cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
14861
Views
15
Helpful
12
Replies

Event retrieval

Leeyoungsoo
Level 1
Level 1

Dear Experts!

We have a AIP-SSM-10 on ASA 5540

and it is display critical seosor health

status that is not event retrieval.

I did find cisco web page but I did not find any document.

How Can I fix this problem? and Where can I find related document?

Thans in advance!

12 Replies 12

andrey.dugin
Level 1
Level 1

Check your interfaces status on module. May be inline or promiscuous interfaces are down.

Thanks for your advise but interface

status are normal.

I`m gonna attache capture image.

Thanks

What version of software are you running, with 7.0 you now have the capability of using event correlation. It looks to me like you haven't configured it and therefore events have not been downloaded/retrieved.

marcabal
Cisco Employee
Cisco Employee

Here is the basic explanation from the IDM User Guide:

Event Retrieval-Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.

Note The event retrieval metric keeps track of when the last event was retrieved by an external monitoring application such as IME. Disable Event Retrieval if you are not doing external event monitoring.

http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/idm/idm_sensor_management.html#wpxref98287

There are 3 primary methods by which events are monitored: Subscription, Query, and Traps

A Subscription is used by external Monitoring Tools. The typical Cisco tools for Monitoring are IME (Intrusion Prevention Manager Express) and CS MARS.

If you don't already own CS MARS, then IME is recommended. If you have a service contract for your sensor (which you need for upgrading signatures), then as part of that contract you can download and use IME at no extra cost.

IME maintains a Subscription with the sensor. Think of it similar to a magazine Subscription where you keep on getting next months magazine unless you cancel your subscription. IME sends an open message to the sensor to start the Subscription, and then just keeps asking for new data as part of that Subscription.

Other 3rd party tools are capable of using Subscriptions as well. If you are using a 3rd part management tool for monitoring then contact that company to see if their tool uses a Subscription.

This specific health statistic for event retrieval is to let you know if your subscriptions are up to date.

In your case it doesn't like you have any tool that has even started a subscription so your sensor health is red.

If you don't plan on using a Monitoring tool that does Subscriptions, then disable the Event Retrieval Statistic from your sensor health.

This way Event Retrieval is ignored by the sensor when determining the Health of the sensor.

The second method for monitoring events is through a Query.

Using the magazine example, a Query is more like walking down to the local store and buying the new magazines one at a time. You don't automatically get next months magazine sent to you.

The IDM (Intrusion Detection Device Manager) has Event Monitoring screens, but these screens do one time Queries. If you want more data from the sensor you have to hit a button and it will grab one more set of data from the sensor. But it has to specifically ask each time.

The "show event" command from the sensor CLI is ALSO treated as a Query.

Some 3rd part monitoring tools also have coded to pull events using a Query instead of a Subscription.

The Event Retrieval statistic does NOT track Queries. So if you use IDM, CLI, or a 3rd party tool using Queries; then it has no affect on the Event Retrieval status.

You either need to switch to using a tool like IME that does do Subscriptions, or disable Event Retrieval as a statistic for sensor health.

The 3rd method is to use SNMP Traps.

SNMP Traps are done over UDP and not guaranteed to arrive at the monitoring tool.

So similar to Queries, the sending of SNMP Traps does not affect the Event Retrieval status.

If you are using SNMP Traps for monitoring, then you can disable the Event Retrival as a statustic for sensor health.

Hope this has made more sense out of what you are seeing.

I really appriciate for your reply.

We already have CS MARS and 6 another AIP-SSM-10 on ASA but other IPS`s Sensor

health is normal status that include EVENT RETRIVE.

AM I have wrong setting on CS-MARS or another miss configuration

on IPS?

Thanks again

Regards

So the Critical status for Event Retrieval is doing exactly what it was designed for. It is letting you know that CS MARS hasn't pulled any events from the sensor since it was last rebooted.

Any number of things could be the problem. You will need to begin trying to determine why CS MARS is not pulling events.

Here are some suggestion to help get you started:

1) Check MARS configuration. Make sure MARS has had the sensor add to the list of devices it should connect to for pulling events. Make sure the username and password are correct.

2) Check MARS for any error messages. I don't know very much about MARS but I assume ther must be an Error log of some kind. It may be generating errors that could help explain why it may not be pulling events from the sensor.

3) Check the sensor configuration. Make sure that the MARS box's IP Address is included in the access-list of the sensor (otherwise MARS won't be able to connect). Login with the same username and password that was configured in MARS to ensure the password is properly set..

4) Check that alerts are being generated on the sensor. Execute "show event alert" on the CLI and watch it for some time to ensure that new alerts are being generated by the sensor. (If no alerts are being generated by the sensor, then there may be other sensor configuration problems that would need to be solved first.)

5) Check the statistics of the web server and sdee-server. Execute "show statistics web-server" several times over a few minutes and see if any web server connection are being made to the sensor from your MARS box (MARS pulls the events through a web-server connection). If no web-server connections are being made, then there may be connectivity issues.

If there are web-server connections being made, then run "show statistics sdee-server". If everything was working right there would be at least 1 subscription open for CS MARS. If you have 5 subscriptions open, then you might be running into a problem of too many open subscriptions. (if you do have 5 open subscriptions, then you may have to clear subscriptions for MARS to open a new one. The easiest way to do this is to reboot the sensor. There are, however, other methods as well. If you have this situation and don't want to reboot the sensor, then let me know and I can give you those other steps.)

6) Another common problem is with SSL certificates. The certificate may have expired (they expire every couple of years), or your sensor certificate may have changed recently. Try running "show version" on the sensor CLI. The more recent versions have a line at the bottom of the output to tell you when the certificate will expire. If your certificate has expired then you will need to create a new one using the "tls generate-key" command.

Any time a certificate is changed you will also have to tell MARS about the new sensor certificate.

If you use the "Test Connectivity" or "Discover" buttons in MARS it will prompt you to accept the new certificateif it has changed.

7) One other thing to check is just basic network connectivity. Is there any firewall or router with an access-list that may be preventing MARS from reaching the sensor?

Dear

I really appreciaate for your help.

Regards.

Hi

  I have the same issue.but we are using IME to monitor the IPS.Please help me to find out the problem.

Thanks

Hi,

Check if IME is able to poll for events.

Is the IP Address of machine; where IME is installed; present in the access-list of IPS ?

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Hi Sawan

          IME is not able retreive the events.IME Ip is already in the access-list of IPS.

Thanks

Hi,

Are you able to see events in IPS directly, using "show events" CLI ? (Just to confirm if IPS is actually generating events).

Is IME showing any error as to why it is not polling events ?

Regards,

Sawan Gupta

Thanks & Regards, Sawan Gupta

Hi all,

I have a similar problem. The IPS isn´t connected to the IPS Manager anymore. This was working before. Status on IPS Manager is: not connected.

How should I proceed with the troubleshooting?

The IPS is working. 

Overall Health Status                                   Red           
Health Status for Failed Applications                   Green         
Health Status for Signature Updates                     Green         
Health Status for License Key Expiration                Yellow        
Health Status for Running in Bypass Mode                Green         
Health Status for Interfaces Being Down                 Green         
Health Status for the Inspection Load                   Green         
Health Status for the Time Since Last Event Retrieval   Red           
Health Status for the Number of Missed Packets          Green         
Health Status for the Memory Usage                      Not Enabled   
Health Status for Global Correlation                    Green         
Health Status for Network Participation                 Not Enabled 

 

The IPS Version is: 7.2(2)E4, Model: ASA5555-IPS

 

Review Cisco Networking for a $25 gift card