09-09-2010 12:44 PM - edited 03-10-2019 05:07 AM
Hi,
I am new to this IDS and need an inexpensive or open source way to collect and store logs from this device. It seems the device can only store a day or two of its own logs and I need to collect 1 year. I have Red Hat linux machines at my disposal but can use Windows devices or other forms of Linux if necessary. It would be great if I could simply have this thing log to a file on a Linux server on the LAN. I can then setup scripts to watch and create reports from the logs.
I have installed the IDM on my Windows workstation and can connect to the IDS but don't see a way to collect logs, fire email alerts or create reports. Is there something Cisco makes available (without additional purchase) for this?
Thanks,
Paul
09-09-2010 01:52 PM
For email alerts you can use IPS Manager Express http://www.cisco.com/en/US/products/ps9610/index.html I believe it will manage up to 10 IPS sensors.
09-10-2010 03:37 AM
Paul;
To follow-up on Terry's comments; Cisco does provide a free (though not open-source) solution called IPS Manager Express. The current release 7.0.3 supports monitoring up to 10 Cisco IPS sensors (to include IOS IPS configured routers). IME stores collected IPS events in a local MySQL database (closed schema) and can be configured to store up to 1 million events per file, with a maximum of 400 files. Depending on event rate, this could last the one year you require. You can find out more and download IME at:
Please be aware that IME includes the ability to monitor IPS events as well as perform configuration tasks on Cisco IPS sensors. The configuration capability of IME is limited to IPS sensors running release 6.1 and higher.
If you are interested in creating your own collection process on a Linux host, Cisco's IPS sensors support event retrieval using the Security Device Event Exchange (SDEE) protocol. SDEE is an industry standard protocol and there are several open-source libraries available for use in the creation of an event collection and storage solution.
Scott
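As an added example of the do-it-yourself route Scott describes (this is not code from the thread or from Cisco): a small Python SDEE collector that subscribes to a sensor, polls for evIdsAlert events and appends each one as a JSON line, which is the "log to a file on a Linux server" shape Paul asked for. The endpoint path, query parameters and where the subscription id comes back are assumptions stated in the module docstring and should be checked against the sensor's SDEE documentation; the sample response is constructed, and parsing matches on local element names so it does not depend on the exact namespace URIs the sensor emits.

```python
"""SDEE collector: pull evIdsAlert events from a Cisco IPS/IDS sensor into JSON lines.
Added example, not Cisco's or the thread's code. Assumed (check your sensor's SDEE docs):
https://<sensor>/cgi-bin/sdee-server, HTTP Basic auth, action=open|get|close parameters,
subscription id in an X-Sdee-Subscription-Id header or a <subscriptionId> element."""
import base64, io, json, ssl, urllib.parse, urllib.request
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{uri}evIdsAlert' -> 'evIdsAlert'

def _first(elem, name):
    """First element (elem itself or a descendant) whose local name is `name`."""
    return None if elem is None else next((e for e in elem.iter() if _local(e.tag) == name), None)

def _text(elem, name):
    node = _first(elem, name)
    return (node.text or "").strip() if node is not None else ""

def parse_sdee_alerts(xml_text):
    """Flatten each evIdsAlert to a dict, matching on local names so namespace URIs do not matter."""
    alerts = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "evIdsAlert":
            continue
        sig = _first(elem, "signature")
        alerts.append({
            "eventId": elem.get("eventId", ""),
            "severity": elem.get("severity", ""),
            "time": _text(elem, "time"),
            "sigId": sig.get("id", "") if sig is not None else "",
            "sigName": sig.get("description", "") if sig is not None else "",
            "attacker": _text(_first(elem, "attacker"), "addr"),
            "target": _text(_first(elem, "target"), "addr"),
        })
    return alerts

class SdeeClient:
    """open/get/close against one sensor; fetch(params) -> (headers, body) is injectable."""
    def __init__(self, host, user, password, fetch=None, cafile=None):
        self.base = f"https://{host}/cgi-bin/sdee-server"
        self.auth = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
        # Sensors usually present a self-signed cert: pass it as cafile, do not disable verification.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.fetch = fetch or self._http_get
        self.subscription_id = None

    def _http_get(self, params):
        req = urllib.request.Request(self.base + "?" + urllib.parse.urlencode(params),
                                     headers={"Authorization": self.auth})
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as r:
            return {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")

    def open(self):
        headers, body = self.fetch({"action": "open", "events": "evIdsAlert"})
        sid = headers.get("x-sdee-subscription-id") or _text(ET.fromstring(body), "subscriptionId")
        if not sid:
            raise RuntimeError("sensor did not return a subscription id")
        self.subscription_id = sid

    def get(self, max_events=100, timeout_s=5):
        _, body = self.fetch({"action": "get", "subscriptionId": self.subscription_id,
                              "maxNbrOfEvents": str(max_events), "timeout": str(timeout_s)})
        return parse_sdee_alerts(body)

    def close(self):
        self.fetch({"action": "close", "subscriptionId": self.subscription_id})

def collect(client, fh, polls):
    """Poll `polls` times (None = forever) and append one JSON line per alert to fh."""
    client.open()
    try:
        for _ in (range(polls) if polls is not None else iter(int, 1)):  # iter(int, 1) never ends
            for alert in client.get():
                fh.write(json.dumps(alert, sort_keys=True) + "\n")
            fh.flush()
    finally:
        client.close()

# Constructed sample response (not captured from a real sensor).
SAMPLE_RESPONSE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body>
<sd:events xmlns:sd="http://example.com/cisco/cids/sdee">
<sd:evIdsAlert eventId="1283975000123456" vendor="Cisco" severity="high"><sd:originator><sd:hostId>ids-lab-1</sd:hostId></sd:originator>
 <sd:time offset="0" timeZone="UTC">1283975000123456000</sd:time><sd:signature id="2004" version="S1" description="ICMP Echo Request"/>
 <sd:participants><sd:attacker><sd:addr locality="OUT">198.51.100.7</sd:addr></sd:attacker>
 <sd:target><sd:addr locality="IN">192.0.2.10</sd:addr><sd:port>0</sd:port></sd:target></sd:participants></sd:evIdsAlert>
<sd:evIdsAlert eventId="1283975000123457" vendor="Cisco" severity="medium"><sd:originator><sd:hostId>ids-lab-1</sd:hostId></sd:originator>
 <sd:time offset="0" timeZone="UTC">1283975001000000000</sd:time><sd:signature id="3041" version="S1" description="TCP SYN/FIN Packet"/>
 <sd:participants><sd:attacker><sd:addr locality="OUT">203.0.113.9</sd:addr></sd:attacker>
 <sd:target><sd:addr locality="IN">192.0.2.25</sd:addr><sd:port>22</sd:port></sd:target></sd:participants></sd:evIdsAlert>
</sd:events></env:Body></env:Envelope>"""

def demo():
    """Run the collector end to end against the canned response (no sensor needed)."""
    def fake_fetch(params):  # canned transport: open -> id header, get -> sample, close -> ok
        if params["action"] == "open":
            return {"x-sdee-subscription-id": "sub-1"}, "<ok/>"
        return {}, (SAMPLE_RESPONSE if params["action"] == "get" else "<ok/>")
    buf = io.StringIO()
    collect(SdeeClient("sensor.example", "viewer", "secret", fetch=fake_fetch), buf, polls=2)
    return [json.loads(line) for line in buf.getvalue().splitlines()]
```

For real use, `collect(SdeeClient(host, user, password, cafile="sensor.pem"), open("/var/log/ips/alerts.jsonl", "a"), None)` runs until killed; give it a dedicated viewer-role account on the sensor rather than the administrator login, and rotate the output file with logrotate so a year of events does not sit in one file. The JSON-lines output is what Paul's report scripts would read.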
10-08-2010 04:42 PM
I have done as you said and have downloaded the IME-IPS.
The IPS has limited support for my IDS but I can collect events, which is what I needed.
So, now I have a few more questions:
I need to backup the alert data so that if my machine dies I can restore.
1) I noticed the data archiving feature . . . what does this do exactly? If I set it to archive daily, is there some file somewhere I can backup without stopping the MySQL service? If yes what is the file and where is it? Can I change it to write this archive file to a network location? How? How would I restore it if necessary?
2) I know I could use the export feature periodically . . . that is manual. It is not really an option.
3) I suppose I could stop the MySQL service and backup the C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB dir.
I was not able to find any documentation on this online.
Thanks in advance for your help.
Paul
10-11-2010 03:47 AM
Paul;
The data archiving facility within IME allows you to control the number of events stored in a database file, along with the total number of these database files to keep. This will help with both performance and file system space management. The files remain in the \Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB directory. Maintaining data integrity in the event of a system failure will require that a system-level backup policy be designed; this is not something that Cisco provides.
Scott
10-11-2010 10:10 AM
Thanks for that explanation of the archive feature. That was helpful.
Regarding a backup of the alert logs: you indicated a system level backup. I would assume that to mean system state, the IME application installation including the alarm directory with the MySQL service stopped.
Is that what is required, or would it suffice to only backup the MySQL installation with the MySQL service stopped and keep a copy of the original application download?
Thanks again for your help.
10-12-2010 04:20 AM
Paul;
I have not done any disaster recovery testing, but would think that an initial, full backup of the system running IME followed by incremental backups run at an interval that meets your needs should suffice.
Scott
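A concrete form of the file-level approach in Paul's option 3 above (stop the MySQL service, copy the alarmDB directory, keep a SHA-256 manifest so a later restore can be checked before it overwrites anything). This is an added example, not Cisco's code or anything posted in the thread: SERVICE_NAME is a placeholder for whatever name IME's MySQL service registers under, the `sc`-based stop/start is an assumption about the Windows side, and the files `demo()` creates are constructed stand-ins, not real IME data.

```python
"""Consistent backup of IME's alarmDB directory with an integrity manifest, plus restore.
Added example, not Cisco's or the thread's code. Assumptions: IME's MySQL runs as a Windows
service (SERVICE_NAME is a placeholder; read the real name from services.msc) and the data
directory is the path given in the thread. Run from an elevated prompt; demo() needs neither."""
import hashlib, json, os, shutil, subprocess, tempfile, time

ALARM_DB = r"C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB"
SERVICE_NAME = "MySQL"  # placeholder, see module docstring

def _service(action):
    """sc stop|start SERVICE_NAME, then wait until `sc query` reports the target state."""
    subprocess.run(["sc", action, SERVICE_NAME], check=True, capture_output=True)
    want = "STOPPED" if action == "stop" else "RUNNING"
    for _ in range(60):
        out = subprocess.run(["sc", "query", SERVICE_NAME], capture_output=True, text=True).stdout
        if want in out:
            return
        time.sleep(1)
    raise RuntimeError(f"{SERVICE_NAME} did not reach {want}")

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest_of(root):
    """{relative path: sha256} for every file under root, sorted for stable diffs."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return dict(sorted(out.items()))

def snapshot(src, dest_root, quiesce=True):
    """Copy src to dest_root/alarmDB-<timestamp>/alarmDB with the DB service stopped
    (copying live MySQL files is not crash-consistent) and write manifest.json beside it."""
    dest = os.path.join(dest_root, time.strftime("alarmDB-%Y%m%d-%H%M%S"))
    if quiesce:
        _service("stop")
    try:
        shutil.copytree(src, os.path.join(dest, "alarmDB"))
    finally:
        if quiesce:
            _service("start")
    manifest = manifest_of(os.path.join(dest, "alarmDB"))
    with open(os.path.join(dest, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1)
    return dest, manifest

def verify(dest):
    """Re-hash a snapshot against its manifest; return the paths that differ or are missing."""
    with open(os.path.join(dest, "manifest.json"), encoding="utf-8") as fh:
        expected = json.load(fh)
    actual = manifest_of(os.path.join(dest, "alarmDB"))
    return sorted(p for p in set(expected) | set(actual) if expected.get(p) != actual.get(p))

def restore(dest, target=ALARM_DB, quiesce=True):
    """Refuse a snapshot that fails verification, else put it back in place of target."""
    bad = verify(dest)
    if bad:
        raise RuntimeError(f"snapshot failed integrity check: {bad}")
    if quiesce:
        _service("stop")
    try:
        if os.path.exists(target):
            shutil.rmtree(target)
        shutil.copytree(os.path.join(dest, "alarmDB"), target)
    finally:
        if quiesce:
            _service("start")

def demo():
    """Offline self-check on constructed stand-in files: a clean snapshot verifies, a tampered one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "alarmDB")
        os.makedirs(src)
        for name, data in (("t1.frm", b"\x00stand-in"), ("t1.MYD", b"stand-in event rows")):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(data)
        dest, _ = snapshot(src, os.path.join(tmp, "backups"), quiesce=False)
        clean = verify(dest)
        with open(os.path.join(dest, "alarmDB", "t1.MYD"), "ab") as fh:
            fh.write(b"bit rot")
        return clean, verify(dest)
```

Point `dest_root` at a share on another machine (or copy the finished snapshot directory off-host afterwards) so the backup does not die with the IME workstation, and run `verify()` on the copy you intend to restore from, not just on the original; a backup nobody has ever verified is the failure mode the full-plus-incremental policy Scott suggests is meant to avoid.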