11-11-2002 01:38 PM - edited 03-09-2019 01:01 AM
I have seen alarms in the IDS event logs that have not been received by the IEV. There is no filter on the IEV.
Thanks in advance,
Maged
11-13-2002 09:38 AM
I think I may have an answer...
Perhaps it has something to do with the Information "Level" set for the alarm data to be passed to the host running IEV?
Under the "Configuration>Communications>Remote Hosts>Event Destinations" in IDM, edit the remote host and check the Information "Level" that is set.
There are four levels available: "Information", "Low", "Medium" and "High". These map to the Alarm Severity Levels: 1 and 2 are "Information"; 3 is "Low"; 4 is "Medium"; and 5 is "High".
As I understand it, the IEV will only receive alarms that are equal to (or higher than) the "Level" set in IDM. In other words, if you're set up to accept "Medium", then IEV will only see level 4 and 5 alarms. Since many alarms in the NSDB are level 3, it stands to reason that you'd see them in the IDM logs but, thanks to an Information "Level" setting of "Medium", you won't see them reflected in IEV.
Let me know if this solves your mystery.
Alex Arndt, GCIA
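As an added illustration (not code from this thread or from Cisco), the following Python models the Event Destination "Level" threshold described above and reconciles a constructed sensor log against it, so you can see which alarms IDM logs but IEV never stores. The log line format, signature ids and names are assumed placeholders, not a real Cisco IDS format.

```python
# Added example: simulate the IDM Event Destination "Information Level"
# threshold and reconcile a sensor log against it. The key=value log format
# and the signature ids below are constructed for this example only.
from typing import Dict, Iterable, List

# Alarm severity 1-5 -> IDM Information Level, as described in the thread.
SEVERITY_TO_LEVEL = {1: "Information", 2: "Information", 3: "Low", 4: "Medium", 5: "High"}
# Ordering of levels; IEV receives alarms at or above the configured level.
LEVEL_ORDER = ["Information", "Low", "Medium", "High"]


def forwarded_to_iev(severity: int, destination_level: str) -> bool:
    """True if an alarm of this severity clears the remote host's Level."""
    if severity not in SEVERITY_TO_LEVEL:
        raise ValueError(f"severity out of range 1-5: {severity}")
    alarm_rank = LEVEL_ORDER.index(SEVERITY_TO_LEVEL[severity])
    return alarm_rank >= LEVEL_ORDER.index(destination_level)


def parse_alarm(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value key=value' alarm record."""
    return dict(field.split("=", 1) for field in line.split())


def reconcile(sensor_log: Iterable[str], destination_level: str) -> Dict[str, List[str]]:
    """Split sensor alarms into those IEV would store and those it never sees."""
    result: Dict[str, List[str]] = {"forwarded": [], "suppressed": []}
    for line in sensor_log:
        alarm = parse_alarm(line)
        seen = forwarded_to_iev(int(alarm["sev"]), destination_level)
        result["forwarded" if seen else "suppressed"].append(alarm["sig"])
    return result


# Constructed sample sensor log; signature ids and names are placeholders.
SAMPLE_LOG = [
    "sig=SIG-A sev=5 name=example-high",
    "sig=SIG-B sev=3 name=example-low",
    "sig=SIG-C sev=4 name=example-medium",
    "sig=SIG-D sev=1 name=example-info",
]

if __name__ == "__main__":
    # With "Medium" the level-3 alarm (SIG-B) is in the sensor log but never in IEV.
    for level in ("Medium", "Low"):
        print(level, reconcile(SAMPLE_LOG, level))
```

Lowering the destination Level to "Low" in IDM makes the level-3 alarms appear in IEV, at the cost of a larger IEV database.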
11-11-2002 01:54 PM
Have you added that sensor into IEV's device list? If so, please make sure the postoffice settings in IEV and the sensor exactly match. Besides, three services should be running: CSIDS DataFeed, Cisco IDS Event Viewer, and MySQL. You can check that by opening Windows' Service Panel. If those services are not running, IEV won't be able to get alarms from the sensor and store them into the database.
Jie
11-11-2002 03:04 PM
I am getting alarms in the IEV, but not all that are in the IDM logs. Thanks,
11-15-2002 10:14 AM
Thanks that was the issue!