https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913743#M55322 <HTML><HEAD></HEAD><BODY><P>For signatures firing a lot, you can use IPS CLI command "show stats virtual-sensor" </P><P>or</P><P>"show statistics virtual-sensor | be SigEvent count"</P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Thu, 10 May 2012 08:52:00 GMT sawgupta 2012-05-10T08:52:00Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913740#M55319 <P>hi, everyone</P><P></P><P>i've noticed one tangled fact on idm monitoring events dashboard. it doesn't show alerts, which i notice on main page home/netwrok security health sensor cyrcle. In the past 5 minutes sensor show for example 10 red alerts, but when i switch on event dashboard - there are nothing on this table.....</P><P>several days ago i saw some periodical alerts about<STRONG> 4003</STRONG> signature - nmap udp sweep. it was happening during week, and i think that quaintity of real tine alerts on sensor health cyrcle and on events table were the same.</P><P>only that i'm noticing now,<STRONG> 3041</STRONG> signature and some times<STRONG> errorMessage: - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531]&nbsp; name=errWarning&nbsp; </STRONG></P><P>i've read about this error some notes,but don't understand what should i change for viewing real-time alerts and <STRONG>4003</STRONG> signature (when idm works correct, it was the main attack). practically all confoguration on default values. ips works in promiscious mode</P><P></P><P>thanks for any help and advices</P> Sun, 10 Mar 2019 12:40:05 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913740#M55319 Ruslan Mansurau 2019-03-10T12:40:05Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913741#M55320 <HTML><HEAD></HEAD><BODY><P>Regarding the message "<STRONG>errorMessage: - the event store wrapped around "</STRONG></P><P>Events are stored in a circular buffer. Once the buffer if full, we would simply overwrite the oldest event. If you are seeing multiple such messages, it means that the number of events is really high. You might want to set<STRONG> Alert Frequency &gt; Summary Mode </STRONG>for the signatures which are firing a lot.</P><P></P><P>Refer to the following link to configure Summary Mode:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml#IDM">http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080838bcf.shtml#IDM</A></P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Sun, 06 May 2012 11:05:00 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913741#M55320 sawgupta 2012-05-06T11:05:00Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913742#M55321 <HTML><HEAD></HEAD><BODY><P><SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN> one more question - how can i reveal definite signatures which are firing a lot? because this message appears in all tables which I choose (show monitoring events dashboard - for example only high or only medium or only low notifications)</P><P></P><P>and could you give me pieces of&nbsp; advice for primary configuring ips (any books, notes, examples), please? i've explored several on cisco.com, but only what i've found is general opportunities of ips</P><P></P><P> p.s. for beginners in security)</P></BODY></HTML> Thu, 10 May 2012 06:31:34 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913742#M55321 Ruslan Mansurau 2012-05-10T06:31:34Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913743#M55322 <HTML><HEAD></HEAD><BODY><P>For signatures firing a lot, you can use IPS CLI command "show stats virtual-sensor" </P><P>or</P><P>"show statistics virtual-sensor | be SigEvent count"</P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Thu, 10 May 2012 08:52:00 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913743#M55322 sawgupta 2012-05-10T08:52:00Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913744#M55323 <HTML><HEAD></HEAD><BODY><P>thanks one more time</P><P></P><P>ok, i've found big quantity in some signature, but this signature hasn't changed for producing alerts (by default). so can it make this wrapping error? or i should find those signature which produces alerts to monitoring events dashboard and after that change state for appearing this alert from Fire all to Summarize as you said at the first answer?</P></BODY></HTML> Thu, 10 May 2012 11:40:50 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913744#M55323 Ruslan Mansurau 2012-05-10T11:40:50Z https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913745#M55324 <HTML><HEAD></HEAD><BODY><P>You can verify the events using command "show events"</P><P></P><P>- If it is a false positve, then you might want to report it to Cisco TAC.</P><P>- Or summarize the signature event.</P><P>- If the signature is not relevant then you may retire and disable it.</P><P></P><P>Regards,</P><P>Sawan Gupta</P></BODY></HTML> Thu, 10 May 2012 12:57:44 GMT https://community.cisco.com/t5/network-security/ips-4240-k9-idm-6-2-monitoring-events-issue/m-p/1913745#M55324 sawgupta 2012-05-10T12:57:44Z