New Member

Transferring event log files to an ftp server

I am running CSPM 2.3.3i on a Windows NT 4.0 server. I have two IDSM line cards in 6509 Catalyst switches running 3.0(4)S20 IDSM. Is there a way I can copy all the events from the IDSM line cards to an ftp server? If so, what is the command?

3 REPLIES
Cisco Employee

Re: Transferring event log files to an ftp server

The instructions from this link will configure the sensor to ftp closed event log files (that have not yet been archived) to the destination you specify. Additionally, after each event log file is closed, it will be ftp'ed to the same destination, then it will be archived.

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch03.htm#xtocid2345615

New Member

Re: Transferring event log files to an ftp server

I looked at these instructions and I am still confused. On my 'logging' tab for my sensors all the FTP server information is greyed out.

Cisco Employee

Re: Transferring event log files to an ftp server

Sorry Wade, I forgot that CSPM has the "greyed out" problem when trying to enable/configure IDSMs to ftp their log files to an ftp server. Here are instructions for a workaround to this issue:

CSPM can not configure IDSM to ftp the log files off to an ftp server.

This is a known problem. CSCdv12981 (CSPM 2.3.1i cannot enable ftp of 3.0 IDSM log files)

Here's a workaround (it's not real convenient though):

1. After you've performed an Update in CSPM, open Windows Explorer (on your CSPM machine) and navigate to the following directory:

C:\Program Files\Cisco Systems\Cisco Secure Policy Manager\PostOffice\tmp\sensorca\(sensor name)\etc

2. In this directory, use WordPad to open sapd.conf

3. Add the following lines to sapd.conf after the line that begins with ControlUndo. (Note: In the lines below, replace username with the real username on the ftp server; replace password with the real password for the username; and replace xx.xx.xx.xx with the IP address of the machine where the ftp server resides.)

DBUser2 username

DBPass2 password

DBAux1 ftp

DBAux2 xx.xx.xx.xx

DBAux3 .

FM_Action DBLoad_Telemate_Load loadAction $FileOldest

FM_DirFiles Telemate_Load 1 c:/progra~1/ciscos~1/netran~1/var/new DBLoad_Telemate_Load

4. In the sapd.conf file, change the line that reads:

ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.bat

to

ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.ftp.bat

5. Save the changes to sapd.conf

6. Push, i.e. Approve Now, the configuration to the IDSM sensor.

Note: These changes you just made to sapd.conf will be lost when you perform an Update or Save via CSPM, so you might want to save a copy of the modified sapd.conf somewhere. If you want these changes to be permanent then the same changes above can be made to the sapd.conf template file for the 3.0 IDSM. But if you make the changes in the template file then they will wind up being applied to all 3.0 IDSMs the next time that CSPM updates the IDSMs.
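Because the edits in steps 3 and 4 are lost on every Update or Save, the following added example (not part of the original post and not Cisco code) re-applies them to the text of sapd.conf and is safe to run more than once. The function names are hypothetical, the sample file is constructed, and the only assumption about sapd.conf is the line format shown in the post.

```python
# Added example: idempotently re-apply the sapd.conf FTP workaround from the post.
# ftp_block and apply_ftp_workaround are hypothetical names, not part of CSPM.

def ftp_block(username, password, ftp_host):
    """The lines the post says to add after the ControlUndo line (step 3)."""
    return [
        f"DBUser2 {username}",
        f"DBPass2 {password}",
        "DBAux1 ftp",
        f"DBAux2 {ftp_host}",
        "DBAux3 .",
        "FM_Action DBLoad_Telemate_Load loadAction $FileOldest",
        "FM_DirFiles Telemate_Load 1 c:/progra~1/ciscos~1/netran~1/var/new DBLoad_Telemate_Load",
    ]


def apply_ftp_workaround(conf_text, username, password, ftp_host):
    """Return sapd.conf text with steps 3 and 4 applied exactly once."""
    lines = conf_text.splitlines()
    if not any(l.startswith("ControlUndo") for l in lines):
        raise ValueError("no ControlUndo line found; refusing to guess where to insert")
    inserted = any(l.split()[:1] == ["DBAux1"] for l in lines)  # already patched?
    out = []
    for line in lines:
        # Step 4: switch ControlRun from load_run.bat to load_run.ftp.bat.
        if line.startswith("ControlRun") and line.rstrip().endswith("/load_run.bat"):
            line = line.rstrip()[: -len("load_run.bat")] + "load_run.ftp.bat"
        out.append(line)
        # Step 3: add the FTP lines right after the first ControlUndo line.
        if line.startswith("ControlUndo") and not inserted:
            out.extend(ftp_block(username, password, ftp_host))
            inserted = True
    return "\n".join(out) + "\n"


# Constructed sample; a real sapd.conf has more lines, and the ControlUndo value
# is a placeholder because the post does not show it.
SAMPLE = (
    "ControlRun c:/PROGRA~1/CISCOS~1/NETRAN~1/bin/sap/load_run.bat\n"
    "ControlUndo PLACEHOLDER\n"
)

if __name__ == "__main__":
    print(apply_ftp_workaround(SAMPLE, "username", "password", "xx.xx.xx.xx"), end="")
```

The patched file holds the FTP password in clear text on the DBPass2 line, so any saved copy of it belongs in a directory that only the CSPM administrators can read.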
