02-23-2011 10:50 PM - edited 03-10-2019 05:16 AM
Dear all,
I want to find out if there is any means of configuring my AIP-SSM-20 to generate and send a syslog message whenever it blocks a connection, drops a packet or finds any anomalous traffic traversing it from either the Internet or the internal network. For audit reasons, my management wants to see these logs sent to a syslog server. I have been trying to use IME (IPS Manager Express) to configure this but have not seen any option relating to syslog.
Please if there is a means, let me know and also give me instructions on how to do it.
I would be grateful for your assistance.
Kind Regards
Claude Fozao
02-23-2011 10:58 PM
No, unfortunately the Cisco IPS events are in Cisco proprietary format, hence there is no option to actually send those events through syslog messages.
02-23-2011 11:30 PM
Jennifer,
Thanks for your prompt response. In this case, is there a way to retrieve all the past events from the event store? I believe that these events are saved in an event store which can be retrieved and analysed.
Thanks again
02-23-2011 11:46 PM
Syslog is UDP based. A packet, if lost, cannot be re-transmitted.
For event retrieval this is not convenient, as it does not achieve guaranteed data transfer.
Not the best option if all data has to be recorded for audit purposes.
Hence for IPS the event retrieval is done via SDEE protocol which is TCP based.
SDEE is not Cisco Proprietary.
Please check:
https://supportforums.cisco.com/docs/DOC-12515
The IPS events are stored in its own event store.
The capacity of this event store is limited and old events can get overwritten.
Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.
IME can retrieve events from the IPS event store and store it locally.
IME installs a MySQL database on the machine.
You can store up to 400 archive files, each containing a maximum of 1 million events.
Hope this helps.
Sid Chandrachud
TAC Security Solutions
01-11-2012 06:11 AM
Hi Sid Chandrachud,
Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.
May I know what device is needed to archive all the events?
Can it be a normal Linux or Windows server to store the SDEE events? If possible, how do I configure the IPS to send events to external servers?
Regards
Ryan
02-25-2011 05:45 AM
Hi,
You can find it in syslog from ASA.
It will look like this: %ASA-4-420003: IPS requested to reset TCP connection from
I suppose, this is enough.
But from IPS module - as TACman said...
HTH
Pavel
02-26-2011 04:39 AM
Hi Pavel,
That worked for me. I decided to log message IDs 420002 and 420003.
Thanks
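The approach Pavel and Claude settled on is to log the ASA's own messages 420002 (IPS requested to drop a packet) and 420003 (IPS requested to reset a TCP connection) rather than the IPS module's proprietary events. The parser below is an added example, not code from this thread or from Cisco: it picks those two message IDs out of a syslog feed so an audit collector can store or alert on them. The sample log lines are constructed, and the exact field layout after the message ID ("from src/port to dst/port") is an assumption about the ASA message text; the regex is written to tolerate minor differences in the prefix.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines for demonstration (not captured from a real device).
# Only the 420002/420003 message IDs named in the thread are treated as IPS actions;
# the 302013 line is ordinary connection logging and should be ignored by the parser.
SAMPLE_LOG = """\
Feb 26 2011 04:31:02 asa1 %ASA-4-420002: IPS requested to drop packet from 203.0.113.45/51234 to 192.0.2.10/80
Feb 26 2011 04:31:05 asa1 %ASA-4-420003: IPS requested to reset TCP connection from 203.0.113.45/51240 to 192.0.2.10/443
Feb 26 2011 04:31:07 asa1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4000 (203.0.113.9/4000) to inside:192.0.2.20/22 (192.0.2.20/22)
Feb 26 2011 04:31:09 asa1 %ASA-4-420002: IPS requested to drop packet from 198.51.100.7/443 to 192.0.2.30/33012
"""

# Message IDs the thread identifies as the ASA's record of IPS enforcement actions.
IPS_ACTION_IDS = {"420002": "drop", "420003": "reset"}

# Generic ASA message header: %ASA-<severity>-<6-digit id>: <text>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# Assumed flow layout inside the 4200xx message text (hypothetical, see lead-in).
FLOW_RE = re.compile(r"from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_ips_events(log_text):
    """Return a list of dicts, one per IPS drop/reset message found in log_text.

    Lines with other message IDs, or 4200xx lines whose flow fields cannot be
    parsed, are skipped rather than raising, so one odd line does not stop an
    audit collector from processing the rest of the feed.
    """
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m or m.group("id") not in IPS_ACTION_IDS:
            continue
        flow = FLOW_RE.search(m.group("text"))
        if not flow:
            # Keep the event but mark the flow as unknown so it is not silently lost.
            events.append({"id": m.group("id"), "action": IPS_ACTION_IDS[m.group("id")],
                           "src": None, "sport": None, "dst": None, "dport": None,
                           "raw": line})
            continue
        events.append({
            "id": m.group("id"),
            "action": IPS_ACTION_IDS[m.group("id")],
            "src": flow.group("src"),
            "sport": int(flow.group("sport")),
            "dst": flow.group("dst"),
            "dport": int(flow.group("dport")),
            "raw": line,
        })
    return events


def count_actions(events):
    """Tally how many drops and resets the ASA reported, e.g. {'drop': 2, 'reset': 1}."""
    return dict(Counter(e["action"] for e in events))


def top_sources(events, n=5):
    """Source addresses that triggered the most IPS actions, most frequent first."""
    return Counter(e["src"] for e in events if e["src"]).most_common(n)


if __name__ == "__main__":
    evts = parse_ips_events(SAMPLE_LOG)
    for e in evts:
        print(f"{e['id']} {e['action']:5} {e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    print("actions:", count_actions(evts))
    print("top sources:", top_sources(evts))
```

Because the ASA can send syslog over TCP (a point Sid's post makes about why UDP syslog is weak for audit trails), feeding this parser from a TCP syslog collector rather than a UDP listener keeps the enforcement record complete. The 302013-style connection-build lines are deliberately ignored; they are useful for correlation, but they are not evidence that the IPS acted.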
02-26-2011 10:17 AM
Hi Claude,
Good to hear advice helped.
Please sign if problem solved for you.
BR
Pavel