cisco ips logging options (SDEE, IME, Archiving)

Ralphy006
Level 1

Based on the following post, cisco IPS' can send basic syslog messages: https://supportforums.cisco.com/discussion/12180461/cisco-asa-5585-syslog-options-ips

Does anyone know which messages are sent via syslog?

Also, I understand the Cisco IME can be used to retrieve SDEE logs. I understand it can archive files. I need to make sure the logs are archived, and kept for at least a year. My concern for Cisco IME is that I won't know if the IME application fails or not. I believe it needs to be running in order for it to retrieve the SDEE logs.

Also, if the max number of archived files ever hits, is it possible to move old files to another folder? And then move those files back when they need to be viewed in the IME?

I am also hitting a deadend when it comes to finding alternatives for logging SDEE events. Splunk used to have a tool that could do this. But it is now deprecated. Anyone aware of any good SDEE retrival tools?

Any suggestions are appreciated
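An added example (not Cisco's or IME's own code) for the two operational worries in the question: noticing that the collector has stopped writing archive files, and moving surplus archives to a side folder rather than losing them once the archive limit is hit. It assumes the collector writes one file per pull into a single folder and that each file's mtime reflects the pull time; the folder names, the 2-hour staleness threshold and the file limit are placeholders.

```python
"""Watchdog for an IPS event archive folder written by an SDEE collector
(for example Cisco IME).  Added example, not Cisco code.  Assumptions:
one archive file per pull, newest file mtime == time of the last pull."""
from __future__ import annotations
import shutil
import time
from pathlib import Path

RETENTION_DAYS = 365        # compliance floor from the question: keep >= 1 year
STALE_SECONDS = 2 * 3600    # no new archive for 2 h -> assume the collector died


def collector_is_stale(mtimes, now, stale_seconds=STALE_SECONDS):
    """True when the newest archive is older than stale_seconds (or none exist).
    This is the signal the question asks for: IME silently not pulling events."""
    if not mtimes:
        return True
    return now - max(mtimes) > stale_seconds


def plan_rotation(files, now, max_files, retention_days=RETENTION_DAYS):
    """files: {name: mtime}.  Returns (to_cold, to_delete), oldest first.
    Files beyond max_files are surplus; surplus inside the retention window is
    moved to cold storage (reversible), surplus past it may be deleted."""
    by_age = sorted(files, key=files.get)                 # oldest first
    surplus = by_age[:max(0, len(by_age) - max_files)]
    cutoff = now - retention_days * 86400
    to_delete = [n for n in surplus if files[n] < cutoff]
    to_cold = [n for n in surplus if files[n] >= cutoff]
    return to_cold, to_delete


def rotate_archive(live_dir, cold_dir, max_files, now=None):
    """Apply plan_rotation to real folders and report whether the collector
    looks dead.  Files moved to cold_dir can be moved back to view them."""
    now = time.time() if now is None else now
    live, cold = Path(live_dir), Path(cold_dir)
    cold.mkdir(parents=True, exist_ok=True)
    files = {p.name: p.stat().st_mtime for p in live.iterdir() if p.is_file()}
    to_cold, to_delete = plan_rotation(files, now, max_files)
    for name in to_cold:
        shutil.move(str(live / name), str(cold / name))
    for name in to_delete:
        (live / name).unlink()
    return {"stale": collector_is_stale(list(files.values()), now),
            "moved_to_cold": to_cold, "deleted": to_delete}
```

Run it from a scheduled task and alert on `stale` being true; that alert is what tells you IME (or any other collector) has stopped pulling.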

4 Replies

Seth Bjorn
Level 1

I'm using LogRhythm via SDEE to retrieve and store all the IPS events and it works great. Pretty easy to integrate and set up alerts and such.

I would imagine Splunk still supports it, probably just has to be done another way or something. I can't imagine how big an install base Splunk has and not support SDEE any more.

Thanks Seth. Have you ever tried just using the Cisco IME?

Sorry but I haven't ever used IME for logging purposes. We have compliance requirements that have set timelines for archives and whatnot, so it's easier to manage it with our other logs.

Marvin Rhoads
Hall of Fame

There are very few IPS-related syslog messages generated - primarily health of the overall sensor device or platform. Anything useful as far as actual IPS intrusion events, attempts etc. will only be available on the legacy Cisco IPS platforms via SDEE.

Cisco IME (free, limited number of managed devices, runs on a PC without any real archiving etc.) is the least cost option to retrieve and display the events.

Stepping up in the Cisco offerings would be to use Cisco Security Manager. It does archiving, hierarchical storage etc. However its days are numbered as Cisco revamps both the IPS and traditional ASA features to account for both their development of CX-related products (including IPS) and the SourceFire product line. I don't know that I'd recommend CSM for a new buy.

If you have existing Cisco IPS and really need to archive the SDEE-retrieved events, then you could use LogRhythm or such as noted in the earlier reply.
