The ips collect-attack-evidence rule command configures an IPS global evidence collection rule.
The undo ips collect-attack-evidence rule command deletes an IPS global evidence collection rule.
| Parameter | Description | Value |
|---|---|---|
| text | Specifies the evidence collection field of a global evidence collection rule. | The value is a character string in the format log:Field 1,Field 2,...;. A maximum of eight fields can be configured. For details about the evidence collection fields and syntax rules that can be configured, see the Online Syntax Manual. |
By default, no IPS global evidence collection rule is configured.
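The only syntax constraints the page states for the text argument are the log:...; wrapper and the eight-field limit. The following added example (not vendor code) checks exactly those constraints before a rule is pushed to a device; the field names FIELD_A and FIELD_B are constructed placeholders, since the legal names come from the Online Syntax Manual.

```python
"""Validate the text argument of `ips collect-attack-evidence rule <text>`.

Added example, not part of the vendor documentation. It enforces only
the constraints stated on the page: the string has the form
`log:Field 1,Field 2,...;` and carries at most eight fields. Field
names used in the doctest-style calls below are constructed
placeholders; the legal names are listed in the Online Syntax Manual.
"""
from dataclasses import dataclass, field

MAX_FIELDS = 8          # stated limit: a maximum of eight fields
PREFIX = "log:"         # required leading keyword
TERMINATOR = ";"        # required trailing character


@dataclass
class RuleText:
    fields: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors


def parse_rule_text(text: str) -> RuleText:
    """Parse one rule text and collect every syntax problem found."""
    result = RuleText()
    body = text
    if body.startswith(PREFIX):
        body = body[len(PREFIX):]
    else:
        result.errors.append(f"must start with {PREFIX!r}")
    if body.endswith(TERMINATOR):
        body = body[:-len(TERMINATOR)]
    else:
        result.errors.append(f"must end with {TERMINATOR!r}")
    # Fields are comma separated; surrounding whitespace is not part of a name.
    names = [n.strip() for n in body.split(",")] if body else []
    if not names:
        result.errors.append("at least one field is required")
    for i, name in enumerate(names, 1):
        if name == "":
            result.errors.append(f"field {i} is empty")
    if len(names) > MAX_FIELDS:
        result.errors.append(f"{len(names)} fields given, maximum is {MAX_FIELDS}")
    result.fields = names
    return result


def build_command(text: str) -> str:
    """Return the full CLI line, or raise ValueError if the text is malformed."""
    parsed = parse_rule_text(text)
    if not parsed.valid:
        raise ValueError("; ".join(parsed.errors))
    return f"ips collect-attack-evidence rule {text}"
```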
Usage Scenario
Using the ips collect-attack-evidence rule command, you can configure an IPS global evidence collection rule. Once the rule is configured, the IPS global evidence collection function takes effect. When malicious traffic matches a signature, the device extracts the configured evidence collection fields from that traffic. The extracted fields are carried in IPS logs and sent to the log server, or displayed in View Threat Log Details of threat logs on the web UI.
Prerequisites
You need to run the ips log extend enable command to enable the extended information output function of IPS logs so that IPS logs can carry extended information such as the global evidence collection field. If this function is disabled, IPS global evidence collection cannot be performed.
Follow-up Procedure