Viewing IPS Real Time Events From Multiple IPS Devices

Answered Question
Mar 8th, 2007

What's the best strategy for viewing IPS real time events from multiple IPS devices now that VMS has been made EOL?


There was a nice single view of all IPS events from all IPS devices being managed in VMS and I was wondering where I can tell people to go to receive the same information about their networks. I don't see it in CSM and I don't think they'll find it in MARS. Please advise and correct me if I am wrong. Thanks!

Correct Answer by vitripat about 10 years 4 months ago

You can use IEV. This is an event viewer which also has a real-time dashboard. You can import multiple sensors into it and view the events in real time.


Link for IEV for 5.x versions:

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ev


Link for IEV for 4.x versions:

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-ev


Regards,

Vibhor.

Overall Rating: 4.5 (2 ratings)
pmccubbin Thu, 03/08/2007 - 11:04

There is nothing in the Readme file about whether this product is limited to a maximum of 5 IPS devices.


If so, what do we do for larger deployments?

pmccubbin Thu, 03/08/2007 - 11:56

Vibhor,


Thank you for your responses.


Though what you suggest is a short-term option because CiscoWorks VPN/Security Management Solution (VMS) is in maintenance mode with no further releases planned.


My customer liked the functionality of the IPS Manager in VMS for viewing Real Time Events. He now complains of the loss of data integrity by having to use MARS and having to trust its ability to correlate events. It's like being accustomed to working on routers via the CLI and being told henceforth you can only use the GUI.


Thanks again.



rhermes Thu, 03/08/2007 - 14:57

VMS SecMon will continue to accept events from 5.x and current 6.0 sensors, but Cisco has not made any promises that it will continue to do so for the life of 6.x.

Cisco has a history of bumping us off the management platform of choice to the next thing they wish us to use. cough..director..VMS-MC..cough

gdntsoc Mon, 03/12/2007 - 12:42

Greetings, Vibhor. Just to clarify,


Cisco Security Monitor (CSM) alone DOES NOT provide the ability to see real-time IPS events from multiple sources... but the MARS add-on DOES provide this capability?


Thank you.

scottyd Wed, 04/25/2007 - 13:40

Hi,

Is it possible to use the IDS Event Viewer for 6.x sensors? I only see ver 5.x download of the event viewer.

Thanks

Scott

mhellman Thu, 04/26/2007 - 05:39

I tested v6 and the IEV a little bit and it appears to work fine.

bmcginty-ltk Thu, 04/26/2007 - 11:30

Yes, IPS Event Viewer (IEV) can be used with 6.x as well as 5.x sensors. Keep in mind that if you have upgraded to the new Cisco Security Manager (CSM) vers. 3.1, IEV is now integrated with that software. As a matter of fact, before you can install CSM 3.1, it will prompt you to un-install any previous versions of IEV before you can proceed.


If you are not using CSM 3.1, you should download/install IEV 5.2-1 for your 6.x sensor. Make sure you take a quick look at the read-me before you install.

mhellman Thu, 04/26/2007 - 11:48

So the 3.1 CSM has the event viewer built in? That is good news for those who were using VMS before and don't want to purchase CSMARS.

Nick Egloff Thu, 04/26/2007 - 08:31

MARS as well as a few other 3rd party products can correlate multiple IDS sensor information.


In order for the 3rd party products to be compatible, they have to be able to access the Cisco IDS via RDEP or SDEE; if you search, you should be able to find some of them that are out there fairly easily with Google or another search engine.
