C-52
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Appendix C Troubleshooting
Troubleshooting the Appliance
b. Set [drain/main] type=syslog
The following example shows the logging configuration file:
timemode=local
;timemode=utc
[logApp]
;enabled=true
;-------- FIFO parameters --------
fifoName=logAppFifo
fifoSizeInK=240
;-------- logApp zone and drain parameters --------
zoneAndDrainName=logApp
fileName=main.log
fileMaxSizeInK=500
[zone/Cid]
severity=warning
drain=main
[zone/IdsEventStore]
severity=debug
drain=main
[drain/main]
type=syslog
The syslog output is sent to the syslog facility local6 with the following correspondence to syslog
message priorities:
LOG_DEBUG, // debug
LOG_INFO, // timing
LOG_WARNING, // warning
LOG_ERR, // error
LOG_CRIT // fatal
Note Make sure that your /etc/syslog.conf has that facility enabled at the proper priority.
Caution The syslog is much slower than logApp (about 50 messages per second as opposed to 1000 or so). We
recommend that you enable debug severity on one zone at a time.
TCP Reset Not Occurring for a Signature
Note There is only one sensing interface on the ASA IPS modules (ASA 5500 AIP SSM,
ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP), so you cannot designate an alternate TCP reset
interface.