IDS 4215 Sensor No IPLogs

markb
Level 1

Can anyone please enlighten me?

I have configured a 4215 Sensor running the latest version 4 software & signatures.

I have configured the sensor to use a Pix to facilitate shunning. The configuration has been running for over a week, and I have selected certain signatures to block on; this works and I can see hosts in the block list.

My problem is that under <monitoring> <IPLogs> there are no log files listed.

Is this correct?

In version 3 on a 4210 sensor there are numerous log files listed; these were downloadable to my local machine, whereupon I could import them into IDS Event Viewer and view all the events that had taken place. Is this no longer how it is done in version 4?

What I can do under <monitoring> <events> is see a list of events that have taken place displayed through the IDM web page.

Any assistance would be greatly appreciated.

Regards

Mark

Accepted Solution

marcabal
Cisco Employee

First I think that there is some confusion between IP Logs and the logs for alarms.

In version 3.x there were 2 types of log files.

The traditional log file that contained the alarms in a comma delimited format that could be imported into IEV.

The second was an IP Log which was a log of the actual binary packets that were seen after the signature fired.

The "log" action on the signature would cause the creation of an IP Log file and had nothing to do with whether or not the alarm was logged into the comma delimited log file.

The logging of alarms into the comma delimited log file was controlled by whether or not loggerd was enabled on the sensor and if loggerd was setup as a destination for alarms in the destinations file.

In version 3.x you could download individual log files to your own PC and open them in IEV or load them into your own database.

In version 4.x there is no longer the concept of individual files for alarms and IP Log data on the sensor.

The alarm logs have been replaced with a circular buffer known as eventStore. It can be compared to a large circular database. The eventStore is 4 Gigs in size and when full will begin overwriting the oldest alarms with the newest alarms.

The IP Log files have been replaced with a similar circular storage for IP Log data.

The alarm data in version 4.x cannot be ftp'd off the sensor as an alarm log.

Instead you have a couple of options:

1) Use IDM to query the eventstore and pull out alarms that match certain criteria. You can then view the alarms in a plain text format.

2) Use the CLI "show events" command to do the same thing IDM can do.

3) Contact Cisco TAC and ask for the RDEP specification which provides the syntax for you to create your own queries to connect to the sensor and pull the alarms in a raw XML format that you can then load into your own database.

4) If you are an IEV user then the 4.x IEV has the ability to pull older alarms from the sensor.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#604023

In the device properties simply put in older start time and IEV will automatically pull in these old events from the sensor.

NOTE: There is not an import feature that can import the plain text or XML events that you would see from options 1, 2, or 3 above. So if you want to see them in IEV then use option 4.

Now for iplogs they can be ftp'd off the sensor using the copy command. But iplogs are the binary packet data and not a listing of alarms. They are only created when the "log" action is selected.

NOTE: IP Logging consumes sensor resources and can slow sensor performance. It is not necessary to IP Log an alarm to see the alarm itself in IEV or other management stations. So the "log" action should only rarely be used when the binary packet data is needed.
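The circular eventStore described in this answer, modelled as an added example (this is not Cisco's code and not from the thread; the capacities, alarm records and severity names are constructed sample values): a fixed-size store that drops the oldest alarms once full, with the kind of start-time/severity query that IDM, "show events" and IEV's older-start-time pull run against it.

```python
# Added example: scaled-down model of the IPS 4.x eventStore behaviour described
# above. The real store is 4 GB; here it is a few hundred bytes so the wraparound
# is visible. Alarm layout and severity names are constructed, not the sensor's.
from collections import deque
from dataclasses import dataclass

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class Alarm:
    time: int        # seconds since epoch (constructed sample values below)
    severity: str
    sig_id: int
    size: int        # bytes this record occupies in the store


class EventStore:
    """Circular alarm buffer: once capacity_bytes would be exceeded, the oldest
    alarms are dropped to make room, as the answer describes for eventStore."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.used = 0
        self.alarms = deque()
        self.overwritten = 0   # alarms lost to wraparound since startup

    def append(self, alarm):
        while self.alarms and self.used + alarm.size > self.capacity:
            old = self.alarms.popleft()
            self.used -= old.size
            self.overwritten += 1
        self.alarms.append(alarm)
        self.used += alarm.size

    def oldest_time(self):
        """Earliest alarm still retrievable; anything older is gone for good."""
        return self.alarms[0].time if self.alarms else None

    def query(self, start_time, min_severity="informational"):
        """Alarms at or after start_time with at least min_severity, the same
        filter an IDM query or an IEV start-time pull applies to the store."""
        rank = SEVERITY_RANK[min_severity]
        return [a for a in self.alarms
                if a.time >= start_time and SEVERITY_RANK[a.severity] >= rank]


def build_sample_store(capacity_bytes=1000, count=20, record_size=100):
    """Constructed sample: 20 alarms of 100 bytes each into a 1000-byte store,
    so the first 10 alarms are overwritten by the time the last one arrives."""
    store = EventStore(capacity_bytes)
    for i in range(count):
        sev = "high" if i % 5 == 0 else "low"
        store.append(Alarm(time=1000 + i * 60, severity=sev,
                           sig_id=2000 + i, size=record_size))
    return store
```

A query whose start time lies before `oldest_time()` silently returns only what survived the wrap, which is why alarms that must be kept have to be pulled (option 4 above) before the buffer fills.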


Thanks for the help.

The info was very useful.

mark