https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997722#M79382 <P>Hi,</P><P></P><P>Could anyone please tell me where can I find the information regarding the Fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?</P><P></P><P>Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:</P><P>[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]</P><P></P><P>Thanks.</P><P></P><P>Regards,</P><P>Pratik</P> Sun, 10 Mar 2019 11:12:15 GMT pratik.jadav 2019-03-10T11:12:15Z https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997722#M79382 <P>Hi,</P><P></P><P>Could anyone please tell me where can I find the information regarding the Fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?</P><P></P><P>Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:</P><P>[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]</P><P></P><P>Thanks.</P><P></P><P>Regards,</P><P>Pratik</P> Sun, 10 Mar 2019 11:12:15 GMT https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997722#M79382 pratik.jadav 2019-03-10T11:12:15Z https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997723#M79383 <HTML><HEAD></HEAD><BODY><P>Pratik -</P><P></P><P>There are two ways of getting event messages out of a sensor. The standard is SDEE, which is just XML that you can look inside to see the tags on each field. They like to call it "self documenting". The second (and more difficult because it requires you to tune each active signature) is syslog.</P><P>Which log format are you looking for?</P><P></P><P> </P></BODY></HTML> Fri, 18 Jul 2008 15:09:49 GMT https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997723#M79383 rhermes 2008-07-18T15:09:49Z https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997724#M79384 <HTML><HEAD></HEAD><BODY><P>Thanks rhermes.</P><P></P><P>I am more interested in the fields that are there in the logs and not the actual format of the log. </P><P></P><P>I am trying to find out what information is available in the logs. e.g. attacker IP, victim IP, signatureID etc... </P><P>the format of the logs (SDEE/syslog) doesnt matter.</P><P></P><P>Total of how many fields are there for each log and what does each field mean.</P><P></P><P>I am really sorry if this sounds silly but I am new to the IPS stuff and couldnt get the info I wanted on the cisco site.</P><P></P><P>Please let me know if anyone could pls share this info with me. It would be really helpful to me.</P><P></P><P>Thanks.</P><P></P><P>Regards,</P><P>Pratik</P></BODY></HTML> Fri, 18 Jul 2008 15:48:04 GMT https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997724#M79384 pratik.jadav 2008-07-18T15:48:04Z https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997725#M79387 <HTML><HEAD></HEAD><BODY><P>Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4, I don't see Risk Rating). Each time a new major version of software is release, new features are added and (if reportable) they show up as new fields in the SDEE messages.</P><P></P><P>- <EVALERT eventid="1159163097352391996" severity="medium"></EVALERT></P><P>- <ORIGINATOR></ORIGINATOR></P><P> <HOSTID>testsensor4250XL</HOSTID> </P><P> <APPNAME>sensorApp</APPNAME> </P><P> <APPINSTANCEID>440</APPINSTANCEID> </P><P> </P><P> <ALERTVERSION>Sdee</ALERTVERSION> </P><P> <ORIGIPADDR>10.1.1.119</ORIGIPADDR> </P><P> <TIME offset="0" timezone="UTC">1180958240541285000</TIME> </P><P> <ALERTSENDER name="Sensor3">10.1.1.119</ALERTSENDER> </P><P> <SIGNATURE sigid="12009" signame="MarketScore Activity" version="S130" subsigid="0"></SIGNATURE> </P><P> <INTERFACEGROUP></INTERFACEGROUP> </P><P> <VLAN>0</VLAN> </P><P> <SUMMARY summarytype="" initialalert="0" final="false">1</SUMMARY> </P><P>- <CONTEXT></CONTEXT></P><P> <FROMVICTIM></FROMVICTIM> </P><P> <FROMATTACKER>R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=</FROMATTACKER> </P><P> </P><P>- <PARTICIPANTS></PARTICIPANTS></P><P>- <ATTACK totalattackers="1" totalvictims="1"></ATTACK></P><P>- <ATTACKER totalports="1" proxy="false"></ATTACKER></P><P> <ADDR locality="IN">11.1.1.2</ADDR> </P><P> <PORT>60556</PORT> </P><P> </P><P>- <VICTIM totalports="1"></VICTIM></P><P> <ADDR locality="OUT">61.1.1.76</ADDR> </P><P> <PORT>80</PORT> </P><P> </P><P> </P><P> </P><P> <ALERTDETAILS></ALERTDETAILS> </P><P> </P></BODY></HTML> Fri, 18 Jul 2008 21:25:17 GMT https://community.cisco.com/t5/network-security/cisco-ips-4200-log-fields/m-p/997725#M79387 rhermes 2008-07-18T21:25:17Z