Cisco IPS ASA SSM-10

leo_zidane
Level 1

I am using an ASA SSM-10 IPS. Currently it keeps logging those alert events.

Where does the IPS keep all those event logs? In the disk space?

Where can I see how much space I have left?

Will it go down if the space is full?

Accepted Solution

You don't need to clear it; it's CIRCULAR and will overwrite itself. More info can be found here:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliArch.html#wp1010399

The command is 'clear events'

You cannot delete 'individual' events. It's all or none.

Yes, the best way is to tune the IPS for false positives by either editing/disabling unwanted signatures or using event action filters.

Regards

Farrukh


5 Replies

Which one is the event logging report stored at?

If the disk is full, what will happen? Will the sensor overwrite or go down?

For example:

Using 475115328 out of 534229087 bytes of available memory (90% usage)

system is using 13.5M out of 22.0M bytes of available disk space (53% usage)

application-data is using 34.6M out of 168.9M bytes of available disk space (22% usage)

boot is using 30.7M out of 64.5M bytes of available disk space (55% usage)

application-log is using 489.4M out of 3.0G bytes of available disk space (18% usage)

This is from the post I linked earlier, and you don't have to worry: the sensor will definitely not go 'down'. The event-log data structure is circular and is overwritten every time it is full.

"The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV, IME etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."

I'm assuming, since the event-store is only 30 MB, that it's a 'part' of one of the following partitions:

application-data OR application-log

Most probably the first one.

Regards

Farrukh
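As an added example (not code from this thread or from Cisco), here is a small Python helper that parses usage lines like the ones pasted above and estimates how quickly a 30 MB circular event store wraps at a given alert rate. The sample text is the output quoted in the thread, embedded inline; the alert rate and average event size used in the usage call are assumed values, and the 15-minute threshold comes from the quoted Cisco text. Note that the sensor's reported percentage is not simply used divided by total (13.5M of 22.0M is shown as 53%), so the threshold check relies on the reported figure rather than recomputing it.

```python
import re

# Sample input, copied from the usage lines quoted in this thread (constructed test data;
# the page does not name the command that produced it).
SAMPLE_USAGE = """\
Using 475115328 out of 534229087 bytes of available memory (90% usage)
system is using 13.5M out of 22.0M bytes of available disk space (53% usage)
application-data is using 34.6M out of 168.9M bytes of available disk space (22% usage)
boot is using 30.7M out of 64.5M bytes of available disk space (55% usage)
application-log is using 489.4M out of 3.0G bytes of available disk space (18% usage)
"""

# Multipliers for the unit suffixes seen in the output (binary units assumed).
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

# One usage line: either "<name> is using X out of Y ..." or the memory line "Using X out of Y ...".
LINE_RE = re.compile(
    r"^(?:(?P<name>[\w-]+) is using|Using)\s+"
    r"(?P<used>[\d.]+)(?P<uunit>[KMG]?)\s+out of\s+"
    r"(?P<total>[\d.]+)(?P<tunit>[KMG]?)\s+bytes of available (?P<kind>memory|disk space)"
    r"\s+\((?P<rpct>\d+)% usage\)"
)


def _to_bytes(value, unit):
    """Convert '13.5' + 'M' style values to an integer byte count."""
    return int(float(value) * _UNITS[unit])


def parse_usage(text):
    """Parse usage lines into dicts: name, kind, used, total, free (bytes) and reported_pct."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip banner lines or anything in an unexpected format
        used = _to_bytes(m["used"], m["uunit"])
        total = _to_bytes(m["total"], m["tunit"])
        rows.append({
            "name": m["name"] or "memory",
            "kind": m["kind"],
            "used": used,
            "total": total,
            "free": total - used,
            "reported_pct": int(m["rpct"]),
        })
    return rows


def over_threshold(rows, pct=90):
    """Names of resources whose sensor-reported usage is at or above pct."""
    return [r["name"] for r in rows if r["reported_pct"] >= pct]


# Fixed 30 MB circular eventStore, as stated in the Cisco text quoted in the thread.
EVENT_STORE_BYTES = 30 * 1024 ** 2


def wrap_interval_minutes(events_per_minute, avg_event_bytes):
    """Estimate how many minutes it takes the circular event store to wrap at a given rate."""
    bytes_per_minute = events_per_minute * avg_event_bytes
    if bytes_per_minute <= 0:
        return float("inf")  # no events, so the store never wraps
    return EVENT_STORE_BYTES / bytes_per_minute


def wraps_too_fast(events_per_minute, avg_event_bytes, min_minutes=15):
    """True when the store wraps faster than the 10-15 minute window the quoted text warns about."""
    return wrap_interval_minutes(events_per_minute, avg_event_bytes) < min_minutes


if __name__ == "__main__":
    rows = parse_usage(SAMPLE_USAGE)
    for r in rows:
        print(f"{r['name']:<18} {r['reported_pct']:>3}% used, {r['free']} bytes free ({r['kind']})")
    print("at/over 90%:", over_threshold(rows))
    # Hypothetical alert rate: 2000 alerts per minute averaging 1 KB each (assumed values).
    print("estimated wrap interval (min):", round(wrap_interval_minutes(2000, 1024), 1))
    print("wraps faster than 15 min:", wraps_too_fast(2000, 1024))
```

Run as-is to see the five parsed rows and the wrap estimate; feed `parse_usage` the live output from your own sensor and `wrap_interval_minutes` your own measured alert rate. If the estimate drops under the quoted 10 to 15 minute window, that is the signal to tune signatures or add event action filters rather than to clear the store.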

By default, the event-store is only 30MB, is it? So I do not need to clear the event log data, since it will overwrite itself?

What is the command to clear the event log data?

Is there no way to configure the event-store setting, other than to specify alarms only on meaningful events?

