Hello, I have an ASA 5510 with an AIP-SSM installed. The question is, will the IDM store the logs from the IPS module even when it is closed, or does it have to stay open? Also, if either one loses power, are the logs lost and will they start back automatically? If not, how can I make this happen for PCI compliance purposes?
You are correct, none of the Cisco IPS Sensors support Syslog for transmitting signature events.
The original poster of this thread asked about the event "logs" and I was trying to answer his question using his terminology.
If by "logs" you mean the signature events the IPS Sensor generates, then the answer is mostly yes.
The Sensor has a circular buffer for event storage. It will keep these events until they are overwritten.
How quickly they are overwritten is a factor of buffer size, event size, packet capture options, etc. (there was a forum thread on this very topic you can search for).
If you are concerned about keeping event logs, you can install the free IME server and pull events from the sensor. If you are REALLY concerned about getting event logs you can stand up two IME servers (they will cost you some sensor overhead though) and keep them on your host, instead of your sensor. Each sensor can support up to 5 devices (I think) pulling events.