Configuring Event Logging (IDS version 3.1)
Depending on what the sensor has been configured to watch, it can generate
audit event logs locally on the sensor from syslog data streams, network data
streams, or both. Follow these steps, and examine Figure 5.17, to see how events
are logged:
1. In the IDS Device Manager main window, select Configuration | Logging |
   Event Logging.
2. The Event Logging panel appears. Select the Enable check box. Once event
   logging has been enabled, the only two options that can be set are the
   Level and Type options.
3. Select the severity level of the signature from the Level list box:
   - Information: Attacks categorized as not relevant to security. These
     attacks are shown in the IDS Event Viewer with a blue icon.
   - Low: Mildly severe attack. These attacks are shown in the IDS Event
     Viewer with a yellow icon.
   - Medium: Moderately severe attack. These attacks are shown in the IDS
     Event Viewer with an orange icon.
   - High: Highly severe attack. These attacks are shown in the IDS Event
     Viewer with a red icon.
4. To specify the types of events you want to log, select one or more of the
   Type check boxes:
   - Alarms
   - Errors
   - Cmd Logs
   - IP Logs
5. Click OK.
If alarm events are selected to be logged, then all alarms for enabled
signatures whose severity level is greater than or equal to the level selected
in the Event Logging panel are logged to the file
/usr/nr/var/log/log.timestamp. If IP logs are desired as well, the severity
level must be set to Information. IP logs are stored in a binary format in the
/usr/ne/nr/iplog/iplog.address.timestamp files.
Note: Cmd Logs, Errors, and Alarms are also written to the event logs.
To view the event log files, select Monitoring | Logs in the IDM browser window.
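The rules above (severity threshold for alarms, IP logs only at the Information level, the two log file locations) are easy to misjudge when choosing a Level. The following is an added example, not Cisco's code, that models the panel's filtering so you can predict what a given configuration writes to disk; the class and function names are assumptions, and the sample events are constructed.

```python
# Added example (not from the IDS documentation): a model of the IDS 3.1
# Event Logging panel's filtering rules, to predict which events a given
# configuration writes to disk. Names and sample events are assumptions.
from dataclasses import dataclass

# Severity levels in ascending order, as listed in the Level list box.
LEVELS = ["Information", "Low", "Medium", "High"]
# The Type check boxes on the panel.
TYPES = frozenset({"Alarms", "Errors", "Cmd Logs", "IP Logs"})

# File locations as given in the text; "timestamp" and "address" stand in
# for the values the sensor fills in at run time.
EVENT_LOG = "/usr/nr/var/log/log.timestamp"
IPLOG_DIR = "/usr/ne/nr/iplog"


@dataclass(frozen=True)
class EventLoggingConfig:
    enabled: bool
    level: str            # minimum severity, one of LEVELS
    types: frozenset      # selected Type check boxes, subset of TYPES


@dataclass(frozen=True)
class SensorEvent:
    kind: str             # one of TYPES
    severity: str         # one of LEVELS (meaningful for Alarms)
    address: str = ""     # address used in the IP log file name


def log_destination(cfg: EventLoggingConfig, event: SensorEvent):
    """Return the file the event is written to, or None if it is not logged."""
    if event.kind not in TYPES or event.severity not in LEVELS:
        raise ValueError(f"unknown event kind/severity: {event}")
    if not cfg.enabled or event.kind not in cfg.types:
        return None
    if event.kind == "IP Logs":
        # IP logs are only produced when the Level is Information.
        if cfg.level != "Information":
            return None
        return f"{IPLOG_DIR}/iplog.{event.address}.timestamp"
    if event.kind == "Alarms":
        # Alarms must meet or exceed the selected Level.
        if LEVELS.index(event.severity) < LEVELS.index(cfg.level):
            return None
    # Alarms, Errors and Cmd Logs all go to the event log file.
    return EVENT_LOG
```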