https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615496#M65581 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can find it in syslog from ASA.</P><P>It will look like this : %ASA-4-420003: IPS requested to reset TCP connection from</P><P></P><P>I suppose, this is enough.</P><P>But from IPS module - as TACman said...</P><P></P><P>HTH</P><P></P><P>Pavel</P></BODY></HTML> Fri, 25 Feb 2011 13:45:08 GMT Pavel Pokorny 2011-02-25T13:45:08Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615492#M65577 <P>Dear all,</P><P></P><P>I want to find out if there is any means of configuring my AIP-SSM-20 to generate and send a syslog message whenever it blocks a connection, drops a packet or find any anomaly traffic traversing through it from either the Internet or the Internal network. For audit reasons, my management wants to see this logs send to a syslog server. I have been trying to use IME( IPS Manager Express) to configure this but have not seen any option relating to Syslogs.</P><P></P><P>Please if there is a means, let me know and also give me instructions on how to do it.</P><P></P><P>I would be greatful for your assistance.</P><P></P><P>Kind Regards</P><P></P><P>Claude Fozao</P> Sun, 10 Mar 2019 12:16:39 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615492#M65577 claude.fozao 2019-03-10T12:16:39Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615493#M65578 <HTML><HEAD></HEAD><BODY><P>No, unfortunately the Cisco IPS events are in Cisco proprietary format, hence there is no option to actually send those events through syslog messages.</P></BODY></HTML> Thu, 24 Feb 2011 06:58:32 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615493#M65578 Jennifer Halim 2011-02-24T06:58:32Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615494#M65579 <HTML><HEAD></HEAD><BODY><P>Jennifer,</P><P></P><P>Thanks for your prompt response. In this case, is there a way to retrive all the past events from the event store. I believe that this events are saved in an event store which can be retrived and analysed.</P><P></P><P>Thanks again</P></BODY></HTML> Thu, 24 Feb 2011 07:30:24 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615494#M65579 claude.fozao 2011-02-24T07:30:24Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615495#M65580 <HTML><HEAD></HEAD><BODY><P>Syslog is UDP based. A packet if lost cannot be re-transmitted.</P><P>For event retrieval, not convenient. Does not achieve guaranteed data transfer.</P><P>Not the best option if all data has to be recorded for audit purposes.</P><P></P><P>Hence for IPS the event retrieval is done via SDEE protocol which is TCP based.</P><P>SDEE is not Cisco Proprietary.&nbsp; <SPAN id="search"></SPAN></P><P></P><P>Please check:</P><P><A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-12515">https://supportforums.cisco.com/docs/DOC-12515</A></P><P></P><P>The IPS events are stored in its own event store.</P><P>The capacity of this event store is limited and old events can get overwritten.</P><P>Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.</P><P>IME can retrieve events from the IPS event store and store it locally.</P><P>IME installs a my-sql database on the machine.</P><P>You can store upto 400 archive files each containing max 1 million events.</P><P></P><P>Hope this helps.</P><P></P><P>Sid Chandrachud</P><P>TAC Security Solutions</P></BODY></HTML> Thu, 24 Feb 2011 07:46:21 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615495#M65580 Siddharth Chandrachud 2011-02-24T07:46:21Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615496#M65581 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>You can find it in syslog from ASA.</P><P>It will look like this : %ASA-4-420003: IPS requested to reset TCP connection from</P><P></P><P>I suppose, this is enough.</P><P>But from IPS module - as TACman said...</P><P></P><P>HTH</P><P></P><P>Pavel</P></BODY></HTML> Fri, 25 Feb 2011 13:45:08 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615496#M65581 Pavel Pokorny 2011-02-25T13:45:08Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615497#M65582 <HTML><HEAD></HEAD><BODY><P>Hi Pavel,</P><P></P><P>That worked for me. I decided to log message IDs 420002 and 420003.</P><P></P><P>Thanks</P></BODY></HTML> Sat, 26 Feb 2011 12:39:33 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615497#M65582 claude.fozao 2011-02-26T12:39:33Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615498#M65583 <HTML><HEAD></HEAD><BODY><P>Hi Claude,</P><P></P><P>Good to hear advice helped.</P><P></P><P>Please sign if problem solved for you.</P><P></P><P>BR</P><P></P><P>Pavel</P><H1></H1></BODY></HTML> Sat, 26 Feb 2011 18:17:39 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615498#M65583 Pavel Pokorny 2011-02-26T18:17:39Z https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615499#M65584 <HTML><HEAD></HEAD><BODY><P>Hi Sid Chandrachud,</P><P></P><P>Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.</P><P>May I know what device is needed to archive all the events? </P><P>Can it be a normal linux or windows server to store the SDEE events? if possbile how to configure the IPS to send events to external servers?</P><P></P><P>Regards</P><P>Ryan</P></BODY></HTML> Wed, 11 Jan 2012 14:11:53 GMT https://community.cisco.com/t5/network-security/aip-ssm-20-to-send-syslog-messages/m-p/1615499#M65584 ryanhoibm 2012-01-11T14:11:53Z