https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918107#M85669 <HTML><HEAD></HEAD><BODY><P>The problem is that you are using the 5.x-style event-server and so you do not see all of the event fields. You need to change the app to pull from the "sdee-server" and then you will see all of the event fields:</P><P></P><P><A class="jive-link-custom" href="http://a.b.c.d/cgi-bin/sdee-server?events=evAlert" target="_blank">http://a.b.c.d/cgi-bin/sdee-server?events=evAlert</A> </P></BODY></HTML> Mon, 24 Sep 2007 14:46:36 GMT jamesand 2007-09-24T14:46:36Z https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918106#M85661 <P>Greetings all. Apologies for the dramatic headline but I'm in a bit of a time crunch.</P><P></P><P>I have a 4215 running 6.0(3)E1. The device is inline. Below is an event which triggered,</P><P></P><P>========================</P><P>evIdsAlert: eventId=1184881408377311643 severity=low vendor=Cisco </P><P> originator: </P><P> hostId: xyz</P><P> appName: sensorApp</P><P> appInstanceId: 380</P><P> time: 2007/09/24 15:11:25 2007/09/24 15:11:25 UTC</P><P> signature: description=Recognized content type id=12673 version=S149 </P><P> subsigId: 0</P><P> sigDetails: Recognized content type</P><P> marsCategory: Info/Misc</P><P> interfaceGroup: vs0</P><P> vlan: 0</P><P> participants: </P><P> attacker: </P><P> addr: locality=any a.a.a.a</P><P> port: 80</P><P> target: </P><P> addr: locality=any b.b.b.b</P><P> port: 51095</P><P> os: idSource=unknown relevance=relevant type=unknown </P><P> actions: </P><P> deniedFlow: true</P><P> context:</P><P>fromAttacker: &lt;stuff&gt;</P><P> riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 50</P><P> threatRatingValue: 15</P><P> interface: fe2_1</P><P> protocol: tcp</P><P></P><P>========================</P><P></P><P>I have an external application which pull this same event from the sensor using a query *like* the following,</P><P></P><P>wget --user foo --password hoo <A class="jive-link-custom" href="http://a.b.c.d/cgi-bin/event-server?events=evAlert" target="_blank">http://a.b.c.d/cgi-bin/event-server?events=evAlert</A></P><P></P><P>I'm able to pull most of the event information but not all. What I can't seem to get from query is the " deniedFlow: true" value. I'm seeing something like,</P><P></P><P>&gt;&lt;/attack&gt;&lt;/participants&gt;&lt;actions&gt;&lt;/actions&gt;&lt;/evAlert&gt;</P><P></P><P>Notice the "deniedFlow: true" information missing between action.</P><P></P><P>Is my wget-ish query missing some arguments which is preventing me from pulling all the same information I can see from the CLI?</P><P></P><P>Thanks in advance.</P> Sun, 10 Mar 2019 10:48:28 GMT https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918106#M85661 gdntsoc 2019-03-10T10:48:28Z https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918107#M85669 <HTML><HEAD></HEAD><BODY><P>The problem is that you are using the 5.x-style event-server and so you do not see all of the event fields. You need to change the app to pull from the "sdee-server" and then you will see all of the event fields:</P><P></P><P><A class="jive-link-custom" href="http://a.b.c.d/cgi-bin/sdee-server?events=evAlert" target="_blank">http://a.b.c.d/cgi-bin/sdee-server?events=evAlert</A> </P></BODY></HTML> Mon, 24 Sep 2007 14:46:36 GMT https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918107#M85669 jamesand 2007-09-24T14:46:36Z https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918108#M85671 <HTML><HEAD></HEAD><BODY><P>That solved it. Thank you very much, James. I appreciate it.</P></BODY></HTML> Mon, 24 Sep 2007 14:55:28 GMT https://community.cisco.com/t5/network-security/ips-event-query-help-needed-badly/m-p/918108#M85671 gdntsoc 2007-09-24T14:55:28Z