Developing a Log Storage Strategy
This topic summarizes IDP log storage and log forwarding options so you can develop a log storage strategy suitable for your business. It includes the following sections:
- Log Management Considerations
- Local Log Files and Directories
- NSM Log Collection
Log Management Considerations
An IDP device might generate hundreds of logs per day. Your log storage strategy depends on a number of factors:
- The nature of your business. Compliance with regulations or business agreements might determine where you collect logs and how long you retain them.
- Existing log management infrastructure. We recommend you become familiar with and use Network and Security Manager (NSM) as a central location for log analysis, but your previous investments in technology and training are also strong considerations.
- Who needs the logs. Distribution to the appropriate personnel for analysis is also a key consideration.
If your organization has not formalized a log management policy, consult the National Institute of Standards and Technology (NIST) publication, Guide to Computer Security Log Management, for a treatment of the myriad considerations.
Local Log Files and Directories
Logs are stored locally on the device in subdirectories of /usr/idp/device/var. Log pruning occurs automatically when a disk partition reaches 90% capacity, so rely on forwarding (or on your own archiving) rather than on local storage to meet retention requirements.
Table 1: IDP Local Log Directories

| Directory | Content |
|---|---|
| /usr/idp/device/var/logs | Local storage for device and security event logs before they are forwarded to NSM. |
| /usr/idp/device/var/pktlogs | Local storage for packet capture logs before they are forwarded to NSM. |
| /usr/idp/device/var/profile | Local storage for Profiler database logs before they are forwarded to NSM. |
| /usr/idp/device/var/sysinfo/logs | Location where system messages are written. |
| /usr/idp/device/var/stat/ | Local storage for application volume tracking logs before they are forwarded to NSM, IDP Reporter, or Application Usage Manager. |

Note: Although /usr/idp/device/var is a symbolic link to /var/idp/device/var, user scripts or programs created to manage files should reference the /usr/idp/device/var path.
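The following script is an added example and is not part of the Juniper documentation or the IDP product. It shows the kind of file-management script the note above refers to: it checks how full the partition holding /usr/idp/device/var is and, before the device's own 90% pruning kicks in, archives the forwarded-log subdirectories from Table 1 off-box, deleting local copies only after the archive succeeds. The 80% trigger, the ARCHIVE_DIR location, the one-day age cutoff and the reliance on standard df, tar and find are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not Juniper IDP tooling. Archives IDP local log directories
# off-box before the device prunes them at 90% partition usage.
# Assumptions: THRESHOLD (80%), ARCHIVE_DIR and the +1 day cutoff are
# illustrative; df -P, tar and find are the standard POSIX utilities.
set -u

IDP_VAR=/usr/idp/device/var          # reference this path, not the /var/idp target
THRESHOLD=${THRESHOLD:-80}           # act before the device's own 90% pruning
ARCHIVE_DIR=${ARCHIVE_DIR:-/mnt/logarchive}

# parse_pct: read POSIX 'df -P' output on stdin and print the Capacity column
# of the first data row as a bare integer (for example "90%" -> 90).
parse_pct() {
    awk 'NR == 2 { sub(/%/, "", $5); print $5; exit }'
}

# usage_pct DIR: percent used on the filesystem that holds DIR.
usage_pct() {
    df -P "$1" | parse_pct
}

# above_threshold PCT LIMIT: succeeds (exit 0) when PCT >= LIMIT.
above_threshold() {
    [ "$1" -ge "$2" ]
}

# archive_subdir NAME: tar $IDP_VAR/NAME into ARCHIVE_DIR with a timestamp,
# then remove local files older than one day. Nothing is deleted if the tar
# step fails, so a full or unreachable archive target never loses logs.
archive_subdir() {
    name=$1
    src="$IDP_VAR/$name"
    stamp=$(date +%Y%m%d-%H%M%S)
    out="$ARCHIVE_DIR/idp-$name-$stamp.tar.gz"
    [ -d "$src" ] || return 0
    if tar -czf "$out" -C "$IDP_VAR" "$name"; then
        find "$src" -type f -mtime +1 -exec rm -f {} +
    else
        echo "archive of $src failed; local files kept" >&2
        return 1
    fi
}

# main: archive the subdirectories that would otherwise be pruned once the
# partition crosses THRESHOLD. sysinfo/logs (system messages) is left alone.
main() {
    pct=$(usage_pct "$IDP_VAR")
    if above_threshold "$pct" "$THRESHOLD"; then
        echo "$IDP_VAR at ${pct}% (limit ${THRESHOLD}%), archiving" >&2
        for d in logs pktlogs profile stat; do
            archive_subdir "$d" || exit 1
        done
    fi
}

# Run only when invoked as './idp-archive.sh run', so the functions can also
# be sourced and exercised on their own.
if [ "${1:-}" = run ]; then
    main
fi
```

Schedule it from cron more often than the partition can fill, and keep the 80% trigger well below the device's 90% pruning point so an archive run that takes a few minutes still completes before the device starts deleting files.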
By default, logs are forwarded to NSM, which is the primary user interface for the IDP device.
Optionally, you can configure the IDP device to send copies of logs to external devices, such as:
- A syslog server, including a Juniper Networks Security Threat Response Manager (STRM) device, which reads the IDP syslog format.
- A Juniper Networks Secure Access Series or Infranet Controller Series device to inform access policies.
Figure 1 provides a visual summary of your log forwarding options. The solid line indicates default behavior. The dashed lines indicate options that you must configure explicitly before they take effect.
Figure 1: IDP Log Storage and Log Forwarding

NSM Log Collection
By default, the IDP device sends logs to NSM, where they can be displayed and analyzed with the NSM user interface. We recommend you become familiar with and use NSM as a central location for log analysis. Logs are stored on the NSM Device Server in subdirectories of /usr/netscreen/DevSvr/var/logs. NSM supports the following log management features:
- Command-line utilities to archive, copy, and purge logs.
- Configurable time retention policies that trigger pruning.
- Automated log management jobs based on criteria you configure, including severity, category, and so forth.
- Support for log field filters in export operations to XML, CSV, syslog, SNMP, e-mail, or script.
For complete information on NSM log management features, see Chapter 18 of the NSM Administration Guide.