Location of iplog Files on IPS Devices

Greetings fellow humans. I am implementing about 250 IPSs in a WAN environment and I am attempting to find a creative way to grab iplog files from a sensor given the Event ID; I will try to build this function in an Intranet web application that the SOC can log into and request log files from a central location for investigations.

The SOC receives alerts via ArcSight, which will give me the Event ID; I will first need to write a function to correlate the Event ID with the Log ID. Once I have the Log ID, then I just need to know the location of the log file, which I assume can be found with the Service account.

My question is, does anyone know where the log files are stored in the sensor?

For extra credit, does anyone have any ideas for correlating the Event and Log ID with a script?

Example Alert:

sh events past 0:10:00 | i id=5474

evIdsAlert: eventId=1288899530090812434 severity=low vendor=Cisco
  originator:
    hostId: <removed>
    appName: sensorApp
    appInstanceId: 657
  time: 2011/07/12 18:26:04 2011/07/12 18:26:04 UTC
  signature: description=SQL Query in HTTP Request id=5474 created=20050412 type=vulnerability version=S368
    subsigId: 0
    sigDetails: SELECT...FROM
    marsCategory: Penetrate/SQLInjection
  interfaceGroup: vs0
  vlan: 91
  participants:
    attacker:
      addr: locality=any x.x.87.135
      port: 4566
    target:
      addr: locality=CBP-PROXY x.x.225.15
      port: 80
      os: idSource=learned relevance=relevant type=linux
  actions:
    logPacketsActivated: true
    logPairPacketsActivated: true
  context:
    fromAttacker:

Example Log File:

Log ID:             1701811440
IP Address 1:       x.x.225.15
IP Address 2:       x.x.87.135
Virtual Sensor:     vs0
Status:             completed
Event ID:           1288899530090812434
Start Time:         2011/07/12 18:26:02 2011/07/12 18:26:02 UTC
End Time:           2011/07/12 18:26:04 2011/07/12 18:26:04 UTC
Bytes Captured:     2198
Packets Captured:   7

Thanks for the feedback!

Jonathan
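For the "extra credit" part of the question above, here is an added example (editor's code, not from the original post or from Cisco) of how a script can correlate the Event ID with the Log ID using only the two text formats the post already shows: the `evIdsAlert` block from `sh events` and the key/value iplog status listing. It parses both, indexes the iplog records by their `Event ID` field, and returns only logs whose `Status` is `completed`, since a log that is still capturing is not yet worth fetching. It also validates the Event ID before it is used anywhere, which matters once the value arrives from a web form rather than from the sensor. The sample texts are constructed from the post, with RFC 5737 documentation addresses in place of the anonymised `x.x.*` ones; how the status listing is pulled from the sensor is outside this example.

```python
"""Correlate Cisco IPS 'sh events' alerts with iplog status records by Event ID (added example)."""
import re

# Constructed sample: the evIdsAlert from the post, trimmed to the fields we use.
ALERT_TEXT = """\
evIdsAlert: eventId=1288899530090812434 severity=low vendor=Cisco
  signature: description=SQL Query in HTTP Request id=5474 created=20050412 type=vulnerability version=S368
    subsigId: 0
  participants:
    attacker:
      addr: locality=any 192.0.2.135
      port: 4566
    target:
      addr: locality=CBP-PROXY 198.51.100.15
      port: 80
  actions:
    logPacketsActivated: true
"""

# Constructed sample: two iplog records in the post's layout; the second is still capturing.
IPLOG_TEXT = """\
Log ID:             1701811440
IP Address 1:       198.51.100.15
IP Address 2:       192.0.2.135
Virtual Sensor:     vs0
Status:             completed
Event ID:           1288899530090812434
Start Time:         2011/07/12 18:26:02 2011/07/12 18:26:02 UTC
End Time:           2011/07/12 18:26:04 2011/07/12 18:26:04 UTC
Bytes Captured:     2198
Packets Captured:   7
Log ID:             1701811441
Virtual Sensor:     vs0
Status:             started
Event ID:           1288899530090812435
"""

ALERT_HEADER = re.compile(r"^evIdsAlert:\s+eventId=(\d+)\s+severity=(\S+)")
SIG_ID = re.compile(r"^\s*signature:.*\bid=(\d+)")
ADDR = re.compile(r"^\s*addr:\s+(?:locality=\S+\s+)?(\S+)")
FIELD = re.compile(r"^([A-Za-z0-9 ]+?):\s+(.*?)\s*$")   # 'Key:   value' lines
EVENT_ID = re.compile(r"^\d{1,20}$")                   # shape of an eventId in evIdsAlert


def parse_alerts(text):
    """Return one dict per evIdsAlert block: eventId, severity, sigId, attacker, target."""
    alerts, cur, role = [], None, None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:                                    # a new alert block starts here
            cur = {"eventId": m.group(1), "severity": m.group(2),
                   "sigId": None, "attacker": None, "target": None}
            alerts.append(cur)
            role = None
            continue
        if cur is None:
            continue
        m = SIG_ID.match(line)
        if m:
            cur["sigId"] = int(m.group(1))
            continue
        if line.strip() in ("attacker:", "target:"):
            role = line.strip()[:-1]             # next addr: line belongs to this participant
            continue
        m = ADDR.match(line)
        if m and role:
            cur[role] = m.group(1)
            role = None
    return alerts


def parse_iplogs(text):
    """Split a 'Key: value' listing into one dict per record; a 'Log ID' line opens a record."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Log ID":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records


def is_valid_event_id(value):
    """Reject anything that does not look like an eventId before it reaches a sensor command."""
    return bool(EVENT_ID.match(value))


def logs_for_event(event_id, iplogs, only_completed=True):
    """Log IDs whose Event ID matches; by default skip logs that are still capturing."""
    if not is_valid_event_id(event_id):
        raise ValueError("malformed Event ID: %r" % event_id)
    return [r["Log ID"] for r in iplogs
            if r.get("Event ID") == event_id
            and (not only_completed or r.get("Status") == "completed")]


def correlate(alerts, iplogs):
    """eventId -> completed Log IDs, for every alert in a 'sh events' dump."""
    return {a["eventId"]: logs_for_event(a["eventId"], iplogs) for a in alerts}
```

Running `correlate(parse_alerts(ALERT_TEXT), parse_iplogs(IPLOG_TEXT))` on the samples maps the alert's Event ID to `["1701811440"]` and nothing else; the second record is excluded until its status is `completed`. In the web application, apply `is_valid_event_id` to the value taken from the ArcSight alert or the form field before it is interpolated into any command sent to a sensor, and fetch a log only once a record for it reports `completed`.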
