How to configure syslog on the following IPS module?

Hi All,

We have IPS modules (ASA-SSM-10) installed in Cisco ASA firewalls (5520), and I want to integrate the module with the RSA enVision log management server. Please confirm whether these can be integrated with enVision and how. I am able to receive Cisco ASA logs by enabling logging on the box; I need to send logs from this sensor.

Below are the module details:

Platform: ASA-SSM-10
Build Version: 7.0(4)E4
OS Version: 2.4.30-IDS-smp-bigphys

Can anybody advise me on this?

Regards,

Saurabh Srivastava

2 ACCEPTED SOLUTIONS (the replies by Sawan Gupta and JonPBerbee in the thread below)

6 REPLIES

Rafael Mendes

You can send the log messages to your SIEM using SNMP traps.

See the DOC: http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cliguide7.html

JonPBerbee

RSA enVision can be configured to pull these logs using Cisco's SDEE protocol.

You need to allow the enVision server to connect to the IPS through an access-list entry in "service host\network-settings" on the CLI. 

From enVision you need to configure the SDEE Collection Service from "Overview\System Configuration\Services\Device Services\Manage SDEE Collection Service".  When adding a device just give the IP address of the IPS, a user name for enVision to use to connect, password, and port of 443.

One thing to note: this will give you basic alert information but won't include the TriggerPacket details, which are oftentimes helpful in alert investigation. You can check if this is the case by opening the "Cisco Secure Ids.txt" file from the "\nic\csd\config\sdees\templates" directory and seeing if it contains "cid:triggerPacket". If the file doesn't contain that, you can just rename the file to something like "Cisco Secure Ids.old" and then copy the "Cisco Secure Ids.txt" file from "%_envision%\etc\devices\ciscoidsxml\sdee" to "\nic\csd\config\sdees\templates". Restart the Collector service and you should be good to go.

One final note, the trigger packet data comes over in base64 format so you will need to run that output through a base64 program or script of some sort.
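Jon's procedure ends with the trigger packet arriving base64-encoded inside the SDEE alert. The script below is an added example for this thread, not code from the thread, from Cisco or from RSA: it takes an SDEE alert document containing a cid:triggerPacket element, decodes the base64 and parses the Ethernet/IPv4/TCP headers so the captured packet can actually be read during an investigation. The SDEE document is constructed and heavily simplified (a real evIdsAlert carries many more elements); the namespace URIs, the eventId attribute, the sensor hostname and the packet contents are assumptions. The decoder matches elements by local name, so the exact prefix does not matter, but it does assume the decoded bytes are a raw Ethernet frame; check the first bytes of real sensor output before trusting the header parser.

```python
"""Pull the base64 triggerPacket out of a Cisco IPS SDEE alert and decode it.

Added example; not Cisco, RSA or enVision code. The SDEE document is
CONSTRUCTED and simplified, and the namespace URIs are assumptions. The
header parser assumes the decoded bytes are a raw Ethernet frame.
"""
import base64
import struct
import xml.etree.ElementTree as ET


def build_sample_frame():
    """Constructed Ethernet/IPv4/TCP frame carrying an HTTP request.
    Checksums are left at 0 because nothing here validates them."""
    eth = bytes.fromhex("00112233445566778899aabb") + b"\x08\x00"  # dst MAC, src MAC, IPv4
    payload = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40123, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000, 64, 6, 0,
        bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]),
    )
    return eth + ip + tcp + payload


def build_sample_sdee(frame):
    """Constructed, simplified SDEE response embedding FRAME as cid:triggerPacket."""
    b64 = base64.b64encode(frame).decode()
    return f"""<sd:events xmlns:sd="http://example.com/sdee"
    xmlns:cid="http://www.cisco.com/cids/2006/08">
  <sd:evIdsAlert eventId="1320000001" severity="high" vendor="Cisco">
    <sd:originator><sd:hostId>asa-ssm-10</sd:hostId></sd:originator>
    <cid:triggerPacket>{b64}</cid:triggerPacket>
  </sd:evIdsAlert>
</sd:events>"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_trigger_packets(sdee_xml):
    """Return [(eventId, raw_bytes)] for each alert that carries a triggerPacket."""
    found = []
    for alert in ET.fromstring(sdee_xml).iter():
        if local(alert.tag) != "evIdsAlert":
            continue
        for el in alert.iter():
            if local(el.tag) == "triggerPacket" and el.text and el.text.strip():
                # b64decode silently drops line breaks inserted into long values
                found.append((alert.get("eventId"), base64.b64decode(el.text.strip())))
    return found


def summarize_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; returns a dict, or an error entry."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"error": "not an IPv4-over-Ethernet frame"}
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    info = {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "proto": frame[23],
    }
    if info["proto"] == 6 and len(frame) >= 14 + ihl + 20:
        tcp = frame[14 + ihl:]
        info["sport"], info["dport"] = struct.unpack("!HH", tcp[:4])
        info["payload"] = tcp[(tcp[12] >> 4) * 4:]    # skip TCP header + options
    return info


def hexdump(data, width=16):
    """Classic offset / hex / ASCII dump for eyeballing the decoded packet."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = build_sample_sdee(build_sample_frame())
    for event_id, pkt in extract_trigger_packets(sample):
        info = summarize_frame(pkt)
        print(f"event {event_id}: {info['src']}:{info.get('sport')} -> "
              f"{info['dst']}:{info.get('dport')} proto {info['proto']}")
        print(hexdump(pkt))
```

On the sensor side, the step Jon refers to is entered on the IPS 7.0 CLI as `configure terminal`, `service host`, `network-settings`, then `access-list <enVision-IP>/32`, followed by `exit` and answering yes when asked to apply the changes; give the collector's address only, not a broad subnet, since that list is what lets a host talk to the sensor's management interface at all. The collector logs in over HTTPS on port 443 with the account you configured in enVision, so use a dedicated viewer-level account for it rather than the cisco administrator account.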

Hi Jon,

Thanks for the reply. This procedure is for Cisco IPS appliances, viz. the 4240 etc.; however, I want to integrate the ASA IPS module (SSM module) with RSA enVision. I had contacted RSA in this regard and, as per them, the logs will come under the ASA logs via syslog, but I fail to see the IPS logs.

Please suggest..

Regards,

Saurabh 


Does the RSA tool support SDEE events?

If yes, then it should be pretty straightforward to pull the events.

https://supportforums.cisco.com/docs/DOC-12515

Regards,

Sawan Gupta


Thanks Sawan, I will try it out.

Regards,
Saurabh


Hi Saurabh,

The enVision appliances we manage all pull the events from IPS modules in ASAs, so the process will work for that as well, as long as you have given the IPS an IP address and have the management port cabled. We have enVision pulling logs via the process I explained from ASA-SSM-10 & ASA5515-IPS devices.

Jon.
