https://community.cisco.com/t5/network-security/ips-event-store/m-p/1624913#M65566 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Events generated are stored locally in the event store of the IPS.</P><P>This event store has limited storage so old events will get overwritten with new ones.</P><P></P><P>Hence we can actually retieve the events from the IPS usind TCP based SDEE protocol if one wishes to store all the events.</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12515">https://supportforums.cisco.com/docs/DOC-12515</A></P><P></P><P>This can be done using:</P><P></P><P>1. IPS Manager express (IME). Free download on cisco.com</P><P>2. MARS</P><P>3. External SDEE server.</P><P></P><P>What software are you using to veiw events ?</P><P></P><P>Just use IME to view the events from the IPS.</P><P>And IME can store events from the IPS locally on the harddrive of the machine on which its installed.</P><P>You can filter on simply viewing high sev events.</P><P></P><P></P><P>Sid Chandrachud</P><P>Cisco TAC&nbsp; - Security Team.</P></BODY></HTML> Fri, 25 Feb 2011 19:41:32 GMT Siddharth Chandrachud 2011-02-25T19:41:32Z https://community.cisco.com/t5/network-security/ips-event-store/m-p/1624912#M65565 <P>Hi,</P><P></P><P>We have an IPS 4240. We do not have any SNMP logging,but there are many Alterts of High siverity and we would like to know all that is of High sivereity. But when we query the event viewer, it shows only for the last 3 days. Does this mean the logs are getting over written.</P><P></P><P>&nbsp; section Cumulative number of each type of event<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Status events 78455<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Shun request events 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error events, warning 447<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error events, error 480<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Error events, fatal 0<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, informational 2137338<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, low 60847<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, medium 292<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, high 5199<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, threat rating 0-20 239092<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, threat rating 21-40 1898253<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, threat rating 41-60 64126<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, threat rating 61-80 1413<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Alert events, threat rating 81-100 792</P><P></P><P>Any way we can get information on all the 792 high siverity of events if they are not sent to any logging server.</P><P></P><P>What is the capacity of the event store. Can we enable event store that it stores only events of high siverity rather than all informationation events as well.</P><P></P><P>Rgds,</P><P></P><P>Tauseef</P> Sun, 10 Mar 2019 12:16:50 GMT https://community.cisco.com/t5/network-security/ips-event-store/m-p/1624912#M65565 tad.190804 2019-03-10T12:16:50Z https://community.cisco.com/t5/network-security/ips-event-store/m-p/1624913#M65566 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Events generated are stored locally in the event store of the IPS.</P><P>This event store has limited storage so old events will get overwritten with new ones.</P><P></P><P>Hence we can actually retieve the events from the IPS usind TCP based SDEE protocol if one wishes to store all the events.</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12515">https://supportforums.cisco.com/docs/DOC-12515</A></P><P></P><P>This can be done using:</P><P></P><P>1. IPS Manager express (IME). Free download on cisco.com</P><P>2. MARS</P><P>3. External SDEE server.</P><P></P><P>What software are you using to veiw events ?</P><P></P><P>Just use IME to view the events from the IPS.</P><P>And IME can store events from the IPS locally on the harddrive of the machine on which its installed.</P><P>You can filter on simply viewing high sev events.</P><P></P><P></P><P>Sid Chandrachud</P><P>Cisco TAC&nbsp; - Security Team.</P></BODY></HTML> Fri, 25 Feb 2011 19:41:32 GMT https://community.cisco.com/t5/network-security/ips-event-store/m-p/1624913#M65566 Siddharth Chandrachud 2011-02-25T19:41:32Z