No events logged while VMS offline

jkampmeyer · ‎01-19-2005

IDS and VMS are working fine, the issue is when my Windows box running VMS goes offline(crash, reboot....). I bring the VMS box back online and poll the IDS, but it reports no events.

I tested it by running Nessus while the VMS box is offline, from the CLI I see events, but when the VMS box comes online and polls the IDS....Nothing...

Do I need to setup the IDS to store the events until the VMS box can poll again?

Thanks,

Jamey

nkhawaja · ‎01-19-2005

events should already ben stored on the IDS. All you have to do is while launching the event viewer from security monitor, you specify an earlier time/date. it will/should collect the logged events out of the sensor.

thanks

Nadeem

jkampmeyer · ‎01-19-2005

I have tried that with no luck. I have set it to the earliest date and still nothing.

Is there a way to see if the IDS is storing the events? From the CLI I try sh events and I get nothing. But if a do a sh events and start Nessus it show the current ones..

Any ideas??

Jamey

nkhawaja · ‎01-19-2005

Hi,

try "show event alert" on the sensor. type "show interface" and send the output.

show event alert will tell you if sensor is seeing alerts or not

you can type "show event alert past 23:00" to see past events

thanks

Nadeem

jkampmeyer · ‎01-20-2005

I did a "sh event alert past 23:00" and it does show the old alerts, however security monitor still does not show then. It only show alerts that happen while it is connected.

I cleared the alerts on the IDS. ran Nessus, then did "sh event alert past 23:00" and it did show the past events (from the nessus scan). I then turned on the VMS box. But security monitor does not show any events (it is set show earliest).

Any other thoughts?

Jamey