01-02-2014 01:44 AM - edited 03-10-2019 06:07 AM
Hi Folks,
Happy new year!
I'm trying to interface my IPS Event with an external log analyzer.
This exercise (Log Management) has become vital, as my SLA requires that IPS Events (particularly those with a risk rating above 85) be documented and reported in <90 mins on a day-to-day basis.
Anyone with ideas?
Regards,
Daniel
01-02-2014 09:49 AM
Daniel -
Your two most common options for getting event data off your sensors are:
1. Get/build/buy a SIEM that will pull the events via the SDEE protocol.
2. Edit the action of the signatures in question (>85% RR) to generate an SNMP trap for the event.
For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was successful or a false positive).
- Bob
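Bob's first option (pull the events over SDEE) leaves the filtering and SLA bookkeeping Daniel describes to whatever consumes the feed. As an added example, not code from anyone in this thread or from Cisco, the Python below parses an SDEE-style alert response, keeps the alerts with a risk rating above 85 and computes the 90-minute reporting deadline for each. The XML sample is constructed, the element names and namespaces follow the SDEE/CIDEE layout as assumed here (check them against what your own sensor returns), and the HTTPS subscription to the sensor itself is left out.

```python
"""Parse SDEE-style IPS alerts, keep high-risk ones and track the reporting SLA."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces for the SDEE envelope and Cisco's CIDEE extension. Assumed here for
# illustration; compare them against the XML your sensor actually returns.
NS = {
    "sd": "http://example.com/sdee",
    "cid": "http://www.cisco.com/cids/2006/08/cidee",
}

RISK_THRESHOLD = 85                  # from the thread: report alerts with RR above 85
REPORTING_SLA = timedelta(minutes=90)  # from the thread: reported within 90 minutes
EXAMPLE_NOW = datetime(2014, 1, 2, 1, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample response (not captured from a real sensor): two alerts, one
# above the threshold and one below it. sd:time carries nanoseconds since the epoch.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<sd:events xmlns:sd="http://example.com/sdee"
           xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
  <sd:evIdsAlert eventId="1000000000000000001" severity="high" vendor="Cisco">
    <sd:originator><sd:hostId>sensor01</sd:hostId></sd:originator>
    <sd:time offset="0" timeZone="UTC">1388620800000000000</sd:time>
    <sd:signature id="5081" description="WWW WinNT cmd.exe Access"/>
    <sd:participants>
      <sd:attacker><sd:addr>192.0.2.10</sd:addr></sd:attacker>
      <sd:target><sd:addr>198.51.100.20</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue targetValueRating="medium">90</cid:riskRatingValue>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1000000000000000002" severity="low" vendor="Cisco">
    <sd:originator><sd:hostId>sensor01</sd:hostId></sd:originator>
    <sd:time offset="0" timeZone="UTC">1388621100000000000</sd:time>
    <sd:signature id="2004" description="ICMP Echo Request"/>
    <sd:participants>
      <sd:attacker><sd:addr>192.0.2.11</sd:addr></sd:attacker>
      <sd:target><sd:addr>198.51.100.21</sd:addr></sd:target>
    </sd:participants>
    <cid:riskRatingValue targetValueRating="medium">35</cid:riskRatingValue>
  </sd:evIdsAlert>
</sd:events>
"""


def parse_alerts(xml_text):
    """Return one dict per sd:evIdsAlert with the fields a reporting pipeline needs."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.findall("sd:evIdsAlert", NS):
        sig = ev.find("sd:signature", NS)
        rr = ev.find("cid:riskRatingValue", NS)
        ns_since_epoch = int(ev.findtext("sd:time", namespaces=NS))
        alerts.append({
            "event_id": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sensor": ev.findtext("sd:originator/sd:hostId", namespaces=NS),
            "time": datetime.fromtimestamp(ns_since_epoch // 10**9, tz=timezone.utc),
            "signature_id": sig.get("id") if sig is not None else None,
            "description": sig.get("description") if sig is not None else None,
            "attacker": ev.findtext("sd:participants/sd:attacker/sd:addr", namespaces=NS),
            "target": ev.findtext("sd:participants/sd:target/sd:addr", namespaces=NS),
            # A missing or empty riskRatingValue counts as 0 instead of raising.
            "risk_rating": int(rr.text) if rr is not None and rr.text else 0,
        })
    return alerts


def high_risk(alerts, threshold=RISK_THRESHOLD):
    """Keep only the alerts whose risk rating exceeds the SLA threshold."""
    return [a for a in alerts if a["risk_rating"] > threshold]


def report_deadline(alert, sla=REPORTING_SLA):
    """Latest time at which the alert can be reported and still meet the SLA."""
    return alert["time"] + sla


def within_sla(alert, reported_at, sla=REPORTING_SLA):
    """True if the report time falls inside the SLA window for this alert."""
    return alert["time"] <= reported_at <= report_deadline(alert, sla)


def build_report(xml_text, now):
    """Summarise the high-risk alerts and flag those whose deadline has already passed."""
    rows = []
    for a in high_risk(parse_alerts(xml_text)):
        deadline = report_deadline(a)
        rows.append({
            "event_id": a["event_id"],
            "sensor": a["sensor"],
            "signature": f'{a["signature_id"]} {a["description"]}',
            "attacker": a["attacker"],
            "target": a["target"],
            "risk_rating": a["risk_rating"],
            "deadline": deadline.isoformat(),
            "overdue": now > deadline,
        })
    return rows


if __name__ == "__main__":
    for row in build_report(SAMPLE_XML, EXAMPLE_NOW):
        print(row)
```

The same functions work on a real SDEE response once the namespaces and element paths are confirmed against the sensor; the `overdue` flag is what a scheduled job would alert on, and `within_sla` is the check to record when the report is actually filed.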
01-02-2014 11:27 PM
Thanks Rhermes, nice one.
On your response, I have tried pulling events using Splunk - I seem to be getting errors integrating Splunk with the sensor; is there a way around this, or are there other SIEMs (preferably open source) one can use to pull events via SDEE?
Regards.
01-03-2014 09:43 AM
I don't have any experience with Splunk and Cisco IPS, but there is a Wiki for it, so I assume other people have it working: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS
I would imagine all commercial SEM vendors should support Cisco's implementation of SDEE, I have experience with Trustwave (formerly Intelitactics) and Arcsight.
How many sensors are you attempting to monitor? The free Cisco IME can pull events from up to 5 sensors.
- Bob
02-19-2014 10:07 AM
Hi rhermes,
I have since gotten Cisco IME 7.2.1. It's pretty great working with this interface. Thanks!
Daniel.