07-27-2006 12:36 PM - edited 03-10-2019 03:08 AM
Got notified that we have to upgrade our IDS 4.1 to IPS 5.0.
We currently use Cisco IEV to monitor the IDS. Can we use IEV to monitor IPS or do we need something else?
Finding info on cisco.com is like a d@mn treasure hunt.
07-28-2006 04:39 AM
Hello Tscislaw,
We went thru the same routine a few months back. Yes, you can still use IEV with IPS 5.1.x. Just go to the link http://www.cisco.com/kobayashi/sw-center/ciscosecure/ids/crypto/ --- which is the Cisco Secure Software Software Center (Downloads) page. Go to the bottom and look for the Network IDS Management/Monitoring Software section. There you will find the IDS Event Viewer (IEV) for IPS v5.x.
This version works fine with the new IPS v5.1.x software. It even has a few enhancements like a "reports tab" next to the "views" and "filter" tabs in the bottom left corner of the IEV Console.
There are two things that are different. One, the help files are the same as v4.1. Cisco is working on updating them. Second, the fields in the export file. IEV 5.1 no longer breaks out the Unix local date/time code to readable date and time columns. You need to be aware of this if you try to export the CSV to Excel. Cisco TAC has a BugTrack number for this. A human-readable date and time field will be added in IEV v5.2(6) according to them. This will help a lot in creating ad hoc reports from the export file (as a lot of people did with v4.1).
Hope this answers your question.
DF
07-28-2006 06:13 AM
DF,
Thank you very much for the info!
07-28-2006 06:35 AM
Something to also keep in mind.
The new IEV 5.1 will only support version 5.0 and 5.1 sensors.
It does not support the older version 4.x sensors.
Both IEV versions may not be installed on the same machine at the same time.
So you need to plan your migration accordingly.
07-28-2006 07:31 AM
--- One more thing...
The signature database in IEV v5.1 is no longer stored locally. It's on-line at MySDN. This cuts out the old v4.1 process of having to install a new IEV database every time a new sig came out.
With v5.1 once you have IEV installed you only need to download the sigs for the sensor. Just remember to check for IEV updates now and then on the Cisco site.
07-28-2006 09:56 AM
>>...With v5.1 once you have IEV installed you only need to download the sigs for the sensor. Just remember to check for IEV updates now and then on the Cisco site....<<
That's good. One less thing to forget to do.
I get update notifications via email so looks like I'm good to go.
Thanks again for your help.
07-28-2006 11:55 AM
You're very welcome! And thanks for the check-mark.
... One last thing - I get the email update notifications as well, but I also make it a habit to check the website every time I check IEV for events. There have been cases where the sig or the service pack is on the website hours before the notices are emailed.