User Guide for Cisco Content Security Management Appliance M1070

Cisco IronPort AsyncOS 8.0 for Security Management User Guide
Chapter 14      Logging
Log Retrieval
Log files can be retrieved with the file transfer protocols described in Table 14-1. You set the protocol 
when you create or edit a log subscription in the GUI, or by using the logconfig command in the CLI.
Filename and Directory Structure 
AsyncOS creates a directory for each log subscription based on the log name specified in the log 
subscription. The filenames of logs in the directory consist of the filename specified in the log 
subscription, the timestamp when the log file was started, and a single-character status code. The 
following example shows the convention for the directory and filename: 
/<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>
Status codes may be .c (signifying “current”) or .s (signifying “saved”). You should only transfer log 
files with the saved status. 
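On the collecting side, the naming convention and status codes above can be used to skip files the appliance is still writing and to flag names that do not fit the convention. The following Python code is an added example, not part of the Cisco guide; the function names and sample paths are hypothetical, and the timestamp is treated as an opaque string because the guide does not give its format.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Convention from the guide: /<Log_Name>/<Log_Filename>.@<timestamp>.<statuscode>
# Assumption: the timestamp contains no "/" or "." characters.
_LOG_PATH = re.compile(
    r"/(?P<log_name>[^/]+)/(?P<filename>[^/]+)\.@(?P<timestamp>[^/.]+)\.(?P<status>[cs])"
)


class LogFile(NamedTuple):
    log_name: str   # directory named after the log subscription
    filename: str   # filename configured in the log subscription
    timestamp: str  # when the log file was started (opaque here)
    status: str     # "c" = current, "s" = saved


def parse_log_path(path: str) -> Optional[LogFile]:
    """Parse one path; return None if it does not follow the convention."""
    m = _LOG_PATH.fullmatch(path)
    return LogFile(**m.groupdict()) if m else None


def select_for_transfer(paths: List[str]) -> Tuple[List[LogFile], List[LogFile], List[str]]:
    """Split a listing into (saved, current, unrecognized).

    Only the saved entries should be transferred; current files are still
    being written, and unrecognized names are returned for review.
    """
    saved, current, unrecognized = [], [], []
    for path in paths:
        entry = parse_log_path(path)
        if entry is None:
            unrecognized.append(path)
        elif entry.status == "s":
            saved.append(entry)
        else:
            current.append(entry)
    return saved, current, unrecognized


# Constructed sample listing (not taken from a real appliance).
SAMPLE_LISTING = [
    "/mail_logs/mail.@20240101T000000.s",
    "/mail_logs/mail.@20240102T000000.c",
    "/mail_logs/mail.text.@20240101T120000.s",
    "/mail_logs/notes.txt",
    "/mail_logs/archive/mail.@20240101T000000.s",
]
```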
Log Rollover and Transfer Schedule
When you create a log subscription, you specify the trigger(s) for when the logs roll over, the old file is 
transferred, and a new log file is created. 
Choose between the following triggers: 
  • File size 
  • Time 
    – At a specified interval (in seconds, minutes, hours, or days) 
      Follow the example on the screen when entering values.
      To enter a composite interval, such as two-and-a-half hours, follow the example 2h30m
Table 14-1  Log Transfer Protocols
FTP Poll
With this type of file transfer, a remote FTP client accesses the Cisco IronPort appliance 
to retrieve log files by using the user name and password of an administrator-level or 
operator-level user. When configuring a log subscription to use the FTP poll method, you 
must supply the maximum number of log files to retain. When the maximum number is 
reached, the system deletes the oldest file. 
FTP Push
With this type of file transfer, the Cisco IronPort appliance periodically pushes log files to 
an FTP server on a remote computer. The subscription requires a user name, password, and 
destination directory on the remote computer. Log files are transferred based on the 
configured rollover schedule. 
SCP Push
With this type of file transfer, the Cisco IronPort appliance periodically pushes log files to 
an SCP server on a remote computer. This method requires an SSH SCP server on a remote 
computer using the SSH2 protocol. The subscription requires a user name, SSH key, and 
destination directory on the remote computer. Log files are transferred based on the 
configured rollover schedule.
Syslog Push
With this type of file transfer, the Cisco IronPort appliance sends log messages to a remote 
syslog server. This method conforms to RFC 3164. You must submit a hostname for the 
syslog server and use either UDP or TCP for log transmission. The port used is 514. A 
facility can be selected for the log; however, a default for the log type is preselected in the 
drop-down menu. Only text-based logs can be transferred using syslog push.