07-18-2008 02:23 AM - edited 03-10-2019 04:12 AM
Hi,
Could anyone please tell me where I can find the information regarding the fields of the log for IPS 4200? In what sequence do they appear in log files and what does each field signify?
Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:
[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]
Thanks.
Regards,
Pratik
07-18-2008 08:09 AM
Pratik -
There are two ways of getting event messages out of a sensor. The standard is SDEE, which is just XML that you can look inside to see the tags on each field. They like to call it "self documenting". The second (and more difficult because it requires you to tune each active signature) is syslog.
Which log format are you looking for?
07-18-2008 08:48 AM
Thanks rhermes.
I am more interested in the fields that are there in the logs and not the actual format of the log.
I am trying to find out what information is available in the logs, e.g. attacker IP, victim IP, signature ID, etc.
The format of the logs (SDEE/syslog) doesn't matter.
In total, how many fields are there for each log and what does each field mean?
I am really sorry if this sounds silly, but I am new to the IPS stuff and couldn't get the info I wanted on the Cisco site.
Please let me know if anyone could share this info with me. It would be really helpful to me.
Thanks.
Regards,
Pratik
07-18-2008 02:25 PM
Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4, I don't see Risk Rating). Each time a new major version of software is released, new features are added and (if reportable) they show up as new fields in the SDEE messages.
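The point rhermes makes above, that SDEE is "self documenting" XML whose tags name the fields, can be turned into a small tool. The following is an added example, not code from this thread or from Cisco: it walks a 5.x-style evIdsAlert and lists every element and attribute it finds (so you discover what your sensor version actually reports, Risk Rating included or not), then pulls out the subset the original question asked for and lays it out in the flat, comma-separated form sketched in the first post. The sample alert is constructed for the example; its tag layout, namespace URIs, action names and the assumption that the time value is nanoseconds since the epoch are modelled on the 5.x format from memory, so treat a real sensor's output as the authority on exact names.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of a Cisco IPS 5.x-style SDEE evIdsAlert (not captured from
# a real sensor). Namespace URIs, tag names and the cid:actions children are
# assumptions modelled on the documented layout. Address ranges are RFC 5737.
SAMPLE_ALERT = """<sd:evIdsAlert eventId="1216371600000000001" severity="high" vendor="Cisco"
    xmlns:sd="http://example.com/cisco/ids/sdee"
    xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
  <sd:originator>
    <sd:hostId>sensor1</sd:hostId>
    <sd:appName>sensorApp</sd:appName>
    <sd:appInstanceId>399</sd:appInstanceId>
  </sd:originator>
  <sd:time offset="0" timeZone="UTC">1216371600000000000</sd:time>
  <sd:signature description="TCP SYN Port Sweep" id="3002" version="S2" subsigId="0"/>
  <sd:interfaceGroup>vs0</sd:interfaceGroup>
  <sd:vlan>0</sd:vlan>
  <sd:participants>
    <sd:attacker>
      <sd:addr locality="OUT">192.0.2.10</sd:addr>
      <sd:port>40212</sd:port>
    </sd:attacker>
    <sd:target>
      <sd:addr locality="IN">198.51.100.7</sd:addr>
      <sd:port>22</sd:port>
    </sd:target>
  </sd:participants>
  <cid:actions>
    <cid:deniedAttacker>true</cid:deniedAttacker>
    <cid:droppedPacket>true</cid:droppedPacket>
  </cid:actions>
  <cid:riskRatingValue targetValueRating="medium">85</cid:riskRatingValue>
  <cid:interface>ge0_1</cid:interface>
  <cid:protocol>tcp</cid:protocol>
</sd:evIdsAlert>
"""

# Prefix-to-URI map used for namespace-aware lookups (same assumed URIs as above).
NS = {"sd": "http://example.com/cisco/ids/sdee",
      "cid": "http://www.cisco.com/cids/2004/04/cidee"}


def local_name(tag):
    """Strip the '{uri}' prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def enumerate_fields(xml_text):
    """Walk the whole alert and return {path: value} for every element text and
    every attribute. This answers 'what fields exist?' for whatever version of
    sensor produced the message, without hard-coding a field list."""
    root = ET.fromstring(xml_text)
    fields = {}

    def walk(elem, parent_path):
        path = (parent_path + "/" if parent_path else "") + local_name(elem.tag)
        for attr, value in elem.attrib.items():
            fields[path + "@" + attr] = value
        text = (elem.text or "").strip()
        if text:
            fields[path] = text
        for child in elem:
            walk(child, path)

    walk(root, "")
    return fields


def summarize_alert(xml_text):
    """Extract the fields the original question listed. Fields absent on older
    sensors (e.g. riskRatingValue on a version 4 box) come back as None."""
    root = ET.fromstring(xml_text)
    sig = root.find("sd:signature", NS)
    # Assumption: sd:time holds nanoseconds since the Unix epoch.
    nanos = int(root.findtext("sd:time", namespaces=NS))
    ts = datetime.fromtimestamp(nanos // 1_000_000_000, tz=timezone.utc)
    # Actions are boolean child elements; keep the ones the sensor set to true.
    actions = [local_name(a.tag) for a in root.findall("cid:actions/*", NS)
               if (a.text or "").strip() == "true"]
    risk = root.findtext("cid:riskRatingValue", namespaces=NS)
    return {
        "timestamp": ts.isoformat(),
        "signature_id": sig.get("id"),
        "subsig_id": sig.get("subsigId"),
        "vendor": root.get("vendor"),
        "description": sig.get("description"),
        "severity": root.get("severity"),
        "attacker_ip": root.findtext("sd:participants/sd:attacker/sd:addr", namespaces=NS),
        "victim_ip": root.findtext("sd:participants/sd:target/sd:addr", namespaces=NS),
        "protocol": root.findtext("cid:protocol", namespaces=NS),
        "risk_rating": int(risk) if risk is not None and risk.strip() else None,
        "actions": actions,
    }


def flat_line(summary):
    """Render the summary in the comma-separated layout from the first post."""
    order = ("timestamp", "signature_id", "vendor", "description",
             "attacker_ip", "victim_ip", "protocol", "severity", "risk_rating")
    cells = [str(summary[k]) if summary[k] is not None else "" for k in order]
    cells.append("+".join(summary["actions"]))
    return " , ".join(cells)


if __name__ == "__main__":
    for path, value in sorted(enumerate_fields(SAMPLE_ALERT).items()):
        print(f"{path} = {value}")
    print(flat_line(summarize_alert(SAMPLE_ALERT)))
```

Running it prints one line per discovered field (for example `evIdsAlert/participants/target/addr = 198.51.100.7`) followed by the flattened record. The enumeration is the useful part when moving between sensor versions: diff its output for a 4.x and a 5.x alert and the new fields (Risk Rating, Threat Rating, and so on) show up by name.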