About log evidence

The Network IPS appliance uses log evidence, along with the rolling packet capture feature, to gather evidence about suspicious events.

Log evidence

The log evidence feature copies a packet that triggered an event. Log evidence records the packet in a log file. By studying the packet recorded in the log file, you can determine exactly what an intruder did or attempted to do. Log evidence can capture packets for web protection events, security events, user-defined events, connection events, SNORT events, and response filters.

Where to configure log evidence

You can configure options for log evidence in the following areas:
  • In the policy: Define the scope of the log evidence feature in appliance policies. For example, choose to capture specific traffic or choose to capture all traffic passing through an interface at the same time the event occurs. Find policies that use the log evidence feature in these locations.
    • Secure Protection Settings > Security Modules > Web Application Protection
    • Secure Protection Settings > Advanced IPS > Security Events
    • Secure Protection Settings > Advanced IPS > User Defined Events
    • Secure Protection Settings > Advanced IPS > Connection Events
    • Secure Protection Settings > Advanced IPS > SNORT Configuration and Rules
    • Secure Protection Settings > Response Tuning > Response Filters
  • On the Log Evidence tab: Define how many log evidence files the appliance stores, the size of the capture files, and the file format. Find the tab in Secure Protection Settings > Response Tuning > Responses.
  • On the Tuning Parameters page: Add or edit the parameter engine.logevidence.file.timeout. This parameter defines how long the log evidence option captures packets when the suspicious traffic is idle. The default value is 15 minutes, the minimum value is 5 minutes, and the maximum value is 30 minutes. Find tuning parameters in Secure Protection Settings > Advanced IPS > Tuning Parameters.
Note: Consider possible performance issues as you are choosing log evidence options. Log evidence options that are too general or too large affect performance.

How the log evidence works

All log evidence configurations work together to define the behavior of the log evidence feature.
Table 1. Log evidence configurations and appliance behaviors

Log evidence configuration: Log evidence option in the policy
Appliance behavior: Determines the type of packet to capture when suspicious traffic triggers events. The appliance writes the log evidence files to the /var/iss/ directory. You can retrieve log evidence files from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures > Log Evidence.
  • None: The appliance captures no traffic.
  • Offending Packet: The appliance captures only the packet that triggered the event.
  • Connection: The appliance captures all traffic that matches the event protocol, source and destination address, source and destination port, or VLAN ID.
  • Interface: The appliance captures all traffic that passes through the specified interfaces.
  • All Interfaces: The appliance captures all traffic that passes through all interfaces.
Note: Connection, Interface, and All Interfaces are not available for the SNORT feature.

The appliance captures matching traffic for policy events according to the maximum values set on the Log Evidence tab and the idle time set by the log evidence tuning parameter; whichever limit is met first stops the capture.

Log evidence configuration: Log Evidence tab
Appliance behavior: The appliance applies the maximum values configured on the tab to the packets that match the criteria set in the applicable policy.

If the packet capture meets any of the maximum values set on the tab, the packet capture operation stops.

If the packet capture does not meet the maximum values set on the tab but does meet the idle time limit set by the log evidence tuning parameter, the packet capture operation stops.

Log evidence configuration: Tuning parameter engine.logevidence.file.timeout
Appliance behavior: The appliance applies the idle time set by the tuning parameter to the packets that match the criteria set in the applicable policy.

If the packet capture meets the idle time set in the tuning parameter, the packet capture operation stops.

If the packet capture does not meet the idle time set by the tuning parameter but does meet any of the maximum values set on the Log Evidence tab, the packet capture operation stops.

Log evidence examples

Packet capture controlled by the log evidence tab
  • Log evidence values set:
    • Log evidence tab maximum values set
    • Log evidence tuning parameter set to 15 minutes
    • Policy log evidence option set to Connection
  • A suspicious event from an SSH session occurs
  • Appliance applies maximum values to the packet capture
  • Appliance captures all traffic that matches the connection
  • Appliance applies a time limit to the packet capture
  • Suspect connection traffic continues for 12 minutes, and during that time the capture exceeds the packets-per-event maximum value
  • Appliance stops the packet capture, even though the connection traffic is still occurring and the capture has not been idle for 15 minutes
  • Log evidence file is available for download from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures
Packet capture controlled by the log evidence tuning parameter
  • Log evidence values set:
    • Log evidence tuning parameter set to 15 minutes
    • Log evidence tab maximum values set
    • Policy log evidence option set to Connection
  • A suspicious event from an SSH session occurs
  • Appliance applies time limit to the packet capture
  • Appliance applies maximum values to the packet capture
  • Appliance captures all traffic that matches the connection
  • Suspicious SSH session remains open but has not sent any packets for 15 minutes
  • Appliance stops the packet capture, even though the suspicious session remains open and the packet capture has not met any of the maximum values
  • Log evidence file is available for download from Review Analysis and Diagnostics > Downloads > Logs and Packet Captures
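The two scenarios above follow one rule: a Connection capture ends when either a Log Evidence tab maximum or the engine.logevidence.file.timeout idle limit is met, whichever comes first. The following Python model is an added example, not appliance code; the packet fields, the 50 packets-per-event maximum and the addresses are constructed, and it assumes the offending packet itself is the first packet in the file and counts toward that maximum.

```python
from dataclasses import dataclass, replace
from typing import Iterable, Tuple

@dataclass(frozen=True)
class Packet:
    """One packet; t_min is arrival time in minutes after the triggering event."""
    t_min: float
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    vlan: int

def validate_timeout(minutes: int) -> int:
    """engine.logevidence.file.timeout accepts 5 to 30 minutes (default 15)."""
    if not 5 <= minutes <= 30:
        raise ValueError("engine.logevidence.file.timeout must be between 5 and 30 minutes")
    return minutes

def matches_connection(pkt: Packet, trigger: Packet) -> bool:
    """Connection option: same protocol, addresses, ports and VLAN ID as the event."""
    key = lambda p: (p.proto, p.src, p.dst, p.sport, p.dport, p.vlan)
    return key(pkt) == key(trigger)

def run_capture(trigger: Packet, stream: Iterable[Packet],
                max_packets: int, idle_timeout_min: int = 15) -> Tuple[int, str]:
    """Return (packets captured, reason); reason is 'max_packets' or 'idle_timeout'.
    Assumption (not stated on the page): the offending packet counts toward the maximum."""
    idle_timeout = validate_timeout(idle_timeout_min)
    captured, last_seen = [trigger], trigger.t_min
    for pkt in sorted(stream, key=lambda p: p.t_min):
        # The idle timer runs from the last matching packet; a later arrival past
        # the limit means the capture had already closed on the idle timeout.
        if pkt.t_min - last_seen >= idle_timeout:
            return len(captured), "idle_timeout"
        if not matches_connection(pkt, trigger):
            continue                       # other connections never reset the idle timer
        captured.append(pkt)
        last_seen = pkt.t_min
        if len(captured) >= max_packets:   # Log Evidence tab maximum reached first
            return len(captured), "max_packets"
    return len(captured), "idle_timeout"   # traffic ended, so the idle timer expires

SSH = Packet(0.0, "tcp", "10.0.0.5", "10.0.0.20", 51234, 22, 100)  # constructed trigger

def scenario_tab_limited() -> Tuple[int, str]:
    """SSH connection stays busy for 12 minutes but hits the 50-packet maximum."""
    busy = [replace(SSH, t_min=0.2 * i) for i in range(1, 61)]  # 60 packets over 12 min
    return run_capture(SSH, busy, max_packets=50, idle_timeout_min=15)

def scenario_idle_limited() -> Tuple[int, str]:
    """Session stays open but sends nothing for 15 minutes; unrelated traffic does not count."""
    quiet = [replace(SSH, t_min=t) for t in (1.0, 2.0, 3.0)]
    quiet.append(Packet(10.0, "tcp", "10.0.0.9", "10.0.0.20", 40000, 443, 100))  # other flow
    quiet.append(replace(SSH, t_min=20.0))  # 17 minutes after the last matching packet
    return run_capture(SSH, quiet, max_packets=50, idle_timeout_min=15)
```

Running scenario_tab_limited() reproduces the first example (capture closes on the tab maximum while traffic is still flowing) and scenario_idle_limited() the second (capture closes on the idle timeout with the session still open).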