topic How to configure syslog on the following IPS module ? in Network Security

How to configure syslog on the following IPS module ?

Saurabh Srivastava — Sun, 10 Mar 2019 12:52:01 GMT

Hi All,

We have IPS modules (ASA-SSM-10) which is installed in Cisco ASA firewall (5520) and i want to integrated the module in RSA Envision log management server. Please confirm if these can be integrated in Envision and how? I am able to recieve Cisco ASA logs by enabling loggin on the box. I need to send logs from this sensor.

Below are the module details--

Platform: ASA-SSM-10
Build Version: 7.0(4)E4

Os Version: 2.4.30-IDS-smp-bigphys
Can anybody advise me on this

Regards,

Saurabh Srivastava

How to configure syslog on the following IPS module ?

Rafael Mendes — Thu, 10 Jan 2013 16:21:52 GMT

You can send the log messages to your SIEN using SNMP Traps.

See the DOC: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cliguide7.html

How to configure syslog on the following IPS module ?

JonPBerbee — Thu, 10 Jan 2013 18:17:05 GMT

RSA enVision can be configured to pull these logs using the Cisco's SDEE protocol.

You need to allow the enVision server to connect to the IPS through an access-list entry in "service host\network-settings" on the CLI.

From enVision you need to configure the SDEE Collection Service from "Overview\System Configuration\Services\Device Services\Manage SDEE Collection Service". When adding a device just give the IP address of the IPS, a user name for enVision to use to connect, password, and port of 443.

One thing to note, this will give you basic alert information but wont include the TriggerPacket details which are often times helpful in alert investigation. You can check if this is the case by opening the "Cisco Secure Ids.txt" file from the "\nic\csd\config\sdees\templates" directory and see if it contains "cid:triggerPacket". If the file doesn't contain that you can just rename the file to something like "Cisco Secure Ids.old" and then copy the "Cisco Secure Ids.txt" file from

"%_envision%\etc\devices\ciscoidsxml\sdee" to "\nic\csd\config\sdees\templates". Restart the Collector service and you should be good to go.

One final note, the trigger packet data comes over in base64 format so you will need to run that output through a base64 program or script of some sort.

How to configure syslog on the following IPS module ?

Saurabh Srivastava — Fri, 11 Jan 2013 03:36:22 GMT

Hi Jon,

Thanks for reply..This procedure is for CISCO IPS appliance viz 4240 etc. however i want to integrate ASA-IPS module(SSM module) with RSA envision and i had contacted RSA in this regards and as per them logs will come under ASA logs via syslog but fail to see the IPS logs..

Please suggest..

Regards,

Saurabh

How to configure syslog on the following IPS module ?

sawgupta — Fri, 11 Jan 2013 04:38:41 GMT

Does the RSA tool supports SDEE events.

If yes, then it should be pretty straightforward to pull the events.

https://supportforums.cisco.com/docs/DOC-12515

Regards,

Sawan Gupta

How to configure syslog on the following IPS module ?

Saurabh Srivastava — Fri, 11 Jan 2013 13:38:15 GMT

Thanks Sawan..i will try it out.

Regards,
Saurabh

How to configure syslog on the following IPS module ?

JonPBerbee — Fri, 11 Jan 2013 15:10:40 GMT

Hi Saurabh,

The enVision appliances we manage all pull the events from IPS modules in ASA's so the process will work for that as well, as long as you have given the IPS an IP address and have the management port cabled. We have enVision pulling logs via the process I explained from ASA-SSM-10 & ASA5515-IPS devices.

Jon.