IDS MC v1.1.1 / sensor v4.0 (2) S42 - deployment Config fails

Hello

I upgraded the version 1.1.1 IDS MC and a sensor of 4235 version 2.0000 S42.

I'm now trying to deploy a new configuration of the sensor through the MC and receive notification of failure of work by e-mail. Configuration changes appear to be correct in the IDS MC interface, but when I look at the sensor directly (by Bishop device ID), it seems that the configuration has not been updated (as indicated in the notification of failure of e-mail).

I haven't had a chance to fetch the log files again. I'm not sure if they are easily accessible on the new architecture of the sensor.

Email error text:

.. .deployment begins

generate configuration: success

deployment of configuration: sensor - sap.OrganizationName: the configuration files of the sensor deployment error - command not valid CLI: SigComment «»

^

Invalid entry % detected at ' ^ "marker"

Errors encountered during deployment of the device

Deployment failed with 0 attempts remaining

Deployment job failed...

If anyone has any ideas or suggestions, I would be very happy.

Kind regards

Chad Giulini

Please check if your MC has Service Pack 2 for i.e S42 2.0000 S42. If this isn't the case, update and then deploy the new attempt, after you remove the MC sensor and add it again.

Tags: Cisco Security

Similar Questions

  • Signature update by group MC IDS?

    I just changed to the top in the world of CSPM IDS MC on virtual computers. Nice interface, but is there not a way to create a signature that I can apply to a set of sensors? Part of the reason why you have a center console is to enable management group (I thought)... and same CSPM had this.

    -James

    Copy the signature on all sensors ids by using the copy command. Then build and deploy on all sensors. You can do the same for filter etc.

  • Machines virtual 1.1 how update you the Signatures IDS MC?

    Help!

    Got CW VMS 1.1 and a couple of 4250 IDS boxes, they perform signatures to 3.1.3 (s42), when I try to add them to the MC in SMV (so I can then update sigs) he advises that GIS version is unknown and that I should update the signatures of MC.

    I downloaded IDSk9-GIS - 3.1 - 3 - S49 and placed in the directory of the ID updates within MC, I chose this file to update the MC, but it does not appear to do.

    Once the file is selected and I get the text box informing me that it will be applied, I select continue and it returns to the "select the file" page.

    Check the audit log it shows the update is started and finished in the same second period and I still can't import/add the ID of the probes.

    Pointers would be most appreciated.

    Ian,

    I know this sounds illogical, but you must download and apply the update to 3.1.3 (s42) .zip to your Inbox to IDS MC. Problems with updates of the IDS MC, it's that there is no way for the MC to say what GIS have been added as part of S42, S45, S49, etc... Thus, avoid us confusion in the minds of the MC by not letting you add a sensor that has a version of GIS that is unknown to the MC. Once you apply update S43 to MC, add sensors. Then, go back and re-apply the update S49 and you should be the option Update sensors as well this time. Good luck and I hope this helps.

    Scott

  • Signature ID updates

    When I update my sensors IDS using the IDS MC 3 of my 4 probes hang. They don't ever restart all services. When I telnet to them I get the message "error: cannot communicate with system processes. Please contact your system administrator." The IDS MC progress viewer shows 100% but with errors. The errors are: sensor Int_IDS1: Signature Update process

    An error has occurred during execution of the script of update on the sensor that is named Int_IDS1. Detail = RDEP a communication error occurred during the update. Exception message = org.apache.commons.httpclient.HttpRecoverableException: error in the analysis of the status of the response line: could not find the line beginning with "HTTP".

    A sensor works very well without any problems.

    I tried upgrading the sensors individually through IDSMC and 3 even fail with the error message. I tried to make it through the command line and ftp and even failure 3. The 3 sensors that fail are 4235, and the successful sensor is a 4250 XL.

    If you are not running the patch 'f' on your sensors, 4.1.4(f), you must download and install this hotfix. It corrects insufficient memory on the upgrade issues that are very likely the cause of your problem.

    The location of the hotfix is released in another thread.

  • backup procedure

    Hello

    How can I make a backup for the parameters of the signatures on the network sensor 4210? So, if my sensor lost settings (what is for, which is on the block), how can I put in minimum time?

    Best regards

    MAHENDER Sorin

    If you use a company like CSPM management tool, administrator Unix or the new IDS (in SMV 2.1) Management Center, the configurations are stored in the database of the tool.

    You simply reset (or even recreate the image on the sensor) with sensor sysconfig.

    Then push the configuration of the management station to the probe.

    If you use IDM and VEI in a small deployment (less than 3 sensors) then you can simply copy the different configuration files located in the directory/usr/nr/etc/on another box whenever you want to make a backup.

    If your sensor is corrupted simply recreating you the image, and then run sysconfig-sensor to reset all network settings.

    Once your sensor network is reset then just ftp on the computer containing the old configuration files and move back them to the sensor.

    Run then nrstop and nrstart to start to use the old configuration files.

    NOTE: If you re - the image sensor, make sure to run the sysconfig-different sensor options before demolishing the old config files. Not all information in sysconfig-sensor is shot directly into the config files.

    For a list of configuration files that you want to backup refers to:

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/0866_02.htm#xtocid21

  • official service problem

    Nice day.

    I bought my z3c this winter. In July, I noticed that the front screen on my Sony is 'off'.

    There was a thin gap between the body and the screen. Unfortunately, I did not take a picture of it. And, obviously, my phone lost its waterproof features.

    So, I took my phone to the official service. Two or three weeks later, they called me and said, that the phone is ready, it is completely repaired.

    Service, I checked a pressure sensor in the service menu and result failed completely. Numbers have not changed while I pressed the screen.

    Resumed service center phone and a few days later, they called again and said, the phone is ready.

    For evidence, they showed me two screenshots (see below), BUT! control of working pressure sensor failed again! Numbers hold again, when I pressed the screen.

    An operator on a Sony hotline tries to make sure that everything is OK, my phone is completely repaired, but I doubt. Mainly because of the FAILURE of the pressure sensor tests.

    So please, dear Admins, tell me, I can trust my official service center? This software (on a screenshots) really exists, and I can stop paying my attention to Menu Service check results?

    Sorry for my English.

    As Jean-Claude says, this menu does not negate your warranty.

    What, in my view, that they wanted to say, is that this menu is not intended for end users.

  • IDSM2 in inline mode

    Hi all

    There are 2 VLANS configured in the switch of 7600 namely 200 and 300. In order to make the switch to pass these traffic vlan by JOINT (IPS inline mode), the following was configured.intrusion - detection module 2 ports data 1 trunk allowed - vlan 200 300. Apart from that, are there any requirements for the same thing. The IOS in the 7600 switch is 12.2 (18) SXF4.

    Thanking you

    Anantha Subramanian Natarajan

    You can have up to 255 VLAN pairs on Gig0/7 (data-port 1) and 255 VLAN pairs on Gig0/8 (data-port 2).

    But be aware that with version 5.0/5.1 on JOINT 2 JOINT-2 will deal with all these pairs as if they were on the same network. This can lead to confusion on the sensor if the packets are routed and run through 2 or more pairs of vlan inline.

    So if you are going to deploy in situations where routing could cause packets go through more than one pair of vlan inline then I recommend you to run the IPS version 6.0.

    IPS 6.0 can support up to 4 virtual devices. You can have a different configuration of the peg and filter in each virtual sensor.

    If a single deployment of 4 pairs of vlan online you can place a pair of vlan inline in each of the 4 virtual sensors.

    If you deployed more than 4 virtual probe, there was also an additional feature added to IPS 6.0 help manipulate it.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids13/cliguide/clianeng.htm#wp1038004

    You must set the Session TCP tracking Mode "Vlan only" or "Interface and Vlan" and say this track JOINT-2 the TCP Sessions only by pair of vlan inline and avoid the problem with 5.0/5.1.

    Pair Interface InLine mode is very similar to the pair of Vlan InLine. It will pair 2 VLANS.

    The difference is in how to obtain VLAN paired.

    Mode Inline Interface pair you would 0/7 and 8/0 (data port 1 and 2) to access the ports. Each port would be for just a single vlan. Place you 0/7 on a vlan of the pair and place of 0/8 on the second VLAN of the pair. The JOINT-2 would then monitor the traffic between the 2 VLAN just as it does InLine Vlan pair mode. But instead of passed back and forth on 2 VLAN of a single trunk port, they went back between the 2 access ports.

    Since it's access ports, you are limited to only one set of VLANS when you InLine Interface pair mode. While InLine Vlan pair gives you up to 510 vlan pairs.

    So I do not recommend using InLine Interface on JOINT-2 pair Mode.

    FYI: even if it has an advantage when running on a device. And the device can connect between 2 switches (a JOINT-2 can not because it is inside the switch). In this respect between the 2 switches trunk can carry 4094 VLANS. So place a device pair InLine INterface mode between 2 switches in a trunk port has some advantages.

  • Questions of pre-installation on IPS on Cisco ASA Cluster

    Hello

    I'm looking for some configuration directives and IPS.

    I have a Cisco ASA Cluster with an IPS Module and I would like to know the best way to go about setting it up.

    We have a customer who requires their web servers to be protected with the IPS Module.  I have the following questions:

    1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

    2. can you syslog alerts?

    3. is it possible to use snmp around alert also interrupts?

    4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the Firewall and block traffic if they choose to do so?  Is it possible for an administrator to block traffic (or leave if his a false positive in IPS) without having to connect to the ASDM?  If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

    6. I'm afraid that if I put it with a profile he can start blocking valid traffic.  What is the best way to start with IPS to protect a server?

    7 if its possible to syslog, what kind of detail is the capture of syslog?  Need name attack, etc.?

    A lot of questions!  I hope someone can help

    Thanks a mill

    1. is it possible to install the IPS in learning mode type to see what kind of traffic is hitting?

    Yes. There are several ways to do this, but the easiest way is to put the sensor in promiscuous mode (in the config of the ASA)

    2. can you syslog alerts?

    No. The Cisco IPS OS doesn't support syslog.

    3. is it possible to use snmp around alert also interrupts?

    Yes. But you must set the 'action' on each signature that you want to send a trap.

    4. If you put it in promiscuous mode (SDI) what it means when you receive an alert about a possible attack, an administrator must log on the Firewall and block traffic if they choose to do so?  Is it possible for an administrator to block traffic (or leave if his a false positive in IPS) without having to connect to the ASDM?  If you have a scenario where you don't want to give users access to the firewall, what is the best way to go about this?

    Who should perform the analysis of IPS events have generally sufficient privilege and access to make any changes necessary to your firewall security and IPS sensors. It takes time, knowledge and skills for the analysis of the IPS. Most customer do not have the resources to do the job that you describe.

    5. is it possible to set up an alert that if this is a DDOS email alert, if it's a handshake of split then just syslog alert?

    No syslog. You can set alerts email on a per-signature basis.

    6. I'm afraid that if I put it with a profile he can start blocking valid traffic.  What is the best way to start with IPS to protect a server?

    Start in "Promiscuous" mode and see what hit the signatures. Investigate them, adjust your false positive until you have a tight game, an action of signatures. Then switch to online mode.

    7 if its possible to syslog, what kind of detail is the capture of syslog?  Need name attack, etc.?

    No syslog.

    -Bob

  • Memory and the use of the disc on my IDS 4235 sensor & 4250.

    My ID sensor memory usage shows a use of 99%, and the hard drive is already 5 of the 15 Gig. Here is the log of "seeing the worm."

    With the help of 398913536 of 1980493824 memory available bytes (99% of use)

    With the help of 5 of the 15 bytes of disk space available (66% of use)

    -only the signature of med and high seriousness is enabled. Why the sensor used this memory?

    -Is this the sensor has IDS to a database that stores the logs which causes the hard drive used space? (considering that she has the management of the IDM)

    - Or any other reason why the hard drive used whereas the large drive space is new and operating time is 2 months?

    -Update of the signature file is adults who took over this large space on the HARD drive?

    Hope - could someone give me an idea why is it so.

    As I said earlier, there is not a problem with the use of disk space. Memory usage bug is fixed in the 5.X product not 4.X. However, there are some good bug fixes in the patch of engineering 4.1(4g).

    The number of real memory usage can be determined from the service account by entering the following command:

    bash-2.05$ free

                 total       used       free     shared    buffers     cached
    Mem:       1934076    1424896     509180          0      18284    1214536
    -/+ buffers/cache:     192076    1742000
    Swap:       522072          0     522072

    The "Mem:" line and the "used" column give the amount of memory (in kilobytes) that the "show version" command reports. However, this total includes the "cached" amount.

    So in the example above, the actual memory used is (1424896 - 1214536), or 210360 KB. That is (210360 / 1934076 * 100), or 10.9% of total memory.
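The calculation in the reply above, as an added example that is not part of the original thread or any Cisco tooling: it parses the legacy `free` layout and separates the raw "used" figure from the figure with page cache subtracted, which is the number to alert on when monitoring sensor health. The function names and the 50% cache threshold are assumptions; the sample text reuses the figures quoted in the thread.

```python
# Sample `free` output, laid out from the figures quoted in the thread above.
SAMPLE_FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:       1934076    1424896     509180          0      18284    1214536
-/+ buffers/cache:     192076    1742000
Swap:       522072          0     522072
"""


def parse_free(text):
    """Return the Mem: row of legacy `free` output as {column: kilobytes}."""
    header = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "total":
            header = fields                      # column names row
        elif fields[0].lower() == "mem:":
            if header is None:
                raise ValueError("Mem: row found before the column header")
            values = [int(v) for v in fields[1:]]
            if len(values) != len(header):
                raise ValueError("Mem: row does not match the column header")
            return dict(zip(header, values))
    raise ValueError("no Mem: row in input")


def memory_report(text, cache_share_threshold=0.5):
    """Compare raw usage with usage after subtracting the page cache."""
    mem = parse_free(text)
    total, used, cached = mem["total"], mem["used"], mem["cached"]
    if total <= 0:
        raise ValueError("total memory must be positive")
    actual_used = used - cached                  # same subtraction as in the thread
    return {
        "raw_used_kb": used,
        "raw_used_pct": 100.0 * used / total,
        "actual_used_kb": actual_used,
        "actual_used_pct": 100.0 * actual_used / total,
        # True when most of the "used" figure is reclaimable cache, i.e. a
        # high reading that does not indicate memory pressure on the sensor.
        "cache_inflated": cached > cache_share_threshold * used,
    }


if __name__ == "__main__":
    for key, value in memory_report(SAMPLE_FREE_OUTPUT).items():
        print(f"{key}: {value}")
```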

  • Network IDS Sensor/system and retrieval of Images

    Ok.. on this page:

    http://www.Cisco.com/Kobayashi/SW-Center/ciscosecure/IDs/crypto/

    Objective: I want to burn an image from the Images "system and recovering" rather than order a CD from recovery for IDS.

    Issues related to the:

    1 is it possible or not that you must order the recovery CD?

    2. I see that the files under 'System and recovery Images' are in the format tar.pkg. Is this based on Linux or Solaris? Can I use Red Hat Linux to extract this file and then burn it to a CD?

    3. If so, is - anyone know how to extract the file?

    -TKS.

    Answers:

    (1) No, you must order the recovery CD.

    (2) there are 2 types of files: System and recovery.

    The system Images (- sys-) are used only for the installation of sensors that support ROMMON (like the 4215 IDS, IPS-4240 and IPS-4255). The sensors supporting ROMMON have no CDROM drives, and so the image must be tftpd to the sensor through ROMMON.

    System Images are used for recovery after disaster where the compactflash/hard disk from the sensor has been severely damaged or a new white compactflash/hard disk was placed in the sensor.

    Recovery (r) - Images updated only the probe recovery Partition. They must be installed from a running Application Partition. The .pkg is a special Cisco IDS application-specific extension. There are special methods for unpacking and installation of the underlying files.

    In ordinary situations the user will constantly update their software to sensor by the normal process of upgrade using large updates (- shift-), minor updates (- min-), Service Pack (sp) - or Signature updates (-- GIS).

    It isn't that where the effective Partition becomes corrupt that a user must always start on the recovery Partition and load a new Partition of Application.

    Most of the users will never update their recovery Partition. Thus, users who have purchased the IDS-4235 for example with the 4.0 software (1) will be a 4.0 (1) recovery Image. If they later upgraded to 4.1 (1) and the experience of corruption then they can always start the recovery Partition and reload 4.0 (1). If they do not want to return to 4.0 (1) provide us a recovery Image to update the Partition recovery to 4.1 (1).

    The only time wherever a recovery CD is really necessary is when the user goes from 3.x, 4.x, because of the drastic change between the 2 versions, or if the recovery Partition has also been damaged, or if you use a blank hard drive.

    3.

    I don't think the recovery or System Images contains the files needed to create a recovery CD. If I just remember additional files have been added to the recovery CD to make it bootable, which were not necessary on the system image or recovery since they were based on a sensor that was already underway.

  • Memory required for the upgrade of IDS Sensor 4.1 (5) to 5.0 (IPS)

    pls tell me the desired memory minimum for the sensor IDS version 4.1 upgrade (5) to version 5.0 (IPS)

    Detectors of the series 4200 ID must be at least 512 MB for this upgrade to 5.0.

    Read the release notes for more information:

    http://www.Cisco.com/en/us/products/HW/vpndevc/PS4077/prod_release_note09186a008045ab52.html

    I hope this helps. all the best... the rate of responses if deemed useful...

    Concerning

    REDA

  • Problem when adding a sensor to IDS MC

    Hi all

    Any body has encountered the problem I'm facing here? I add 4 sensors to my MC IDS (2.2) and I get an error message when I tried to add the third argument, I clicked on (see the message) and I got the output attached... Please tell us how can I troubleshoot/fix this problem...

    Appreciate your cooperation...

    Concerning

    Regenerate the certificate of the probe. Usually, it is because the certificate of the probe has expired. Then return to IPS MC and add the sensor.

    For sensor 5.x through IDM:

    Configuration > Configuration sensor > Certificates > certificate server

    Click on generate the certificate

    For sensor 4.x through IDM:

    Device > sensor configuration > certificate > generate certificate of host

    Click on apply for sensor

  • IDS Sensor clock display inconsistencies?

    Hi all

    don't know if anyone has found it before. When I connect to my sensors IDS via SSH using a standard account the command "show clock" gives me an answer an hour earlier than planned. The sensor is configured to use NTP, and I suspected that the problem is with the summertime daylight savings settings.

    However, isn't there it gets a little confused: when I connect the sensor using the service account (Linux OS), the system time seems to be OK.

    I tried to take the ntp server to the equation with little success. What tends to happen is that when I enter in a time manually, it still subtracts an hour? (for example I go to 14:00 and "show clock" tells me that the time is 13:00) The impression I get is that the sensor is not analyzed properly advanced economy settings.

    Another question in this regard is that the Zone name and the names of the DST Zone are of importance or are they simply focus on naming variables? We are located in Sydney, Australia, so I simply Mater WAS for both. Thanks in advance.

    There is a bug in DDT cisco written against this problem:

    CSCed61826 - IDS summer time / dst incorrect show for the area of the southern hemisphere

    Description:

    If you have installed summertime (spanning the new year) and

    your time is during the summer AND past January 1, then

    on/off time are in error was calculated for the following

    Summertime (the following year).

    Please find below the result

    to see the clock det before reboot and after reboot.

    Before the reset:

    4215-1 # sh clock det

    * 12:53:01 AEDST Sunday, February 1, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004

    After the reset and ID is:

    4215-1 # sh clock det

    * 01: 55:53 UTC Sunday, February 1, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 3, 2004

    DST ends at 01:00 EAST Monday, March 28, 2005

    (SEE here it's show WAS instead of AEDST, and it seems

    to be moved to the new year because summer time start and stop

    2004 and 2005 already, instead of the supposed 2003 to 2004 yet)

    4215-1 # sh clock det

    * 11: 56:27 EAST Sunday, February 1, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 3, 2004

    DST ends at 01:00 EAST Monday, March 28, 2005

    (For that to be fixed I have to make the system get the correct summertime start and stop years 2003 and 2004, then he would get February corrected again to AEDST)

    4215-1 # clock set 13:18 November 1, 2003

    4215-1 # sh clock det

    * 12:18:02 WAS Saturday, November 1, 2003

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004

    4215-1 # clock set 13:18 February 3, 2004

    4215-1 # sh clock det

    * 13:18:01 am AEDST on Tuesday, February 3, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004

    4215 1 #.

    In addition, if I play then with clock as I do November

    2004, then DST moves for 2004-2005, once again, and if I come back

    for February, then he would show as WAS once again, not AEDST.

    4215-1 # clock set 13:18 November 1, 2004

    4215-1 # sh clock det

    * 12:18:03 WAS Monday, November 1, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 3, 2004

    DST ends at 01:00 EAST Monday, March 28, 2005

    4215-1 # clock set 13:18 February 3, 2004

    4215-1 # sh clock det

    * 12:18:02 WAS Tuesday, February 3, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 3, 2004

    DST ends at 01:00 EAST Monday, March 28, 2005

    4215 1 #.

    workaround solution:

    If configure you summertime (spanning the new year) and your current time is summer

    period AND after January 1, then the summer start/stop times are calculated in error for the

    following summertime (the following year).

    In Australia, the summer time is start Oct, and stop on March.

    In February 2004, it should now be summer time "AEDST" Tuesday, February 3, 2004.

    Show clock retail should have something close to

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004.

    However, if the show clock detail shows DST next years:

    Daylight saving time starts at 03:00 AEDST Sunday, October 3, 2004

    DST ends at 01:00 EAST Monday, March 28, 2005

    Then February would not show the correct time

    "GMT" Tuesday, February 3, 2004

    We can try to correct information in time making you temporarily a year back and in the summer

    period of time, then correct the time again.

    for example:

    4215-1 # clock set 13:18 November 1, 2003

    4215-1 # sh clock det

    * 12:18:02 WAS Saturday, November 1, 2003

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004

    4215-1 # clock set 13:18 February 3, 2004

    4215-1 # sh clock det

    * 13:18:01 "AEDST" Tuesday, February 3, 2004

    No time source

    Daylight saving time starts at 03:00 AEDST Sunday, October 5, 2003

    DST ends at 01:00 EAST Tuesday, March 30, 2004

  • Sensor not known version of the IDS MC

    The system IDS 4215 sensor is version: 1.0000 S47. The MC of the IDS (version 1.2) does not have this version and recommends an update of the signature.

    I downloaded the file IDS-K9-min-4.1-1-S47.rpm.pkg to the web site of Cisco and attempt to update the signature in accordance with the instructions in the ReadMe file.

    I received the following message:

    "Failed to update the object. The provided update package seems to be corrupted, or refused permission to read the file. Please check the contents of the update package and try the operation again. »

    I checked the downloaded file's MD5 signature, and it's OK. I tried to download the file again and I got truncated versions (size about 256 KB).

    I use the correct file? How can I get the correct version of the file? Am I missing any parameter?

    Thank you for your help.

    What you have is the package of real update to the sensor itself. If you use MC to push updates, you need the package from the following location:

    http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/cw2000/mgmt-ctr/ids/ids4updates/IDS-K9-min-4.1-1-S47.zip&swtype=FCS&software_products_url=%2Fcgi-bin%2Ftablebuild.pl%2Fmgmt-ctr-ids-ids4updates&isChild=&appName=&tbtype=mgmt-ctr-ids-ids4updates

    It contains the files needed for the update of MC and the real update package will be pushed to the sensor.

  • The system IDS 4215 sensor no IPLogs

    Can someone enlighten me please?

    I have configured a sensor 4215 running the latest version 4 of the software & signatures.

    I have configure the sensor to use a Pix to help fleeing, the configuration worked for more than a week and I chose some to block on signatures and it works and I can see guests in the red list.

    My problem is that under , there is no listed log files,

    Is this correct?

    In version 3 on a 4210 sensor there are several listed log files, these are downloadable on my local machine, where as soon as I could import them in event IDS Viewer and display all events, this is no longer how it's done in version 4?

    What I can do under , is see the list of events that have been posted through the web page of IDM.

    Any help would be greatly appreciated.

    Concerning

    Mark

    First of all, I think that there is some confusion between the IP logs and alarms logs.

    There are 2 types of log files in version 3.x.

    The traditional log file which contained alarms in a comma delimited format that can be imported into VEI.

    The second was an IP trail which was a log of the actual binary packages that have been observed after the signing of fire.

    The action of "log" on the signature would result in the creation of a file of Log of IP and had nothing to do with or no alarm was recorded in the comma-delimited log file.

    Logging of alarms in the comma-delimited log file was controlled by will loggerd has been enabled on the sensor and if loggerd has been installed as a destination for messages in the destination file.

    In version 3.x, you might download individual logs to your own PC files and open them in IEV or load them into your own database.

    In version 4.x is therefore more the concept of individual alarms for files and the log of the IP on the sensor data.

    The alarm logs have been replaced by a circular buffer called eventStore. It can be compared to a large circular database. The eventStore is 4 GB in size and when it is full will begin to overwrite the oldest alarms with the most recent alarms.

    IP logs have been replaced by a similar circular storage for the journal of intellectual property data.

    The data of the alarm in version 4.x cannot be FTP'd the sensor as a diary of the alarm.

    Instead, you have two options:

    (1) use IDM to query the eventstore and pull the alarms that match some criteria. You can then view messages in plain text format.

    (2) use the command "Show events" CLI to do the same thing as IDM can do.

    (3) contact Cisco TAC and ask for RDEP specification which provides the syntax for you to create your own queries to plug into the sensor and fire alarms in a raw XML format that you can then load into your own database.

    (4) If you are a user of VEI then the 4.x VEI has the ability to pull older alarms of the probe.

    http://www.Cisco.com/univercd/CC/TD/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#604023

    In the device properties simply, with the older start time and VEI will automatically extract in these earlier events of the sensor.

    NOTE: It is not a function import that can import plain text or events XML you would see options 1, 2 or 3 above. SO if you want to see in VEI then use option 4.

    Now for iplogs they can be FTP'd to the sensor using the command copy. But iplogs are the binary packet data and not a list of alarms. They are created only when the action of "log" is selected.

    NOTE: IP logging consumes resources sensor and can slow down the performance of the sensor. It is not necessary to IP Log an alarm to see the alarm itself VEI or other management positions. If the action of "journal" that should rarely be used when the binary packet data are necessary.
