
    Developing a Log Storage Strategy

    This topic summarizes IDP log storage and log forwarding options so you can develop a log storage strategy suitable for your business. It includes the following sections: Log Management Considerations, Local Log Files and Directories, and NSM Log Collection.

    Log Management Considerations

    An IDP Series device might generate hundreds of logs per day. Your log storage strategy depends on a number of factors:

    • The nature of your business. Compliance with regulations or business agreements might determine where you collect logs or how long you retain them.
    • Existing log management infrastructure. We recommend you become familiar with and use Network and Security Manager (NSM) as a central location for log analysis, but your previous investments in technology and training are also strong considerations.
    • Distribution to the appropriate personnel for analysis is also a key consideration.

    If your organization has not formalized a log management policy, consult the National Institute of Standards and Technology (NIST) publication, Guide to Computer Security Log Management (PDF), for a treatment of the myriad considerations.

    Local Log Files and Directories

    Logs are stored locally on the device in subdirectories of /usr/idp/device/var. Log pruning occurs when a disk partition reaches 90% capacity.

    Table 1: IDP Local Log Directories

    Directory                          Content
    ---------                          -------
    /usr/idp/device/var/logs           Local storage for device and security event logs before they are forwarded to NSM.
    /usr/idp/device/var/pktlogs        Local storage for packet capture logs before they are forwarded to NSM.
    /usr/idp/device/var/profile        Local storage for Profiler database logs before they are forwarded to NSM.
    /usr/idp/device/var/sysinfo/logs   Location where system messages are written.
    /usr/idp/device/var/stat/          Local storage for application volume tracking logs before they are forwarded to NSM, IDP Reporter, or Application Usage Manager.

    Note: Although /usr/idp/device/var is a symbolic link to /var/idp/device/var, user scripts or programs created to manage files should reference the /usr/idp/device/var path.
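    The following POSIX shell script is an added example, not part of the Juniper documentation or the IDP software. It walks the directories from Table 1 under the documented /usr/idp/device/var path (never the /var/idp/device/var target of the symbolic link), reports how much space each holds, and compares the partition's usage against the 90% level at which the device begins pruning. The IDP_VAR and WARN_PCT variables, the 80% early-warning threshold, and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: inventory IDP local log directories and warn before the
# device reaches its 90% pruning threshold. IDP_VAR, WARN_PCT and the
# function names below are assumptions of this example, not IDP settings.

IDP_VAR="${IDP_VAR:-/usr/idp/device/var}"   # documented path; do not use /var/idp/device/var
WARN_PCT="${WARN_PCT:-80}"                  # warn here, before pruning starts at 90%

# Subdirectories listed in Table 1 of the IDP documentation.
IDP_LOG_DIRS="logs pktlogs profile sysinfo/logs stat"

# Print one line per log directory under $1: "<dir> <kilobytes>" or "<dir> missing".
idp_dir_usage() {
    base="$1"
    for d in $IDP_LOG_DIRS; do
        if [ -d "$base/$d" ]; then
            kb=$(du -sk "$base/$d" 2>/dev/null | cut -f1)
            printf '%s %s\n' "$d" "$kb"
        else
            printf '%s missing\n' "$d"
        fi
    done
}

# Print the integer percentage used on the filesystem that holds $1
# (empty output if the path does not exist).
idp_partition_pct() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $5 + 0 }'
}

# Exit status: 0 below WARN_PCT, 1 at or above WARN_PCT, 2 at or above the
# 90% pruning threshold, 3 when the path cannot be measured.
idp_check_capacity() {
    pct=$(idp_partition_pct "$1")
    if [ -z "$pct" ]; then
        echo "UNKNOWN: cannot measure $1"
        return 3
    elif [ "$pct" -ge 90 ]; then
        echo "CRITICAL: $1 at ${pct}% - IDP log pruning is active"
        return 2
    elif [ "$pct" -ge "$WARN_PCT" ]; then
        echo "WARNING: $1 at ${pct}% - approaching the 90% pruning threshold"
        return 1
    fi
    echo "OK: $1 at ${pct}%"
    return 0
}

# Run the full report only when invoked as "sh script.sh run".
if [ "${1:-}" = "run" ]; then
    idp_dir_usage "$IDP_VAR"
    idp_check_capacity "$IDP_VAR"
fi
```

Schedule it from cron on the device or, better, feed its output to whatever already monitors the device so that a rising partition triggers a forwarding or archiving check before pruning silently discards local copies.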

    By default, logs are forwarded to NSM, which is the primary user interface for the IDP Series device.

    Optionally, you can configure the IDP Series device to send copies of logs to external devices, such as:

    • A syslog server, including a Juniper Networks Security Threat Response Manager (STRM) device, which reads the IDP syslog format.
    • A Juniper Networks Secure Access Series or Infranet Controller Series device to inform access policies.

    Figure 1 provides a visual summary of your log forwarding options. The solid line indicates default behavior. The dashed lines indicate options you must configure to use.

    Figure 1: IDP Log Storage and Log Forwarding


    Note: In IDP OS Release 5.1, the syslog protocol and port are configurable. However, we recommend you use the standard protocol and port whenever feasible.

    NSM Log Collection

    By default, the IDP Series device sends logs to NSM where they can be displayed and analyzed with the NSM user interface. We recommend you become familiar with and use NSM as a central location for log analysis. Logs are stored on the NSM Device Server in subdirectories of /usr/netscreen/DevSvr/var/logs. NSM supports the following log management features:

    • Command-line utilities to archive, copy, and purge logs.
    • Configurable time retention policies that trigger pruning.
    • Automated log management jobs based on criteria you configure, including severity, category, and so forth.
    • Support for log field filters in export operations to XML, CSV, syslog, SNMP, e-mail, or script.

    For complete information on NSM log management features, see Chapter 19 of the NSM Administration Guide (PDF).


    Published: 2011-02-08