ids secmon 1.2.3 severity setting

darin.marais
Level 4

I have a question regarding specifically SecMon 1.2.3, but the question could be related to previous releases.

When adding/importing a sensor to the monitor you may elect the severity.

When this parameter is set to, say, LOW, will it mean that:

1. Informational events are logged and not displayed at the console?

2. Informational events are not logged or displayed at the console?

2 Replies

gfullage
Cisco Employee

The sensor itself will always log ALL severity events locally into its 4Gig rotating log file.

Setting this parameter to Low on SecMon means that when SecMon queries the sensor to get the new alerts to download, only Low, Medium and High will be transferred, via RDEP, to the SecMon server and stored in the database there. Consequently, only these severity alerts will be seen in the Event Viewer within SecMon.

So to answer your question, it's number 1, but they're logged locally on the sensor only, they're not transferred to SecMon.

If this parameter is set to LOW and later on you decide that you would like to get the historical Informational events from the sensor, would it then just be a case of setting this parameter back to Informational and then opening SecMon from the date you need to view the Informational events?

Is there a way to force the SecMon to go re-query the sensor and fetch all the events from the sensor?