Cisco Support Community

New Member

Viewing a Log file on a sensor

I'm sorry but I can't find a reference for what viewer is necessary to make sense of the log files that are created on the sensor in response to a detect.

Any suggestions?

  • Other Security Subjects
3 REPLIES
Cisco Employee

Re: Viewing a Log file on a sensor

As user netrangr you can cd to the /usr/nr/var/new directory to look at recent log files. You can use the more command or vi to open the log files.

The files are comma delimited format which is explained in the 2.2.1 User's Guide:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids1/csidsug/dirdmp.htm#xtocid155124

My best recommendation, however, is to use CSPM's Event Viewer. When the Event Viewer is opened you have the option of either pulling the events from the CSPM database or looking at the events from a log file. What you can do is set up the CSPM box as an FTP Server then use the sensor's ability to FTP the log files to the CSPM box. Then you can open these log files using the Event Viewer.

New Member

Re: Viewing a Log file on a sensor

My apologies for asking my question in such a general fashion.

My question is what tool should I use to view the captured packets that are generated under the LOG action? I'd like access to the data in the TCP headers, plus be able to more accurately determine the responses of our servers.

My first attempts with UNIX file tools led me to believe the packets are in either a raw format or in the format of some packet analysis software.

Cisco Employee

Re: Viewing a Log file on a sensor

The captured packet Log files are generally referred to as IPLOG files to help differentiate between the 2 log file types.

Version 2.5(1)S3 and earlier versions of the sensors produce IPLOG files in a proprietary format. The transcript tool on the Unix Director can read this format and display the data of the packets in an ASCII format. This tool is automatically run when Security->Show->IP Logs is selected in the openview window.

However, the proprietary format can also be read by ethereal. The tool allows you to read the header portion of the packets as well as the data. Later versions of ethereal have been modified to read our proprietary format. NOTE: In our format certain fields such as mac addresses have been removed.

Beginning in 3.0 we will no longer be using our proprietary format, instead we will be going to the standard tcpdump format and almost any tool able to read the tcpdump format will be able to read the IPLOG files in 3.0.

The ethereal program can be downloaded from www.ethereal.com.

NOTE: ethereal will have to be loaded on your CSPM or Unix Director boxes, or your personal desktop. Do not load ethereal on the sensor itself. You will need to ftp the IPLOGs off of the sensor to your other box for viewing.

The Unix Director is being upgraded and in its next release will be able to pull these IPLOGs for you to the Unix Director box.
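The reply above says that from 3.0 onward the IPLOG files are written in the standard tcpdump (libpcap) format, which is exactly what lets any pcap-aware tool read them. The following is an added example, not Cisco's transcript tool or ethereal, showing what "reading the tcpdump format" involves: walking the 24-byte global header and 16-byte per-record headers, then decoding the Ethernet, IPv4 and TCP headers so an analyst can see ports, flags and the server's responses, which is what the original poster asked for. It assumes Ethernet link-type captures, does not validate checksums, and builds its own small sample capture in build_sample_pcap() (constructed traffic, not a real IPLOG) so it runs offline.

```python
"""Reader for libpcap ("tcpdump format") captures with IPv4/TCP header decoding.

Added example, not Cisco tooling. Assumptions: link type 1 (Ethernet), no checksum
validation. build_sample_pcap() creates a constructed capture so this runs offline.
"""
import ipaddress
import struct
from typing import Any, Dict, List

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic value as read on a little-endian host
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic when the file was written big-endian
LINKTYPE_ETHERNET, ETHERTYPE_IPV4, IPPROTO_TCP = 1, 0x0800, 6
TCP_FLAG_BITS = [(0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"), (0x010, "ACK"),
                 (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"), (0x100, "NS")]
TCP_SYN, TCP_ACK, TCP_RST = 0x02, 0x10, 0x04


def flag_names(flags: int) -> List[str]:
    """Expand the 9-bit TCP flag field into names, lowest bit first."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_frame(frame: bytes) -> Dict[str, Any]:
    """Decode Ethernet -> IPv4 -> TCP headers from one captured frame."""
    if len(frame) < 14:
        return {"proto": "short-frame"}
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, Any] = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        info["proto"] = "non-ipv4"
        return info
    ip = frame[14:]
    if len(ip) < 20:
        info["proto"] = "short-ip"
        return info
    ihl = (ip[0] & 0x0F) * 4                      # IP header length incl. options
    total_len = struct.unpack("!H", ip[2:4])[0]
    info.update(src_ip=str(ipaddress.IPv4Address(ip[12:16])),
                dst_ip=str(ipaddress.IPv4Address(ip[16:20])))
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        info["proto"] = f"ip-proto-{ip[9]}"
        return info
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", ip[ihl:ihl + 16])
    data_offset = (off_flags >> 12) * 4          # TCP header length incl. options
    info.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack, window=window,
                flags=flag_names(off_flags & 0x1FF), payload=ip[ihl + data_offset:total_len])
    return info


def parse_pcap(data: bytes) -> List[Dict[str, Any]]:
    """Walk the global header and per-record headers of a libpcap file."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic number)")
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; this reader handles Ethernet only")
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or off + incl_len > len(data):
            raise ValueError(f"corrupt or truncated record at offset {off - 16}")
        rec = {"ts": ts_sec + ts_usec / 1e6, "truncated": incl_len < orig_len}
        rec.update(parse_frame(data[off:off + incl_len]))
        records.append(rec)
        off += incl_len
    return records


def summarize(records: List[Dict[str, Any]]) -> List[str]:
    """One line per TCP segment: the quick view an analyst wants from an IPLOG."""
    return [f"{r['src_ip']}:{r['sport']} -> {r['dst_ip']}:{r['dport']} [{'/'.join(r['flags'])}]"
            for r in records if r.get("proto") == "tcp"]


def responses_from(records: List[Dict[str, Any]], server_ip: str) -> List[List[str]]:
    """Flags of every segment a given host sent, to judge how the server answered."""
    return [r["flags"] for r in records if r.get("proto") == "tcp" and r["src_ip"] == server_ip]


# --- constructed sample capture (hypothetical hosts, not real traffic) ---------
def _tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    # data offset 5 (no options); checksum and urgent pointer left at 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload

def _ipv4_packet(src, dst, segment):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0, 64, IPPROTO_TCP, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + segment

def _frame(packet):  # dst MAC, src MAC, EtherType
    return b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4) + packet

def build_sample_pcap() -> bytes:
    """A client SYN, the server's SYN/ACK and a client RST, written little-endian."""
    frames = [
        _frame(_ipv4_packet("10.0.0.5", "10.0.0.10", _tcp_segment(40000, 80, 1000, 0, TCP_SYN))),
        _frame(_ipv4_packet("10.0.0.10", "10.0.0.5", _tcp_segment(80, 40000, 5000, 1001, TCP_SYN | TCP_ACK))),
        _frame(_ipv4_packet("10.0.0.5", "10.0.0.10", _tcp_segment(40000, 80, 1001, 5001, TCP_RST, b"x"))),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000_000, i * 250, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for line in summarize(parse_pcap(build_sample_pcap())):
        print(line)
```

To use it on a real 3.0-format IPLOG, FTP the file off the sensor as the reply describes and pass `open(path, "rb").read()` to `parse_pcap`; the reader rejects files with a bad magic number or a non-Ethernet link type rather than silently misparsing them, and flags records whose `incl_len` is smaller than `orig_len` as truncated so a cut-off capture is not mistaken for a short packet.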
