One of our IPS (4260) is showing Application-log 96%. I just need to know where these logs are saved and how to back up these logs.
Also I want to know where the event logs are saved and whether there is a way to back up these logs as well.
I'd appreciate it if someone can advise me on the above, please.
These are maintained by the IPS device itself in a circular buffer on a RAM disk partition.
Once the event partition is full, it will start to overwrite the oldest events.
You can use a tool which supports SDEE subscription and retrieve the events regularly from the device.
Thanks for your time and response to this post. I still need some clarification on this and would appreciate it if you can advise or provide any URLs/documents:
- Is there any possibility to delete those files, and how?
- If we have SDEE support tools, how can we configure them to back up those logs to a server?
- If the sensor is rebooted, will the above logs be deleted?
- I have seen that the IPS signature has an option to send syslog traps, but the general acceptance is that IPS events don't support syslog traps. In that case I'm wondering why there is a syslog option in the signature?
I'd appreciate it if you can clarify the above, please.
Thanks in advance.
There is no way to delete those files, and no benefit in doing so, since it is a permanent circular buffer.
Regarding SDEE, it is enabled by default. IME can be configured to retrieve all the events.
The option under signature action is for SNMP traps.
For exporting system logs to syslog server:
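As an added example, not code from this thread or from Cisco, here is a small Python archiver for the SDEE approach suggested above: it parses a constructed sample of the alert document a sensor returns and appends the alerts to a JSON-lines file with de-duplication, so repeated polls build a backup that the sensor's circular buffer cannot overwrite. The element names and the namespace are assumptions from memory of SDEE, and fetching the XML (an HTTPS request to the sensor's SDEE endpoint) is left to the caller.

```python
"""Archive Cisco IPS alerts pulled over SDEE so they outlive the sensor's
circular event buffer. Added example, not from this thread; the SDEE element
layout is assumed from memory, so check it against your own sensor's output."""
import json
import os
import xml.etree.ElementTree as ET

NS = {"sd": "http://example.com/2003/08/sdee"}  # assumed SDEE namespace

# Constructed sample of an SDEE 'get' response carrying two alerts.
SAMPLE_XML = """<sd:events xmlns:sd="http://example.com/2003/08/sdee">
  <sd:evIdsAlert eventId="1000000001" severity="high">
    <sd:signature id="2004" description="ICMP Echo Request"/>
    <sd:participants><sd:attacker><sd:addr>192.0.2.10</sd:addr></sd:attacker>
      <sd:target><sd:addr>198.51.100.5</sd:addr></sd:target></sd:participants>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1000000002" severity="low">
    <sd:signature id="3002" description="TCP SYN Port Sweep"/>
    <sd:participants><sd:attacker><sd:addr>192.0.2.22</sd:addr></sd:attacker>
      <sd:target><sd:addr>198.51.100.9</sd:addr></sd:target></sd:participants>
  </sd:evIdsAlert>
</sd:events>"""

def parse_alerts(xml_text):
    # Flatten every evIdsAlert in an SDEE response into a plain dict.
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.findall("sd:evIdsAlert", NS):
        sig = ev.find("sd:signature", NS)
        attrs = sig.attrib if sig is not None else {}
        alerts.append({
            "eventId": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sigId": attrs.get("id", ""),
            "sigName": attrs.get("description", ""),
            "attacker": ev.findtext("sd:participants/sd:attacker/sd:addr", "", NS),
            "target": ev.findtext("sd:participants/sd:target/sd:addr", "", NS),
        })
    return alerts

def archive_alerts(alerts, path):
    """Append alerts to a JSON-lines file, skipping eventIds already stored
    (overlapping polls are harmless). Returns the number of new records."""
    seen = set()
    if os.path.exists(path):
        with open(path) as fh:
            seen = {json.loads(line)["eventId"] for line in fh if line.strip()}
    new = [a for a in alerts if a["eventId"] not in seen]
    with open(path, "a") as fh:
        fh.writelines(json.dumps(a, sort_keys=True) + "\n" for a in new)
    return len(new)
```

Run it from cron against each sensor and ship the resulting file to your log server; the eventId check means a poll that re-reads the tail of the buffer does not duplicate records.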
I have the same requirement of IPS logging to syslog, but on a 4215 running 6.0.6 E4. How do I get to the link you supplied?
Here are the manual steps:
- Log in with the service account
- Use the command "/sbin/syslogd -m 0 -R"
- or add this in /etc/inittab:
null::sysinit:/sbin/syslogd -m 0 -R
Will this send Status and Error events also, or only the IPS Alert events configured with the "send to syslog" option on the signature?