Good day all.
I have been asked to re-create some functionality that was lost after the customer upgraded from VMS to CSM but without CS-MARS or any other event monitor. The user had the system set to generate an email when an event was fired. It apparently was noisy in the beginning but after tuning was not a bad solution. No one knows how it was originally set up but I can only assume it was the method described in the Cisco document at: http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps4077/products_configuration_example09186a00801fc770.shtml#fivesensor
Now, however, since the CSM does not receive event data, is it possible to recreate this 'notification' process?
They are using CSM 3.02 and the Sensors are still at 5.14. The Sensors will be updated to 5.17 later today. I will then either be upgrading the customer to the latest revisions and service packs for CSM or rolling them back to VMS depending on whether I can get the notifications to work with CSM.
NOTE: They are ordering a CS-MARS appliance with the belief that it will resolve the issue but as last word it will be several months at least before they could get it in. I am concerned that CS-MARS will NOT give them back this functionality. Can anyone confirm/deny?
Lastly - Since CSM does not include a Security Monitor like VMS did, and CS-MARS does not really recreate that sort of view or management of the events - what solution(s) are there to replicate the Security Monitor functionality? Is there? Is CS-MARS the new bully on the block?
Since customer is staying at a 5.1(x) version then you have 3 options:
1) downgrade to VMS and continue using Security Monitor
2) Stay with CSM and purchase CS-MARS for the event monitoring. CS-MARS should provide email notification capability.
3) Stay with CSM and install and use IEV 5.2(1).
IEV 5.2(1) can either be installed on a separate machine from CSM as a standalone utility:
IEV 5.2(1) contains the new feature for email notification for alerts.
OR IEV 5.2(1) can be installed as part of the CSM installation (I know it is in CSM 3.1, but not sure about earlier CSM versions).
Here is some documentation on running IEV 5.2(1) within the CSM framework:
NOTE: IEV 5.2(1) is targeted for use in networks with 5 or fewer sensors. When running with 5 or more sensors then CS-MARS would be the recommended viewer.
When the user later upgrades to version 6.x, then option 1 (downgrading to VMS) is no longer an option and either option 2 or 3 would be required.