The number of monitoring stations

k.lapczuk · ‎04-05-2005

Is there a limit of the event monitor stations to monitor one sensor (IDS 4.1, IDSM2). I wonder of the case where three or four stations with CW2000 Security Monitor software are gathering the alarms from one sensor.

IDS 4.1 is a RDEP pull model for monitoring events - after polling for new XML event file, are these events dissapearing from sensor or are available for the other CW2000 Security Monitors?

sachinraja · ‎04-06-2005

hello

these events are obviously present on the IDS hard disk.. they arent downloaded to the sec mons.. you can use other monitoring stations to view this file...

hope this helps.. all the best..

Raj

pcomeaux · ‎04-06-2005

The IDS 4.x devices have a circular buffer in which the events are stored on the IDS itself. Monitoring stations, as you mention, pull the events from the sensor. However, the sensor keeps the events and notes the subscriptions that monitoring stations have it is event store.

This way, multiple monitoring stations can have subscriptions to the same sensor. If you loose your monitoring station, you can always get the latest set of events back from the sensor due to the buffered events store.

Hope this helps,

peter

a.arndt · ‎04-07-2005

I'd like to add that, though I can't remember where I got the info (RDEP specs, I think), a Cisco IDS sensor can keep track of up to 16 unique subscriptions (at least under v4.1).

These can be any combination of RDEP listeners; IEV, VMS/IDSMC (SecMon), 3rd party clients, etc.

The obvious benefit here is that multiple tiers can simultaneously access the same monitoring data from the same resource.

I hope this helps,

Alex Arndt