Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 12 Configuring IP Logging
Configuring Automatic IP Logging
To configure automatic IP logging parameters, follow these steps:
Step 1 Log in to the CLI using an account with administrator or operator privileges.
Step 2 Enter signature definition IP log configuration submode.
sensor# configure terminal
sensor(config)# service signature-definition sig0
sensor(config-sig)# ip-log
Step 3 Specify the number of packets you want the sensor to log. The range is 0 to 65535.
sensor(config-sig-ip)# ip-log-packets 200
Step 4 Specify the duration in seconds you want the sensor to log packets. The range is 30 to 300 seconds.
sensor(config-sig-ip)# ip-log-time 60
Step 5 Specify the number of bytes you want logged. The range is 0 to 2147483647.
sensor(config-sig-ip)# ip-log-bytes 5024
Step 6 Verify the settings.
sensor(config-sig-ip)# show settings
ip-log
-----------------------------------------------
ip-log-packets: 200 default: 0
ip-log-time: 60 default: 30
ip-log-bytes: 5024 default: 0
-----------------------------------------------
sensor(config-sig-ip)#
Step 7 Exit IP logging submode.
sensor(config-sig-ip)# exit
sensor(config-sig)# exit
Apply Changes?:[yes]:
Step 8 Press Enter to apply the changes or type no to discard the changes.
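As an added example (not part of the Cisco guide), the following Python script parses the show settings output from Step 6 and reports any value that is missing, falls outside the ranges given in Steps 3 to 5, or differs from an intended baseline. The function names and the baseline dictionary are assumptions made for illustration, and the sample text is constructed from the output shown above.

```python
import re

# Valid ranges as stated in Steps 3 to 5 of the procedure.
RANGES = {
    "ip-log-packets": (0, 65535),
    "ip-log-time": (30, 300),        # seconds
    "ip-log-bytes": (0, 2147483647),
}

# Constructed sample: the "show settings" output from Step 6.
SAMPLE = """\
ip-log
-----------------------------------------------
ip-log-packets: 200 default: 0
ip-log-time: 60 default: 30
ip-log-bytes: 5024 default: 0
-----------------------------------------------
"""

# Matches "name: value", optionally followed by "default: N".
LINE = re.compile(r"^\s*(ip-log-\w+):\s*(\d+)(?:\s+default:\s*(\d+))?")

def parse_ip_log_settings(text):
    """Return {name: (value, default)} parsed from show settings output."""
    found = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            default = int(m.group(3)) if m.group(3) is not None else None
            found[m.group(1)] = (int(m.group(2)), default)
    return found

def audit(text, baseline):
    """Hypothetical helper: list missing, out-of-range and drifted settings."""
    settings = parse_ip_log_settings(text)
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name not in settings:
            findings.append(f"{name}: not present in output")
            continue
        value, _ = settings[name]
        if not lo <= value <= hi:
            findings.append(f"{name}: {value} outside {lo}-{hi}")
        want = baseline.get(name)
        if want is not None and value != want:
            findings.append(f"{name}: {value} differs from baseline {want}")
    return findings

print(audit(SAMPLE, {"ip-log-time": 60}) or "no findings")
```

Run it against output captured from each sensor after Step 6 to confirm that the applied values are the ones intended before relying on the resulting IP logs.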
For More Information
• To copy and view an IP log file, see Copying IP Log Files to Be Viewed, page 12-7.
• For more information on event actions, see Assigning Actions to Signatures, page 8-15 and
Configuring Event Action Overrides, page 7-17.
Configuring Manual IP Logging for a Specific IP Address
Use the iplog name ip_address [duration minutes] [packets numPackets] [bytes numBytes] command
to log IP packets manually on a virtual sensor for a specific IP address. The following options apply:
• name—Specifies the virtual sensor on which to begin and end logging.
• ip_address—Logs packets containing the specified source and/or destination IP address.
• minutes—Specifies the duration the logging should be active. The valid range is 1 to 60 minutes.
The default is 10 minutes.