Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5540
Views
0
Helpful
7
Replies

AIP-SSM-20 to send Syslog messages

claude.fozao
Level 1
Level 1

‎02-23-2011 10:50 PM - edited ‎03-10-2019 05:16 AM

Dear all,

I want to find out if there is any means of configuring my AIP-SSM-20 to generate and send a syslog message whenever it blocks a connection, drops a packet or find any anomaly traffic traversing through it from either the Internet or the Internal network. For audit reasons, my management wants to see this logs send to a syslog server. I have been trying to use IME( IPS Manager Express) to configure this but have not seen any option relating to Syslogs.

Please if there is a means, let me know and also give me instructions on how to do it.

I would be greatful for your assistance.

Kind Regards

Claude Fozao

Labels:
0 Helpful
7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

‎02-23-2011 10:58 PM

No, unfortunately the Cisco IPS events are in Cisco proprietary format, hence there is no option to actually send those events through syslog messages.

0 Helpful

claude.fozao
Level 1
Level 1
In response to Jennifer Halim

‎02-23-2011 11:30 PM

Jennifer,

Thanks for your prompt response. In this case, is there a way to retrive all the past events from the event store. I believe that this events are saved in an event store which can be retrived and analysed.

Thanks again

0 Helpful

Siddharth Chandrachud
Cisco Employee
Cisco Employee
In response to claude.fozao

‎02-23-2011 11:46 PM

Syslog is UDP based. A packet if lost cannot be re-transmitted.

For event retrieval, not convenient. Does not achieve guaranteed data transfer.

Not the best option if all data has to be recorded for audit purposes.

Hence for IPS the event retrieval is done via SDEE protocol which is TCP based.

SDEE is not Cisco Proprietary. 

Please check:

https://supportforums.cisco.com/docs/DOC-12515

The IPS events are stored in its own event store.

The capacity of this event store is limited and old events can get overwritten.

Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.

IME can retrieve events from the IPS event store and store it locally.

IME installs a my-sql database on the machine.

You can store upto 400 archive files each containing max 1 million events.

Hope this helps.

Sid Chandrachud

TAC Security Solutions

0 Helpful

ryanhoibm
Level 1
Level 1
In response to Siddharth Chandrachud

‎01-11-2012 06:11 AM

Hi Sid Chandrachud,

Hence IPS requires a device to retrieve events from its event store if you wish to store all the events.

May I know what device is needed to archive all the events?

Can it be a normal linux or windows server to store the SDEE events? if possbile how to configure the IPS to send events to external servers?

Regards

Ryan

0 Helpful

Pavel Pokorny
Level 1
Level 1

‎02-25-2011 05:45 AM

Hi,

You can find it in syslog from ASA.

It will look like this : %ASA-4-420003: IPS requested to reset TCP connection from

I suppose, this is enough.

But from IPS module - as TACman said...

HTH

Pavel

0 Helpful

claude.fozao
Level 1
Level 1
In response to Pavel Pokorny

‎02-26-2011 04:39 AM

Hi Pavel,

That worked for me. I decided to log message IDs 420002 and 420003.

Thanks

0 Helpful

Pavel Pokorny
Level 1
Level 1
In response to claude.fozao

‎02-26-2011 10:17 AM

Hi Claude,

Good to hear advice helped.

Please sign if problem solved for you.

BR

Pavel

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card