About IP Logging - Cisco 4215 - Intrusion Detection Sys Sensor Configuration Manual


Configuring IP Logging
Chapter 8 of the Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 5.0 (78-16527-01)

This chapter describes how to configure IP logging on the sensor. It contains the following sections:

About IP Logging
Configuring Automatic IP Logging
Configuring Manual IP Logging for a Specific IP Address
Stopping Active IP Logs
Copying IP Log Files to Be Viewed

About IP Logging

You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic when the first of the limits you specify is reached.

You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged.

Caution: Turning on IP logging slows down system performance.

Note: You cannot delete or manage IP log files. The no iplog command does not delete IP logs; it only stops more packets from being recorded for that IP log. IP logs are stored in a circular buffer that is never filled because new IP logs overwrite old ones.

You can copy the IP logs from the sensor and have them analyzed by a tool that can read packet files in libpcap format, such as Wireshark or tcpdump.

Note: Each alert references the IP logs that are created because of that alert. If multiple alerts create IP logs for the same IP address, only one IP log is created for all the alerts, and each alert references that same IP log. However, the IP log status output shows only the event ID of the first alert that triggered the IP log.
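As an added example (not from the Cisco guide), the Python below reads a copied IP log as a classic libpcap file and reports the packet count, captured bytes and time span for one host, the same three quantities the logging limits are expressed in. It assumes Ethernet framing, IPv4 and microsecond timestamps; `summarize_iplog`, `build_sample` and the addresses are constructed for illustration.

```python
import socket
import struct

def summarize_iplog(data, host):
    """Packets, captured bytes and time span for one host in a libpcap capture."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"   # file written little-endian
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"   # file written big-endian
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("this example handles Ethernet (linktype 1) only")
    target = socket.inet_aton(host)
    packets, nbytes, first, last = 0, 0, None, None
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break                              # truncated final record
        # Assumed layout, Ethernet II + IPv4: ethertype at 12, source at 26, destination at 30
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        if target not in (frame[26:30], frame[30:34]):
            continue
        ts = ts_sec + ts_usec / 1e6
        first = ts if first is None else first
        last = ts
        packets += 1
        nbytes += incl_len
    seconds = last - first if packets else 0.0
    return {"packets": packets, "bytes": nbytes, "seconds": seconds}

def build_sample():
    """Constructed three-packet capture (not real sensor output)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    flows = [(100, "10.0.0.5", "192.0.2.1"), (101, "10.0.0.9", "192.0.2.1"),
             (130, "192.0.2.1", "10.0.0.5")]
    for ts, src, dst in flows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 30, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + b"x" * 10
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(summarize_iplog(build_sample(), "10.0.0.5"))
```

Comparing these totals with the duration, packet and byte limits set for the log shows which limit ended the capture.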
