unix Director.

NOTE: Security Monitor is the alarm viewer utility inside of VMS (Cisco Works VPN and Security Management Solution)

An enhancement request has been made for adding this to Security Monitor. It would result in a "show ip log" or similar menu option which would automatically download the associated IP Log file and either start ethereal (user may need to have separately loaded ethereal), or decode with an ascii representation.

Until then you will need to correlate the source address and time of the alarm with the iplog files.

Copy the IP Log file off the sensor yourself and open them with ethereal.

New Member

Re: iplogs

What a major pain in the butt that will be for our operators. I sure hope they put that change in soon, or we will probably just can iplogging. Does Cisco expect all of the operators to be administrators too? If so why did they give us 7 different levels of permissions? Why not make one level permission - Everything/God. Sorry to be so cynical but Ive been scratching my head over functions like this one for months now, and I havent seen musch progress, just the same ol problems. Bummer.

102
Views
0
Helpful
4
Replies
CreatePlease login to create content