topic Hi,Event Critical : Lets you in Network Security

Event Retrieval Issue

c1szhibin — Sun, 10 Mar 2019 13:23:26 GMT

I noticed that the sensor health on IPS showing "Critical".

And I clicked for the details, it showed the event retrieval is critical and not retrieved now. I don't know what does that mean.

Can anyone tell me what causes this information and how to fix it?

Hi,Event Critical : Lets you

Akshay Rastogi — Wed, 03 Jun 2015 02:49:55 GMT

Hi,

Event Critical : Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_sensor_management.html#wpxref98287

This health parameter allows us to set a threshold for when the last event was retrieved from the sensor. The health status is degraded to yellow or red depending on the time interval that has been configured for corresponding thresholds. The range of threshold is 0 to 4294967295 seconds.

Check the show tech from the IPS/AIP and search for “Health Status for the Time Since Last Event Retrieval”, it should be showing RED as well. As we know IDM cannot pull events from the IPS/AIP directly and we will need IME for that, so if the events were not polled for an amount of time (default of 300 for yellow status) and (default of 600 sec for RED), the event status will change colors.

So it's either Event Retrieval is enabled and the IME is not installed, hence no events are being polled, then this error can be ignored and the event polling can be disabled safely (un-check the Event Retrieval checkbox), OR the IME is not operating as it should and there might be communication issue between the device and the IME.

Or if it is giving a certificate error or something check 'show version and see if the Host certificate has expired(mentioned at last of show version). If yes, then run the command 'tls generate-key'.

Please let me know if you have any query on this.

Regards,

Akshay Rastogi

After I run the command "tls

c1szhibin — Thu, 11 Jun 2015 07:27:18 GMT

After I run the command "tls generate-key" , the notification still exists.

Hi,Are are getting this

Akshay Rastogi — Thu, 11 Jun 2015 08:14:12 GMT

Hi,

Are are getting this Critical on IDM or IME? as i have mentioned in the last reply that the IDM would show this Event as Critical as it does not pull Events from IPS directly and it need IME to do so.

Regards,

Akshay Rastogi

I think it's on IDM. There is

c1szhibin — Mon, 15 Jun 2015 05:41:43 GMT

I think it's on IDM. There is only one IPS running.

Hi,

Akshay Rastogi — Mon, 15 Jun 2015 11:13:44 GMT

Hi,

In that case, this Event Retrieval can be ignored as mentioned in the last Reply. You need IME to pull Events. It is not causing any issue.

 As we know IDM cannot pull events from the IPS/AIP directly and we will need IME for that, so if the events were not polled for an amount of time (default of 300 for yellow status) and (default of 600 sec for RED), the event status will change colors.

So it's either Event Retrieval is enabled and the IME is not installed, hence no events are being polled, then this error can be ignored and the event polling can be disabled safely (un-check the Event Retrieval checkbox), OR the IME is not operating as it should and there might be communication issue between the device and the IME.

Please let me know if you have any further query on this. If this answers your query, I would request you to select the appropriate response as the solution for this thread.

Regards.

Akshay Rastogi

Thank you for ur kindness.

c1szhibin — Mon, 29 Jun 2015 08:50:45 GMT

Thank you for ur kindness. After what u said, the following is my solution.

Configuration -> IPS -> Sensor Management -> Sensor Health

no tick the box of “Event Retreval”