
Remote Alarm Viewing

hendetl
Level 1

Ciscoworks-VMS-Large enterprise-Remote 4235 sensors running 4.1. Is there any way to easily allow remote locations to VIEW alarms on their individual sensors? If not, is this feature in the future?

3 Replies

a.arndt
Level 3

Here's a quick and dirty solution.

1) Install IEV on an appropriate workstation

2) Create a read-only account on the sensor where the data of interest resides

3) Configure IEV to use the account created in Step 1 in order to access the data

NOTE: you could do the same thing with VMS Basic, using SecMon in particular, but this particular solution is overkill IMHO.

ADDITIONAL NOTE: This will only work for IDS v4.1 (as requested by the author of the original query). This is not an option for IPS v5.0, as IEV is not supported...

I hope this helps,

Alex Arndt

Alex,

How would I view alarms in IPS 5.0? I have it installed and am reading the documentation, but cannot find any place where I can view alarms.

Please advise, I will make sure that I grade this post.

FYI, I'm not running v5.0 yet, but the official Cisco statement is "Cisco solutions include the Cisco IPS Device Manager for single device management and event monitoring, and Cisco Works VPN/Security Management Solution (VMS) for multidevice, multievent-type correlation."1

Given my experience, this is the right answer. In fact, new Cisco sensors come with VMS Basic (5 device limit version of VMS) for free. It can be used to monitor any IPS/IDS events remotely.

If you just want to quickly look at the event logs, you can remotely log in to the sensor and use IDM (IPS/IDS Device Management) to look at the Event Store, though this is not the best method, since you cannot export or otherwise manipulate the alarms from this particular interface.

One other option that bears mentioning is using a SIMS (Security Information Management System), such as ArcSight, NetForensics or NSM. These tools have RDEP/SDEE clients that can connect to Cisco IPS/IDS sensors and collect the alarms. This is a good option if you have a lot of sensors to monitor and want to correlate their events against other data types (such as router or firewall logs). Unfortunately, SIMS can be a very expensive undertaking, so caveat emptor.

I hope this helps,

Alex Arndt

1 - http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_data_sheet0900aecd801e6a45.html
