
How I can monitor and retrieve event log on IPS 5.0.

Hi all

Does anyone know how I can monitor and retrieve the event log on IPS 5.0? I tried to use IEV version 4.1 and upgraded the signature to IEV-sig-4.1-1-S150, but it does not work.

6 Replies

mcvosi
Level 1

CLI and SecMon is your only choice right now. I believe I read that Cisco will have IEV support for IPS 5 in the summertime.

Security Monitor/IDS Monitor do not support the 5.0 IPS. I upgraded to 5.0 on an IDSM-2 module. First I had a hard time getting a license (they hadn't updated their Smartnet IDS contracts DB so that they covered IPS support), and then I couldn't import the 5.0 sensor into Security Monitor as it (SM) doesn't support 5.0. Ultimately I went back to 4.1 and will wait for Cisco to get its act together.

marcabal
Cisco Employee

The version 5.0 sensors were designed to be able to send alerts in both the new 5.0 format and the old 4.1 format.

It is up to the requesting tool to decide in which format to request the events.

The older 4.1 monitoring tools were tested to validate that they could query 5.0 sensors to receive events in the older 4.1 format.

IEV 4.1 was validated to retrieve events, so what you are seeing is likely a configuration error.

Recheck your configuration. You may also want to try and remove and re-add the sensor to IEV and ensure that IEV has the correct SSL certificate for the sensor.

NOTE: IEV 4.1 will receive events from a 5.0 sensor, but will likely not be able to do the other things like checking sensor statistics or sending other requests to the sensor.

Thank you marcabal

You are right, IEV version 4.1 works with IPS 5.0. I misunderstood something.

Thank you.

Does anyone know if we have to upgrade to IPS 5.0 now and manage it manually until the support for IDSMC 2.1 and SecMon 2.1 is available or will there be an upgrade from IDS 4.1 to IPS 5.0 once that management software is available?

You do not have to upgrade to IPS 5.0 right now.

You can continue to use version 4.1 with IDS MC 2.1, and continue loading new signature updates on your version 4.1 sensor.

Then sometime in the future you can upgrade to version 5.0 with the same IPS-K9-maj-5.0-1-S149.rpm.pkg file.

Some of the confusion has been the S149 in the filename. Users have been concerned that if they upgrade their 4.1 sensors past S149, they could not use the 5.0 major upgrade file anymore.

This is not the case. The IPS-K9-maj-5.0-1-S149.rpm.pkg file can be installed on any version 4.1 sensor even if the version 4.1 sensor has a signature level higher than S149.

(With the exception of S150 because we had a bug in that version).

Beginning with S151 the version 4.1 signature update now contains the corresponding Signature update for the 5.0 sensor. These 5.0 sig update files are stored off in an unused directory in the 4.1 sensor.

When the 5.0 file is installed it checks the 4.1 signature update level. If the 4.1 sensor is higher than S149 it will check that directory to see if there are 5.0 signature update files there, and automatically pull them across to the new 5.0 sensor.

This means you can continue upgrading your 4.1 sensor up until no more 4.1 signature updates are created (signature updates for 4.1 will still be created for at least 6 months, and I think maybe even up to another year).

Let's say you happen to upgrade your 4.1 sensor all the way up to 4.1(4)S180 some time this summer when the new IDS MC version is released.

At that time you can load the IPS-K9-maj-5.0-1-S149.rpm.pkg file.

When the upgrade completes your sensor version will be at 5.0(1)S180 (not S149), and all of your modifications and tunings should carry forward into the new version 5.0 sensor.

Since this capability is already built into the current upgrade file there is no need to release a new file after the new IDS MC version is released.

You can wait and do the 5.0 upgrade whenever you feel you are ready.
