Unable to view events via IME

Unanswered Question
May 26th, 2008

Hi

I have recently installed Cisco IME so as to analyze the IPS Events .The issue is that the events are not coming on IME at all. When i see from the sensor itself (via "show events alert past 00:10 command ) there are huge no. of events coming on the console itself but not on IME . Earlier they use to come perfectly. Also there is no issue with the COMMUNICATION from IME Server to the Sensor (Telnet on 443 is happening )

Please help me out in this regard

Ankur

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.9 (8 ratings)
Loading.
Farrukh Haroon Mon, 05/26/2008 - 22:13

Ankur, can you please let us know you IPS platform and software version?

Regards

Farrukh

ankurs2008 Mon, 05/26/2008 - 23:20

There is no single IME which is giving issue , it is happening with our 2 /3 customers having IPS . Some of them are having

1) IPS - 4240 , Version 5.1(5)E1

2) ASA IPS 6.0(2)E1 ASA-SSM-10

Please help me in this regard

Farrukh Haroon Tue, 05/27/2008 - 05:07

In the Devices >> Device List >> Sensor Name

Under "Event Status", do you see "Connected" or "Not Connected"?

Did you try to right click on the Sensor(s) and do:

Starts >> Events Connection

Please note health monitoring and most other features are only supported for Version 6.1.x and not the versions you mentioned.

ankurs2008 Tue, 05/27/2008 - 07:05

Hi

I have verified and the status for all the IME is connected . The Start -> Event conenction is not highlighted and is blurred . Please tell me how to proceed

Ankur

Farrukh Haroon Wed, 05/28/2008 - 02:24

Btw, I faced a similar issue with Four IDSM-2 of one of our customers, they were not showing any events yesterday. Today I came and opened IME and the events started coming. I changed nothing for sure.

You may have a look at Tools >> IME Console Window and see if you are getting any specific errors

ankurs2008 Wed, 06/11/2008 - 12:14

hi happs

i have seen and observed that events come on the IME and suddenly one day it will stop coming and are stopped till next few days , and again it starts coming .When the events donto come those days i have observed that the events do come on the sensor itself

This kind of trend clearly says that it may happen due to database issue .Please let me know till what time the database will store events .Is there any probability that the events coming on the sensor do not reach the IME Machine (conside 443 port is opened and the sensor is showing as connected)

Ankur

lekeosi11 Tue, 06/24/2008 - 06:39

Had a similar issue. Took a look at the client-log file in the Program Files\Cisco Systems\Cisco IPS Manager Express\log folder. The last entries had an error about a crashed table. Repaired the mysql table from the command line amd restarted IME. I can now see events in IME.

Farrukh Haroon Wed, 06/25/2008 - 11:13

What is the command to do this, for future refence(sorry I am not a DB guy)

Regards

Farrukh

lekeosi11 Fri, 06/27/2008 - 02:12

Quick way to do this.

Open up a command prompt on Windows

Change directory to the Cisco IME folder. (in my case, this was C:\Program Files\Cisco Systems\Cisco IPS Manager Express>)

Type the following commands:

more my.ini (look for the port value, in my case it was 47007)

cd MYSQL\bin (takes you to the directory containing the mysql executable)

mysqlcheck.exe -P 47007 --auto-repair alarmDB

You can change 47007 to whatever value you came up with in the my.ini file. The alarmDB dtabase is where Cisco IME stores it's data. The last command will run a check on all the tables in the database. If you know the particular table that's having issues, you can use :

mysqlcheck.exe -P 47007 --auto-repair alarmDB tablename

eg

mysqlcheck.exe -P 47007 --auto-repair alarmDB event_table_1

HTH

pmccubbin Wed, 06/25/2008 - 11:47

Hi Adeleke,

Thanks for posting a great response. I rate it a "5" for all of us who might have to troubleshoot this in the future. It's always nice to know what to look for instead of simply making an educated guess.

Best,

Paul

Kamal Machareka Mon, 08/16/2010 - 15:20

I found the response about refreshing the SQL database table valuable, but it didn't fix my problem. In my case it was an expired certificate. To fix this I issued the "tls generate-key" command from the IPS command prompt, then in IME select the sensor from "Home" then "Edit" and click "Ok" without any changes. It will prompt you to accept the new certificate and the Events Connection started working normally ever since.

Hope this helps.

ugabichipaopao Sun, 12/12/2010 - 07:18

Hi, 

I am doing exactly what is described and I get a next error : 

mysqlcheck.exe: Got error: 1045: Access denied for user 'ODBC'@'localhost' (usin g password: NO) when trying to connect

Event status still Not connected! Please help with this issue.

srikanthmavelikara Tue, 12/28/2010 - 22:27

I am also getting the same error while troubleshooting the events issue.

Is this an error related to SQL?

tejeu_tejeu Wed, 07/20/2011 - 05:28

Dear All,

I am also facing the same error:

1.mysqlcheck.exe: Got error: 1045: Access denied for user 'ODBC'@'localhost' (usin g password: NO) when trying to connect

2.I am able to see only real time events but not able to view any past logs on IME (IPS Manager Express)? what are possible cause? I am able to see the events in IDM

We are using ASA-SSM-10 module, Engine version 7.0(5)E4

Steps taken to resolve this issue:

I have deleted and re-added the devices

Restarted the services Steps taken to resolve this issue:
I have deleted and re-added the devices
Restarted the services

Kindly help on this issue.

Regards,

Tej

Actions

This Discussion