10-02-2006 08:35 AM - edited 03-10-2019 03:15 AM
Hi,
I have an ASA 5510 with AIP-SSM-10 in my test environment. I have installed IEV 5.2 in one of the servers to analyze the log.
The IEV server is added to IPS acl and has a username and password with Administrator access.
I'm using default filter. However, I don't see any data in IEV. The event realtime graph reports data size as 0 KB and I don't see any data in real-time dashboard too.
Is there any specific configuration needs to be done at IPS or IEV to view the data?
I'd appreciate any insights on this.
Thx in advance.
Regards,
Janakan Rajendran
10-02-2006 09:00 AM
Did you make sure you assigned the Backplane interface to the Virtual Sensor? Check by going to sensor via https, then make sure that in Configuration --> Analysis Engine --> Virtual Sensor that the Backplane is assigned to the virtual sensor. If it is not assigned, Click Edit and assign it....
If this helps, please rate!
Thanks.
10-02-2006 10:43 AM
Hi,
Yes, it is assigned to vs0. I have a syslog server running on the same machine and I am receiving syslog messages.
But IEV reports all the messages (Informational, Low, Medium, High) as zero. IEV can see the IPS though (red dot next to sensor name), and device status also reports as successful.
I think I'm missing something on the ASDM configuration. I walked through the help file on IEV but no luck yet.
Any more thoughts?
Thank you,
Janakan Rajendran
10-02-2006 10:48 AM
Also, don't forget to make a policy to send all traffic to the SSM for review on the ASA.
Here is an example:
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
 class global-class
  ips inline fail-open
!
service-policy global_policy global
10-02-2006 11:00 AM
Hi,
Thx for your responses. I'm more comfortable using the GUI than the CLI. Is there any way I can do this with ASDM?
Thx again!
Regards,
Janakan Rajendran
10-02-2006 11:07 AM
Hi,
I just copied your config and applied it to my ASA. So I think that part is done.. Still nothing on IEV..
-Janakan Rajendran
10-02-2006 11:12 AM
If you log into the sensor, and type sho events past 00:30. What does it say? I just want to be sure your sensor is not getting events... I want to eliminate that as a problem before troubleshooting the IEV.
10-02-2006 11:20 AM
Hi,
When I ran show events, I get the following for 1-2 pages:
evStatus: eventId=1146009156396483245 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: login(pam_unix)
    appInstanceId: 400
  time: 2006/10/02 14:58:59 2006/10/02 09:58:59 GMT-05:00
  syslogMessage:
    description: session closed for user cisco
evStatus: eventId=1146009156396483246 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: cidwebserver
    appInstanceId: 280
  time: 2006/10/02 15:00:32 2006/10/02 10:00:32 GMT-05:00
  loginAction: action=loggedOut
    description: User's session expired
    userName: cisco
    userAddress: port=3707 192.168.1.10
-Janakan Rajendran
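The output above is all evStatus records (logins and session expiries) and no alert records, which is exactly the distinction the previous reply wanted to establish. The following is an added example, not code from the thread: it groups 'show events' text by record type so that a sensor producing only status events is obvious at a glance. The sample is constructed to mirror the paste above plus one evIdsAlert record in the IPS 5.x layout (layout assumed).

```python
# Added example (not from the thread): group Cisco IPS 'show events' output by
# record type so you can tell "only evStatus (logins/logouts)" from "real
# alerts"; the sample is constructed to mirror Janakan's paste plus one alert.
import re
from collections import Counter

# Constructed: two status records as seen in the thread, and one evIdsAlert in
# the IPS 5.x layout (assumed) so the summary shows both kinds.
SAMPLE = """\
evStatus: eventId=1146009156396483245 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: login(pam_unix)
  time: 2006/10/02 14:58:59 2006/10/02 09:58:59 GMT-05:00
  syslogMessage:
    description: session closed for user cisco
evStatus: eventId=1146009156396483246 vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: cidwebserver
  loginAction: action=loggedOut
    userName: cisco
    userAddress: port=3707 192.168.1.10
evIdsAlert: eventId=1146009156396483247 severity=informational vendor=Cisco
  originator:
    hostId: CPRIPS
    appName: sensorApp
  signature: description=ICMP Echo Request id=2004 version=S1
"""

RECORD_START = re.compile(r"^(ev\w+): eventId=(\d+)(.*)$")

def parse_events(text):
    """Return a list of (record_type, event_id, fields) for each record."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:  # header line: attributes after eventId are key=value pairs
            attrs = dict(kv.split("=", 1) for kv in m.group(3).split())
            records.append((m.group(1), m.group(2), attrs))
        elif records and ":" in line:  # indented child line: 'key: value'
            key, _, val = line.strip().partition(":")
            records[-1][2].setdefault(key, val.strip())
    return records

def summarise(text):
    """Counts per record type, and per severity for alert records only."""
    recs = parse_events(text)
    by_type = Counter(r[0] for r in recs)
    by_sev = Counter(r[2]["severity"] for r in recs if r[0] == "evIdsAlert")
    return by_type, by_sev
```

If the evIdsAlert count is zero for a window in which test traffic crossed the ASA, the problem is upstream of IEV: the sensor is not being handed packets, not IEV's filter or connectivity.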
10-02-2006 12:11 PM
You may need to add your internal networks... Try this
1) https to your sensor and log in with your admin account
2) Go to Configuration --> Event Action Rules --> Event Variables
3) Add an IN variable and define all of your internal IP ranges
4) Add an OUT variable that includes everything else (kind of a pain)
10-02-2006 12:28 PM
Hi,
I did as you suggested as I'm dealing with only two subnets for testing. No luck in IEV.
What type of logging and setup needs to be enabled in ASDM to see the data in IEV?
Thx again!
-Janakan Rajendran
10-02-2006 12:51 PM
What version of ASDM are you running?
10-02-2006 01:04 PM
If you are running 5.21 (and perhaps earlier versions), use the following references..
Add service policy with this link..
Add IPS inspections with this link...
10-03-2006 06:13 AM
Hi,
Well, I have two global service policies that monitor all the services (any traffic) and have IPS inline.
However, I don't see anything under "Enabled" in ASDM. How do I enable these policies?
As I said earlier, I'm just trying to get at least information messages in IEV. Right now I do get them in kiwi syslogd running on the same machine as IEV.
Thx in advance!
10-03-2006 06:44 AM
10-03-2006 07:54 AM
1) Delete ALL of the inspection policy mess you have first using ASDM...
2) Run the following commands in ASDM (using the multi line command line interface under Tools --> Command Line Interface. The indented commands are subcommands so the outdented command must be run first. I actually would do them in groups.
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
  inspect icmp
 class global-class
  ips inline fail-open
service-policy global_policy global
3) And most important... RATE ALL POSTS.. I am giving you free consulting, so I feel it is only fair...
4) Good luck
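The whole thread turns on one question: does an applied service policy actually hand traffic to the SSM? Below is an added example, not code from the thread or from Cisco, that answers it from a pasted running-config. SAMPLE_CFG is the config posted above (trimmed), indented as the ASA CLI prints it; the parser assumes plain Layer 3/4 class-maps and policy-maps only.

```python
# Added example (not from the thread): check an ASA running-config for what
# this thread hinges on: a class with an 'ips ...' action inside a policy-map
# that is actually applied with 'service-policy'. Assumes plain L3/L4 MPF.
SAMPLE_CFG = """\
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
 class global-class
  ips inline fail-open
service-policy global_policy global
"""

def parse_mpf(cfg):
    """Return (class_maps, policy_maps, applied) from indented ASA config."""
    class_maps, policy_maps, applied = {}, {}, {}
    cm = pm = cls = None
    for raw in cfg.splitlines():
        line, depth = raw.strip(), len(raw) - len(raw.lstrip())
        words = line.split()
        if not words or words[0] == "!":
            continue
        if depth == 0:  # top-level statement resets the current context
            cm = pm = cls = None
            if words[0] == "class-map":
                cm, class_maps[words[1]] = words[1], []
            elif words[0] == "policy-map":
                pm, policy_maps[words[1]] = words[1], {}
            elif words[0] == "service-policy":  # name -> 'global'/'interface X'
                applied[words[1]] = " ".join(words[2:])
        elif cm and depth == 1:
            class_maps[cm].append(line)
        elif pm and depth == 1 and words[0] == "class":
            cls, policy_maps[pm][words[1]] = words[1], []
        elif pm and cls and depth == 2:
            policy_maps[pm][cls].append(line)
    return class_maps, policy_maps, applied

def ips_coverage(cfg):
    """(policy, class, ips action, match lines, where applied); [] means none."""
    class_maps, policy_maps, applied = parse_mpf(cfg)
    return [(pm, cls, act, class_maps.get(cls, []), where)
            for pm, where in applied.items()
            for cls, acts in policy_maps.get(pm, {}).items()
            for act in acts if act.startswith("ips ")]
```

An empty result with an 'ips' line present in the config means the policy-map was defined but never applied, which matches the symptom of policies that show nothing under "Enabled" in ASDM.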