Cannot set C2 Audit log larger than 100 MB

Technote (FAQ)


Question

When Server Sensor manages the C2 audit log, why will it not create a log greater than 100MB?

Answer

Server Sensor has a limit of 99 MB for the C2 audit log. This is stated in the user guide on page 109:
http://pic.dhe.ibm.com/infocenter/sprotect/v2r8m0/topic/com.ibm.legacy.doc/RS_SvrSensor_PG_7.0.pdf

Page 110 also describes adding "sensor.noc2logsizelimit" to the sensor policy to disable BSM handling if you want the BSM log to grow larger than 99 MB. To disable this on just a few sensors, add the parameter to the properties of each sensor in the Agent view in the console, under the Advanced Parameters tab. To apply it to multiple sensors, put it in the sensor policy by following these instructions:

  1. Open the policy you want to customize.
  2. On the Network Events tab, select any group of signatures.
  3. Click Tuning.
  4. Do you see the sensor.noc2logsizelimit parameter in the table?
    • If yes, select the parameter, click Edit, and then go to Step 6.
    • If no, click Add. Important: If you enter conflicting or duplicate tuning parameters, the parameter entered last overrides the parameter entered first.
  5. In the Name box, type the parameter name, sensor.noc2logsizelimit. Note: Any typographical errors will render the parameter unusable.
  6. In the Type box, select Boolean.
  7. In the Value box, select true to disable sensor management of the log.
  8. In the Description box, type a descriptive comment for this parameter.
  9. Click OK. The tuning parameter with the new setting is listed in the parameters table.
  10. Click OK.
  11. Save the changed policy, and then apply the policy to the sensor.

Note: If you use the sensor.noc2logsizelimit parameter, there is a bug in SR 4.4 where the parameter is not reapplied after a reboot until you re-apply the policy. To address this, download patch 7.0.44.3-TIV-RSS-Solaris-IF003.zip from Fix Central (http://www-933.ibm.com/support/fixcentral/).


If the above information does not resolve your issue, please contact IBM Security Systems Customer Support.


Document information

More support for: IBM Security Host Protection
Software version: 7.0 - SR 4.4
Operating system(s): AIX, HP-UX
Reference #: 1633471
Modified date: 2013-07-01
