Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Enabling Collection of Packet Data in NSM Logs (NSM Procedure)

    When you configure security policy rule notification options, you have the option of logging the packets surrounding the security event.

    Packet capture logs are stored locally on the IDP Series device in numbered directories: /usr/idp/device/var/pktlogs/0/, /usr/idp/device/var/pktlogs/1/, /usr/idp/device/var/pktlogs/2/, and so forth. Each directory stores 100,000 logs. The total number of directories is determined by the value set in NSM for Maximum number of packet captures that can be stored. For example, if you retain the default (10,000), all packet logs are stored in /usr/idp/device/var/pktlogs/0/. If you set the maximum to 200,000, packet logs are stored two directories: /usr/idp/device/var/pktlogs/0/ and /usr/idp/device/var/pktlogs/1/.

    The first 100,000 packet capture logs are stored in /usr/idp/device/var/pktlogs/0/. Files are named 1.pcap, 2.pcap, ..., 100000.pcap. The next 100,000 logs are stored in /usr/idp/device/var/pktlogs/1/. Files are named 1.cap, 2.pcap, ... 100000.pcap. The log agent continues to create directories and files in this manner until the user-specified limit is reached or the disk usage for the partition reaches 90% capacity.

    When the user-specified maximum is reached, the log agent begins overwriting packet log files, beginning with /usr/idp/device/var/pklogs/0/1.pcap.

    If the packet capture repository reaches the disk limit before the user-specified limit:

    1. The log agent deletes all 100,000 logs in the first directory, /usr/idp/device/var/pktlogs/0/, in order to reuse the directory and disk space.
    2. The next logs are written to /usr/idp/device/var/pktlogs/0/ and the files are named 1.pcap, 2.pcap, ..., 100000.pcap.
    3. When the limit is reached again, the log agent deletes all of the logs in the next directory, /usr/idp/device/var/pktlogs/1/. It continues writing in the current directory until if reaches 100000.pcap.
    4. Then, it begins writing in the next directory, which had been emptied in the previous step.

    The IDP Series device forwards the packet data to NSM according to your NSM Report Settings:

    • Include packet data in log selected. Forwards the packet capture to NSM automatically when it sends the corresponding event log.
    • Include packet data in log not selected. Forwards a reference to the packet capture file to NSM automatically but forwards the packet data itself only on-demand (when an NSM user takes action to display the packet data).

      Figure 1: NSM Device Configuration Editor: Report Settings

      Image s036793.gif

    To configure packet log collection:

    1. In the NSM Device Manager, double-click the IDP Series device to display the configuration editor.
    2. Click Report Settings.
    3. Select Include packet data in log.
    4. Optionally, modify the default for Maximum number of packet captures that can be stored. The maximum value you can specify is 102,400,000.
    5. Click Apply and OK to save your settings.

    Note: Be careful when modifying the maximum packet captures limit. If you first configure a large limit and later configure a smaller limit, you might delete directories of logs. For example, suppose you first set a maximum 1,000,000. The log agent begins storing logs in up to 10 log directories. Later, you change the maximum to 100,000. The log agent cleans up the previous configuration, deleting unnecessary directories 1-9. Before you change the setting to a lower value, be sure you have copied all the logs you want saved to a remote location.

    Note: You might encounter unexpected behavior if the following circumstances apply:

    • You change the maximum to a lower value–from 200,000 to 100,000, for example.
    • At the same time, the agent process is handling requests from NSM for logs from /usr/idp/device/var/pktlogs/ subdirectories.

    In the typical case, we expect the agent to mark unnecessary subdirectories for deletion and clean them up after the new maximum is applied. If the agent has locked a subdirectory marked for deletion in order to retrieve files for NSM, it will not delete the subdirectory.


    Published: 2011-02-08