Configuring log evidence responses

Use the Log Evidence tab on the Responses page for the Network IPS appliance to log the summary of an event. The appliance copies the suspect packet and records information such as event name, event date, and event ID.

About this task

Navigating in the Network IPS Local Management Interface: Secure Protection Settings > Response Tuning > Responses

To retrieve log evidence files and rolling packet capture files, go to Review Analysis and Diagnostics > Downloads > Logs and Packet Captures.

Note: The appliance logs packets that trigger events to the /cache/packetlogger/logevidence/ directory. Each file in that directory holds the packets for a single capture, and the files are retained according to the limits set on this page.

Procedure

  1. Click the Log Evidence tab.
  2. Configure the following options:
     Maximum Files
        Specifies the maximum number of files the appliance stores in the directory for each event. The default is 1000.
        Note: When the log reaches the maximum number of files, it continues incrementing the sequence number and overwrites the existing files.
     Maximum File Size (in KB)
        Specifies the maximum size allowed in the /var/iss/ directory. The default is 500.
     Maximum Number of Packets per Event
        Specifies the maximum number of packets per event the appliance stores in the directory. The default is 100.
     Packet Capture File Format
        Specifies the log file format as pcap or sniffer. The default is pcap.
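Because the limits above cause evidence to be overwritten or cut short once they are reached, an analyst who has retrieved the log evidence files wants to know whether any event hit them. The following is an added example, not IBM's code: it parses the pcap global header and packet records of each downloaded file and flags events that reached the configured file or packet caps. It assumes the caller supplies the event ID for each file (for instance from the event log) and does not rely on any appliance file-naming scheme.

```python
import struct

def pcap_byte_order(data):
    """Return '<' or '>' for a classic pcap global header, or None if not pcap."""
    if len(data) < 24:
        return None
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):   # little-endian file (usec / nsec timestamps)
        return "<"
    if magic in (0xD4C3B2A1, 0x4D3CB2A1):   # big-endian file (usec / nsec timestamps)
        return ">"
    return None

def count_packets(data):
    """Count packet records in a pcap; a truncated trailing record is not counted."""
    order = pcap_byte_order(data)
    if order is None:
        return None
    count, off = 0, 24                         # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header
        incl_len = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        if off + 16 + incl_len > len(data):
            break                              # record body cut off
        off += 16 + incl_len
        count += 1
    return count

def audit_evidence(records, max_files=1000, max_packets=100):
    """records: iterable of (event_id, file_bytes) pairs supplied by the caller.
    Returns per-event counts and flags against the Log Evidence tab limits."""
    report = {}
    for event_id, data in records:
        ev = report.setdefault(event_id, {"files": 0, "packets": 0, "flags": set()})
        ev["files"] += 1
        n = count_packets(data)
        if n is None:
            ev["flags"].add("not_pcap")            # sniffer format or corrupt file
            continue
        ev["packets"] += n
        if n >= max_packets:
            ev["flags"].add("packet_cap_reached")  # later packets of the event were not stored
    for ev in report.values():
        if ev["files"] >= max_files:
            ev["flags"].add("file_cap_reached")    # sequence wrapped; older files overwritten
    return report

def make_pcap(n_packets, order="<"):
    """Constructed sample pcap (not appliance output): header plus n 4-byte packets."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack(order + "IIII", 0, 0, 4, 4) + b"\xde\xad\xbe\xef"
    return hdr + rec * n_packets
```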