Configuring Logging

Logging provides a way to record the events that the IDS sensor sees for later analysis by security personnel, network operations, or event correlation software. This section covers how to configure event logging as well as IP logging, how to export event logs, and how to configure automatic IP logging. Logging changes between IDS software versions 3.1 and 4.0 include the cessation of event logging to files in 4.0: all events are logged to the central database running on the IDS sensor. IP logging does not change between the two software versions.

Configuring Event Logging (IDS version 3.1)

Depending on what the sensor has been configured to watch, it can generate analysis event logs locally on the sensor based on syslog data streams, network data streams, or both. Follow these steps, and examine Figure 5.17, to see how events will be logged:

Figure 5.17: Using the 3.1 IDM to Configure Logging

In the IDS Device Manager main window, select Configuration | Logging | Event Logging.

The Event Logging panel appears. Select the Enable check box. Once event logging has been enabled, the only two options that can be set are the Level and Type options.

Select the severity level of the signature from the Level list box:

Information: Attacks not relevant to security are categorized here. These attacks are shown in the IDS Event Viewer with a blue icon.

Low: Mildly severe attack. These attacks are shown in the IDS Event Viewer with a yellow icon.

Medium: Moderately severe attack. These attacks are shown in the IDS Event Viewer with an orange icon.

High: Highly severe attack. These attacks are shown in the IDS Event Viewer with a red icon.

To specify the types of events you want to log, select one or more of the Type check boxes:

Alarms

Errors

Cmd Logs

IP Logs

Click OK.

If alarm events are selected to be logged, then all alarms for enabled signatures that have severity levels greater than or equal to the level selected in the Event Logging panel are logged to the file /usr/nr/var/log/log.timestamp. If IP logs are desired as well, then the severity level must be set to Information. IP logs are stored in a binary format in the /usr/ne/nr/iplog/iplog.address.timestamp files.

Note: Cmd Logs, Errors, and Alarms are also written to the event logs.

To view the event log files, select Monitoring | Logs in the IDM browser window.

Exporting Event Logs

By default, the IDS sensor logs all events locally on the sensor by both severity and type. A feature of the IDS sensors is that you can export the event logs to an FTP server. This allows you to run detailed analysis using other tools such as Sawmill. Once the logs are exported, you can maintain an archive of events over time, which can help if you need to pull up the logs from several months ago because of legal issues such as hacking attempts. You can configure the export process to use an FTP server to which event logs will be sent at regular intervals.

The following steps illustrate how to configure the export of event logs (also see Figure 5.18):

Figure 5.18: Configuring Exporting Log Files

Select Configuration | Logging | Exporting Event Logs.

The Exporting Event Logs panel appears. Check the box for Export Archived Event Log Files.

Enter the IP address of the FTP server you want to connect to and send the logs to in the Target FTP Server IP Address field.

Note: The following FTP servers support the FTP log export function:

Windows NT 4.0 (Microsoft ftp server ver 3.0)

Sambar FTP Server Ver 5.0 (win32)

Windows 2000 (Microsoft ftp server ver 5.0)

Web-mail Microsoft FTP Service Version 5.0 (win32)

HP-UX (HP-UX qdir-5 B.10.20 A 9000/715)

Serv-U FTP-Server v2.5 for WinSock (win32)

Solaris 2.8

Enter the target directory on the remote FTP server in the Target FTP Directory field. This can be 1 to 128 characters.

Enter the FTP server login name in the FTP Username field. This can be 1 to 16 characters.

Enter the FTP server password associated with the login name in the FTP Password field. This can be from 1 to 8 characters. Click OK.

View the messages.sapd file to verify that the event logs are being exported by selecting Monitoring | Logs | Messages | Sapd. If there is an error, this is where you will see it.

Note: Every time the event log is closed and archived, the logs are FTPed. This occurs once a day by default, or when the logs fill up the 104,876 bytes allocated to them, whichever comes first.

Configuring Automatic IP Logging

You can configure a sensor to generate an IP session log when the sensor detects an attack. All packets to and from the source address of the alarm are logged for a specific period of time when IP logging is configured as a response action for a signature and the signature is triggered. Additionally, you can set the number of minutes that events are logged. The IP log file is in tcpdump format for ease of export into other tools if required. Follow these steps to set the number of minutes of automatic IP logging, and see Figure 5.19 for the screen shot of the IDSM interface:

Figure 5.19: Configuring Automatic IP Logging Using the Cisco IDM

Select Configuration | Logging | Automatic IP Logging in the IDS Device Manager main window.

Enter the number of minutes you want IP logging to be done (from 1 to 60) in the Minutes of IP Logging field. Note that the default is 15. Click OK.

Select Monitoring | Logs | IP Logs | Archived to download the logs.

Configuring IP Logging

One option you have is to configure the sensor to capture all traffic related to the specified hosts. You can use the IP logging option to log all traffic for a list of IP addresses.

Note: You must enable event logging with Information as the severity level and at least IP Logs as the type, because this is an IP logging requirement.

Follow these steps to generate logs for specific IP addresses:

Select Configuration | Logging | IP Logging in the IDS Device Manager window. The IP Logging panel will appear.

To enter IP addresses, click Add.

Enter the source IP address to log in the IP address field.

In the Network Mask field, enter 255.255.255.255 if it is a single IP address, or enter the netmask if it is a network.

Note: By selecting Monitoring | Logs | IP Logs | Archived, the sensor begins logging and thus creates a log file that can be viewed. Logging will continue until the address is removed from the IP Logging list. Be aware that logging slows down the performance of the sensor.

Figure 5.20 shows the panel for configuring IP logging using the IDM for version 3.1.

Figure 5.20: Configuring IP Logging Using the Cisco 3.1 IDM

When you use version 4.x software, the process is a little different, as shown in the following steps and in Figure 5.21:

Figure 5.21: Configuring IP Logging Using the Cisco 4.x IDM

Follow these steps to generate logs for specific IP addresses:

Select Administration | IP Logging in the IDS Device Manager window. The IP Logging panel will appear.

To enter IP addresses, click Add.

Enter the source IP address to log in the IP Address field.

Enter values in the optional Duration, Number of Packets, and Number of Bytes fields.

Generating IP Logs

The sensor can be configured to capture all IP traffic associated with the hosts you specify by IP address. To generate log files for a specific IP address, first log into the CLI using an account with administrator or operator privileges. For each address, you can either specify that the sensor log IP traffic until a specific threshold is reached (using a number of minutes, packets, or bytes), or you can configure the sensor to continue logging IP traffic until you later disable IP logging for that address.

Type the following command to configure the sensor so that it continues logging indefinitely for a specific IP address:

Sensor# iplog <interface group number (0)> <ip address>

The components of this command include:

interface group number: Group ID to begin or end logging on. Only one interface group is supported. Use 0 as the value.

ip address: Only log packets that contain the specified IP address.

Type the following command to configure the sensor to log IP traffic until a specified threshold is reached:

Sensor# iplog <interface group number (0)> <ip address> [duration <minutes>] [packets <numPackets>] [bytes <numBytes>]

The components of this command include:

minutes: The duration the logging should be active, in minutes, from 0 to 60 (the default is 10 minutes).

numPackets: The maximum number of packets to log, from 0 to 4294967295 (the default is 1000 packets).

numBytes: The maximum number of bytes to log, from 0 to 429496295.

Note: You do not have to specify all three parameters; they are optional. If you include more than one parameter, the sensor will continue logging only until the first threshold is reached. For example, if you set the duration to five minutes and the number of packets to 1000, the sensor will stop logging after the 1000th packet is captured, even if only two minutes have elapsed.
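The "first threshold wins" rule above is easy to get wrong when sizing a capture, so here is an added model of it (example code written for this section, not part of the book or of Cisco's sensor software). Packet timestamps and sizes are constructed sample data, and the timestamps are kept in integer milliseconds to avoid floating-point drift.

```python
"""Model of the iplog threshold rule: with several thresholds given, the
sensor stops at whichever is reached first; with none given it runs until
'no iplog'.  Added example; the traffic below is constructed."""
from typing import Iterable, Optional, Tuple

MAX_MINUTES = 60            # 'minutes' range 0-60, per the command reference above
MAX_PACKETS = 4294967295    # 'numPackets' range, per the command reference above


def iplog_stop(packets: Iterable[Tuple[int, int]],
               minutes: Optional[int] = None,
               num_packets: Optional[int] = None,
               num_bytes: Optional[int] = None) -> Tuple[int, Optional[str]]:
    """Return (packets_logged, reason) for one iplog session.

    packets: (milliseconds since the session started, packet length in bytes).
    A threshold of None means the parameter was not given on the command line.
    reason is 'duration', 'packets', 'bytes', or None if no threshold was hit
    (the session would keep running until it is stopped by hand).
    """
    if minutes is not None and not 0 <= minutes <= MAX_MINUTES:
        raise ValueError("minutes must be between 0 and 60")
    if num_packets is not None and not 0 <= num_packets <= MAX_PACKETS:
        raise ValueError("numPackets out of range")
    deadline_ms = None if minutes is None else minutes * 60 * 1000
    logged = 0
    total_bytes = 0
    for ts_ms, length in packets:
        # A packet arriving at or after the deadline is not logged.
        if deadline_ms is not None and ts_ms >= deadline_ms:
            return logged, "duration"
        logged += 1
        total_bytes += length
        # Packet and byte limits are evaluated after each logged packet.
        if num_packets is not None and logged >= num_packets:
            return logged, "packets"
        if num_bytes is not None and total_bytes >= num_bytes:
            return logged, "bytes"
    return logged, None


def sample_session(count: int = 1500, gap_ms: int = 100, size: int = 100):
    """Constructed traffic: 'count' packets, 'gap_ms' apart, 'size' bytes each."""
    return [(i * gap_ms, size) for i in range(count)]
```

With the book's own example (duration 5, packets 1000) the constructed session stops at packet 1000 after about 100 seconds, well inside the five-minute window.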

Based on the parameters you specified, the sensor begins logging. A log ID number will appear. If you later want to stop the logging session, you will need this log ID. When you type the command iplog-status, you will get a short version of the status of the logging, as shown in Figure 5.22:

sensor# iplog-status

IPAddress: 10.1.1.2

Status: In-Progress

Start Time: 10:02:34 8/24/2001

Minutes Remaining: 5 minutes

Packets Captured: 1039438

Packets Remaining: 48 Packets

To stop a specific IP logging session, type:

sensor# no iplog <log ID>

To stop all IP logging, type:

sensor# no iplog