11-26-2002 05:45 PM - edited 03-09-2019 01:13 AM
We want to save our logs to an MSSQL DB, either directly from the IDS machines or by export from CSPM or IDSMC....
I have searched through the archives and have tried
http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch11.htm#xtocid121082
which teases but doesn't tell how.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/rdbms.htm#18460
vaguely refers to modifying the ids files to make a sql schema but doesn't say how.
Exporting from IDSMC is impossible since that db's password is unknowable and I think so is CSPM. Any suggestions? If there is a sql schema for use on the IDSs, please let me know.
11-27-2002 02:22 AM
I think IEV works on MySQL.... but IEV is limited to 3 sensors. So if you are under this limit, download IEV. It will create a MySQL DB that you can attack another way.
Hope this helps
11-27-2002 08:56 AM
Unfortunately, we have more than 3 sensors so that isn't an option.
11-28-2002 12:15 AM
I've got several questions:
1. How many devices are in production?
2. Why do you need access to the DB?
12-02-2002 01:32 PM
1 - several, more than 10
2 - to run our own reports using the data
12-03-2002 12:42 AM
Well several choices:
1) You use IDS-MDC. They have a Sybase DB. By configuring ODBC you should get access to the DB. The password should be asked of the TAC?
2) You can use CSPM. You use 'CvtNrlog', which exports the DB to a CSV file, then you import it into your SQL DB. This process can be automated through scripting.
3) You use Unix Director (should be replaced by IDS-MDC on Unix ???). Read this: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/dmp.htm
and also this
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/rdbms.htm
Hope this helps
12-03-2002 01:54 PM
Thanks for the replies, everyone, I'm slowly getting somewhere on this.
A few comments:
1) Cisco is loath to give up the Sybase password and it cannot be recovered, so that is a dead end, though it would be the best solution since CSPM is going away anyhow.
2) I can't believe I haven't seen this yet, after all the searching I've done! It looks very promising.
3) We aren't using Director.
I had already started work on a perl script that would parse the logfiles and send them to MSSQL, but I can do a very similar thing using cvtnrlog and an import daily. The problem with cvtnrlog is CSPM isn't a supported product anymore and all future releases are going to be for IDS-MC (which is a bear to work with so far). Maybe I'll just stick to using the FTP'd logs since they are platform independent and it's hard to justify keeping CSPM AND IDS-MC at the same time.
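Added example, not code from this thread or from Cisco: a Python sketch of the "parse the export, load it into SQL, run your own reports" step, with sqlite3 standing in for MSSQL/MySQL and an assumed column layout rather than the real CvtNrlog format. The point that applies equally to the perl-script approach is that alert fields carry attacker-supplied packet data, so they go into the INSERT as bound parameters and never by string concatenation.

```python
import csv
import io
import sqlite3

# Constructed sample rows; the column layout (timestamp, sensor, signature id,
# source, destination, detail) is assumed, not the real CvtNrlog export format.
SAMPLE_CSV = """\
2002-12-03 01:54:00,ids-sensor-01,3050,10.1.2.3,192.0.2.10,Half-open SYN flood
2002-12-03 01:55:12,ids-sensor-02,5081,10.9.8.7,192.0.2.20,"GET /cgi-bin/test.cgi?x=1'; DROP TABLE alerts; --"
2002-12-03 01:56:30,ids-sensor-01,2004,10.1.2.3,192.0.2.10,ICMP echo request
"""

SCHEMA = """CREATE TABLE IF NOT EXISTS alerts (
    id INTEGER PRIMARY KEY, ts TEXT NOT NULL, sensor TEXT NOT NULL,
    sig_id INTEGER NOT NULL, src_addr TEXT NOT NULL, dst_addr TEXT NOT NULL,
    detail TEXT)"""

def import_alert_csv(conn, csv_text):
    """Parse the export with the csv module and insert every well-formed row
    through bound parameters. Returns the number of rows imported."""
    conn.execute(SCHEMA)
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 6:
            continue          # malformed line: skip rather than guess
        ts, sensor, sig_id, src, dst, detail = row
        try:
            rows.append((ts, sensor, int(sig_id), src, dst, detail))
        except ValueError:
            continue          # non-numeric signature id
    with conn:                # one transaction for the whole batch
        conn.executemany(
            "INSERT INTO alerts (ts, sensor, sig_id, src_addr, dst_addr, detail)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            rows,
        )
    return len(rows)

def alerts_per_sensor(conn):
    """Example custom report: alert count per sensor."""
    cur = conn.execute("SELECT sensor, COUNT(*) FROM alerts GROUP BY sensor")
    return dict(cur.fetchall())

def run_demo():
    db = sqlite3.connect(":memory:")
    n = import_alert_csv(db, SAMPLE_CSV)
    # The hostile-looking detail field is stored as data; the table still exists.
    detail = db.execute("SELECT detail FROM alerts WHERE sig_id = 5081").fetchone()[0]
    return n, alerts_per_sensor(db), detail
```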
12-04-2002 12:25 AM
I'm still waiting for IDS Monitoring Center so I haven't tried this solution, but look at this
As far as I understand this chapter.... the command IdsPruning is similar to cvtNrlog. The archive file is a CSV, so again it can be imported into a MySQL DB where you can run your own queries.
regards
11-28-2002 11:18 AM
Is it possible to run queries & form executive reports on this MySQL on IEV?
11-29-2002 12:31 AM
I'm not an SQL expert,
but once you have access to the SQL database, you can run queries and create reports through perl.