Configuring log evidence responses

Use the Log Evidence tab to log the summary of an event. The appliance copies the suspect packet and records information such as event name, event date, and event ID.

About this task

Navigating in IPS Local Management Interface: Secure Protection Settings > Response Tuning > Responses

To retrieve log evidence files and rolling packet capture files, go to Review Analysis and Diagnostics > Downloads > Logs and Packet Captures.

Note: The appliance logs packets that trigger events to the /cache/packetlogger/logevidence/ directory. Each file in the directory contains the packets for a single capture, and the files are stored according to the criteria set on this page.

Procedure
  1. Click the Log Evidence tab.
  2. Configure the following options:
    Maximum Files
      Specifies the maximum number of files the appliance stores in the directory for all events. The default is 1000.
      Note: When the log reaches the maximum file number, it begins again with zero (0) and overwrites the existing files.
    Maximum File Size (in KB)
      Specifies the maximum size allowed in the /var/iss/ directory. The default is 500.
    Maximum Number of Packets per Event
      Specifies the maximum number of packets per event the appliance stores in the directory. The default is 100.
    Packet Capture File Format
      Specifies the log file format. The default is pcap.
      Note: Choose pcap or sniffer.
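The following script is an added example and is not part of the IBM documentation or the appliance software. It shows how an analyst can sanity-check a set of downloaded Log Evidence files against the limits configured above: it counts the files, flags any that exceed the configured size, and parses each pcap file (the default format) to count the packets captured for that event. The directory name is a placeholder for wherever the files were downloaded; the sample pcap files are constructed inline so the script runs offline. The parser handles both byte orders of the classic pcap header and reports truncated or non-pcap files rather than silently skipping them.

```python
"""Check downloaded Log Evidence pcap files against the configured limits.

Added example, not part of the IBM documentation. It assumes the evidence
files were downloaded (Review Analysis and Diagnostics > Downloads > Logs
and Packet Captures) into a local directory and were written in pcap format.
The limits below mirror the documented defaults.
"""
import os
import struct
import tempfile

MAX_FILES = 1000             # "Maximum Files" default
MAX_FILE_SIZE_KB = 500       # "Maximum File Size (in KB)" default
MAX_PACKETS_PER_EVENT = 100  # "Maximum Number of Packets per Event" default

# Classic pcap magic numbers (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)


def count_pcap_packets(data: bytes) -> int:
    """Count packet records in a classic pcap (libpcap) byte string.

    Global header: 24 bytes. Each record: 16-byte header whose incl_len field
    (bytes 8..12) gives the length of the captured payload that follows.
    Raises ValueError on a bad magic or a truncated record.
    """
    if len(data) < 24:
        raise ValueError("file shorter than pcap global header")
    if struct.unpack("<I", data[:4])[0] in PCAP_MAGICS:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] in PCAP_MAGICS:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    offset, count = 24, 0
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet data")
        count += 1
    return count


def build_pcap(packet_payloads, endian="<") -> bytes:
    """Construct a minimal pcap byte string (used only for the constructed sample)."""
    # magic, version 2.4, thiszone 0, sigfigs 0, snaplen 65535, linktype 1 (Ethernet)
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack(endian + "IIII", 0, 0, len(p), len(p)) + p for p in packet_payloads
    )
    return header + records


def check_evidence_dir(path, max_files=MAX_FILES, max_kb=MAX_FILE_SIZE_KB,
                       max_pkts=MAX_PACKETS_PER_EVENT) -> dict:
    """Compare every file in `path` with the configured Log Evidence limits."""
    findings = {"file_count": 0, "too_many_files": False,
                "oversized": [], "over_packet_limit": [], "unreadable": []}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        findings["file_count"] += 1
        if os.path.getsize(full) > max_kb * 1024:
            findings["oversized"].append(name)
        try:
            with open(full, "rb") as fh:
                packets = count_pcap_packets(fh.read())
        except ValueError:
            findings["unreadable"].append(name)   # corrupt, truncated or not pcap
            continue
        if packets > max_pkts:
            findings["over_packet_limit"].append(name)
    findings["too_many_files"] = findings["file_count"] > max_files
    return findings


def demo() -> dict:
    """Write constructed sample evidence files to a temp dir and check them
    with deliberately small limits so every finding type is exercised."""
    with tempfile.TemporaryDirectory() as tmp:   # placeholder for the download directory
        samples = {
            "evt_a.pcap": build_pcap([b"\x00" * 60] * 3),          # within limits
            "evt_b.pcap": build_pcap([b"\x00" * 200] * 7, ">"),    # big-endian, too big, too many packets
            "evt_c.pcap": b"not a pcap file",                     # unreadable
        }
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return check_evidence_dir(tmp, max_files=2, max_kb=1, max_pkts=5)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the script prints one finding per line; in practice point `check_evidence_dir` at the real download directory with the default limits and treat any non-empty `unreadable` list as a file worth re-downloading before it is relied on as evidence.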