Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
864
Views
0
Helpful
1
Replies

IPS event store

tad.190804
Level 1
Level 1

‎02-24-2011 11:05 PM - edited ‎03-10-2019 05:16 AM

Hi,

We have an IPS 4240. We do not have any SNMP logging,but there are many Alterts of High siverity and we would like to know all that is of High sivereity. But when we query the event viewer, it shows only for the last 3 days. Does this mean the logs are getting over written.

  section Cumulative number of each type of event
        Status events 78455
        Shun request events 0
        Error events, warning 447
        Error events, error 480
        Error events, fatal 0
        Alert events, informational 2137338
        Alert events, low 60847
        Alert events, medium 292
        Alert events, high 5199
        Alert events, threat rating 0-20 239092
        Alert events, threat rating 21-40 1898253
        Alert events, threat rating 41-60 64126
        Alert events, threat rating 61-80 1413
        Alert events, threat rating 81-100 792

Any way we can get information on all the 792 high siverity of events if they are not sent to any logging server.

What is the capacity of the event store. Can we enable event store that it stores only events of high siverity rather than all informationation events as well.

Rgds,

Tauseef

Labels:
0 Helpful
1 Reply 1

Siddharth Chandrachud
Cisco Employee
Cisco Employee

‎02-25-2011 11:41 AM

Hello,

Events generated are stored locally in the event store of the IPS.

This event store has limited storage so old events will get overwritten with new ones.

Hence we can actually retieve the events from the IPS usind TCP based SDEE protocol if one wishes to store all the events.

https://supportforums.cisco.com/docs/DOC-12515

This can be done using:

1. IPS Manager express (IME). Free download on cisco.com

2. MARS

3. External SDEE server.

What software are you using to veiw events ?

Just use IME to view the events from the IPS.

And IME can store events from the IPS locally on the harddrive of the machine on which its installed.

You can filter on simply viewing high sev events.

Sid Chandrachud

Cisco TAC  - Security Team.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card