Alarms showing up in IDM log but not in IEV

mguirguis
Level 1

I have seen alarms in the IDS event logs that have not been received by the IEV. There is no filter on the IEV.

Thanks in advance,

Maged

Accepted Solution

I think I may have an answer...

Perhaps it has something to do with the Information "Level" set for the alarm data to be passed to the host running IEV?

Under the "Configuration>Communications>Remote Hosts>Event Destinations" in IDM, edit the remote host and check the Information "Level" that is set.

There are four levels available: "Information", "Low", "Medium" and "High". These map to the Alarm Severity Levels: 1 and 2 are "Information"; 3 is "Low"; 4 is "Medium"; and 5 is "High".

As I understand it, the IEV will only receive alarms that are equal to (or higher than) the "Level" set in IDM. In other words, if you're set up to accept "Medium", then IEV will only see level 4 and 5 alarms. Since many alarms in the NSDB are level 3, it stands to reason that you'd see them in the IDM logs but, thanks to an Information "Level" setting of "Medium", you won't see them reflected in IEV.

Let me know if this solves your mystery.

Alex Arndt, GCIA

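To make the threshold concrete, here is an added Python model (not from the thread or from Cisco) of the Event Destination "Level" filter Alex describes: it splits a sensor's alarm log into what IEV would receive and what stays only in the IDM log. The alarm records and signature ids are constructed for illustration, and the ordering of the four levels is an assumption drawn from the answer.

```python
from __future__ import annotations
from dataclasses import dataclass

# Severity -> Information "Level" name, as stated in the accepted answer.
SEVERITY_TO_LEVEL = {1: "Information", 2: "Information", 3: "Low",
                     4: "Medium", 5: "High"}
# Assumed ordering: a destination receives alarms at its level or higher.
LEVEL_RANK = {"Information": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alarm:
    sig_id: int      # constructed signature id, not a real NSDB id
    name: str
    severity: int    # 1..5 as in the sensor's alarm log


def forwarded_to_iev(alarm: Alarm, destination_level: str) -> bool:
    """True if an event destination set to destination_level would be
    sent this alarm (its severity maps to that level or a higher one)."""
    alarm_level = SEVERITY_TO_LEVEL[alarm.severity]
    return LEVEL_RANK[alarm_level] >= LEVEL_RANK[destination_level]


def reconcile(idm_log: list[Alarm], destination_level: str) -> tuple[list[int], list[int]]:
    """Split the sensor's alarm log into (sig ids IEV sees, sig ids missing from IEV)."""
    seen, missing = [], []
    for alarm in idm_log:
        target = seen if forwarded_to_iev(alarm, destination_level) else missing
        target.append(alarm.sig_id)
    return seen, missing


# Constructed sample log: names and ids are made up for this example.
SAMPLE_LOG = [
    Alarm(1000, "example low-severity signature", 3),
    Alarm(2000, "example medium-severity signature", 4),
    Alarm(3000, "example high-severity signature", 5),
    Alarm(4000, "example informational signature", 2),
]

if __name__ == "__main__":
    # With "Medium", the level-3 and level-2 alarms show up in IDM only.
    for level in ("Information", "Low", "Medium"):
        seen, missing = reconcile(SAMPLE_LOG, level)
        print(f"Level={level}: IEV sees {seen}, missing from IEV {missing}")
```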

4 Replies

jlin1
Level 1

Have you added that sensor into IEV's device list? If so, please make sure the postoffice settings in IEV and sensor exactly match. Besides, three services: CSIDS DataFeed, Cisco IDS Event Viewer, and MySQL should be running. You can check that by opening Windows' Service Panel. If those services are not running, IEV won't be able to get alarms from sensor and store them into database.

Jie

I am getting alarms in the IEV, but not all that are in the IDM logs. Thanks,


mguirguis
Level 1

Thanks that was the issue!