Viewing a Log file on a sensor

crossmanj
Level 1

I'm sorry but I can't find a reference for what viewer is necessary to make sense of the log files that are created on the sensor in response to a detect.

Any suggestions?

3 Replies

marcabal
Cisco Employee

As user netrangr you can cd to the /usr/nr/var/new directory to look at recent log files. You can use the more command or vi to open the log files.

The files are comma delimited format which is explained in the 2.2.1 User's Guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/dirdmp.htm#xtocid155124

My best recommendation, however, is to use CSPM's Event Viewer. When the Event Viewer is opened you have the option of either pulling the events from the CSPM database or looking at the events from a log file. What you can do is set up the CSPM box as an FTP Server, then use the sensor's ability to FTP the log files to the CSPM box. Then you can open these log files using the Event Viewer.

My apologies for asking my question in such a general fashion.

My question is what tool should I use to view the captured packets that are generated under the LOG action? I'd like access to the data in the TCP headers, plus be able to more accurately determine the responses of our servers.

My first attempts with UNIX file tools led me to believe the packets are in either a raw format or in the format of some packet analysis software.

The captured packet Log files are generally referred to as IPLOG files to help differentiate between the 2 log file types.

Version 2.5(1)S3 and earlier versions of the sensors produce IPLOG files in a proprietary format. The transcript tool on the Unix Director can read this format and display the data of the packets in an ASCII format. This tool is automatically run when Security->Show->IP Logs is selected in the openview window.

However, the proprietary format can also be read by ethereal. The tool allows you to read the header portion of that packets as well as the data. Later versions of ethereal have been modified to read our proprietary format. NOTE: In our format certain fields such as mac addresses have been removed.

Beginning in 3.0 we will no longer be using our proprietary format; instead, we will be going to the standard tcpdump format, and almost any tool able to read the tcpdump format will be able to read the IPLOG files in 3.0.

The ethereal program can be downloaded from www.ethereal.com.

NOTE: ethereal will have to be loaded on your CSPM or Unix Director boxes, or your personal desktop. Do not load ethereal on the sensor itself. You will need to ftp the IPLOGs off of the sensor to your other box for viewing.

The Unix Director is being upgraded and in its next release will be able to pull these IPLOGs for you to the Unix Director box.
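Since the reply above says that from 3.0 onward the IPLOG files are plain tcpdump (libpcap) format, the following is an added example, not code from this thread or from Cisco, of how little it takes to get at the TCP headers the original question asked about without a full packet analyser. It decodes the libpcap global header, walks the packet records, and pulls the IPv4 addresses, ports and TCP flags out of each packet, then classifies how each server port answered (SYN/ACK versus RST). The sample capture is constructed in the script itself so it runs offline; it assumes an Ethernet (link type 1) or raw IPv4 (link type 101) capture, which are assumptions about the file and not something the thread states.

```python
"""Minimal tcpdump/libpcap reader for inspecting TCP headers in a capture.

Added example; not part of the forum thread. Assumes the capture uses
link type 1 (Ethernet) or 101 (raw IPv4). Checksums are not verified.
"""
import ipaddress
import struct
from typing import Dict, List

LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101
TCP_FLAG_NAMES = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def flag_names(bits: int) -> str:
    """Render the TCP flags byte as e.g. 'SYN/ACK'."""
    return "/".join(name for name, mask in TCP_FLAG_NAMES if bits & mask) or "none"


def parse_pcap(data: bytes) -> List[Dict]:
    """Decode a libpcap file held in memory and return one dict per TCP packet."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    # The magic number tells us the byte order the writer used.
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a tcpdump/libpcap file (bad magic number)")
    _magic, _vmaj, _vmin, _zone, _sig, _snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if linktype == LINKTYPE_ETHERNET:
        l2len = 14
    elif linktype == LINKTYPE_RAW:
        l2len = 0
    else:
        raise ValueError(f"unsupported link type {linktype}")

    packets, offset = [], 24
    while offset + 16 <= len(data):
        # Per-record header: ts_sec, ts_usec, captured length, original length.
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        if linktype == LINKTYPE_ETHERNET and frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[l2len:]
        if len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 20:
            continue  # not TCP, or header cut off by the snaplen
        tcp = ip[ihl:]
        sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
        flags = tcp[13]
        packets.append({
            "ts": ts_sec + ts_usec / 1e6,
            "src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "flag_names": flag_names(flags),
        })
    return packets


def server_responses(packets: List[Dict]) -> Dict[str, str]:
    """Summarise what each responding host:port said: SYN/ACK = accepted, RST = refused."""
    verdict: Dict[str, str] = {}
    for p in packets:
        key = f"{p['src']}:{p['sport']}"
        if p["flags"] & 0x02 and p["flags"] & 0x10:
            verdict[key] = "accepted connection (SYN/ACK)"
        elif p["flags"] & 0x04:
            verdict[key] = "refused (RST)"
    return verdict


def _tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Build an Ethernet/IPv4/TCP frame (constructed test data, zero checksums)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def _pcap(frames: List[bytes]) -> bytes:
    """Wrap frames in a little-endian libpcap container (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: one probe that a server accepts, one that it refuses.
SAMPLE_PCAP = _pcap([
    _tcp_frame("10.0.0.5", "10.0.0.9", 40000, 80, 0x02),   # client SYN to port 80
    _tcp_frame("10.0.0.9", "10.0.0.5", 80, 40000, 0x12),   # server SYN/ACK
    _tcp_frame("10.0.0.5", "10.0.0.9", 40001, 23, 0x02),   # client SYN to port 23
    _tcp_frame("10.0.0.9", "10.0.0.5", 23, 40001, 0x14),   # server RST/ACK
])

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    for p in pkts:
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} [{p['flag_names']}]")
    print(server_responses(pkts))
```

To use it on a real IPLOG pulled off the sensor by FTP, replace `SAMPLE_PCAP` with `open(path, "rb").read()`; a file in the older proprietary format will fail the magic-number check rather than produce garbage.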
