Backup events from IDS 4215

davidbuit
Level 1

Is it possible to copy the IPS event log files to a server from a Cisco IPS 4215 device?


rhermes
Level 7

Assuming you want to be able to look through the events and find something of interest at a later date: if you have 5 or fewer sensors, try using the free Cisco Manager Express

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

If you have more than 5 sensors, you're looking for a SIM like Cisco's CS-MARS, netForensics, Intellitactics, etc.

Hi guys, I would really appreciate it if someone could help me find out how I can back up my previous logs from IME.

You might find that IME>File>Export would work well for you. Unlike IME's embedded Event Monitoring tool's limitation of the last 999 hours, the export can export data going well beyond that. I'm not sure if Cisco has a limit to IME's data retention, or will institute a limit in IME. My export takes me back to what I believe is the date I installed the software, June 2008. (Unix dates, BTW.)

The version of IME I use is 6.2.1.  Hopefully the same capability remains in future versions of IME.

Thanks for the reply.

If I export data from IME for December, would it be deleted from the database after the export?

I have exported data for the December period, but the DB size is the same, and when I search for any event from the December time frame, I can see events. I am actually wondering: if after export the data doesn't get exported, then eventually my DB size is huge?

I have performed the export multiple times and I still see 2008 data in it.  So, it may not be removing anything.

If there is a size/date limit to IME's locally retained data, I do not know what it would be.  Maybe someone from Cisco can address this authoritatively.

Thanks,

Let me discuss this with one of my suppliers, because as far as I have searched, I have not found any published document from Cisco about IME in detail.

Thanks for replying.

Have you ever experienced that if you close the IME application it doesn't collect logs for that specific time interval, and then when you run the application, it cannot get those alarms from the IPS?

I hope you understand what I mean...

My IME stopped responding on Friday night, and when on Monday morning I tried to pull a report from IME, it could not retrieve data... What I believe is that it should be able to retrieve it, as that data should be stored in the IPS buffers...? When I try to check events from the last 72 hours, I can see very few events from the Saturday and Sunday dates; however, they are very low triggered alarms as compared to previous weekend days.

What do you suggest?

The events processing is done by the service at the end. If the IME console is closed, the service should keep running (under normal operation).

There is a bug in IME that causes it to shut down its service every time you log off from your machine; maybe this is the bug you are hitting.

Exporting the events should not delete them from the database.

Also, the new IME supports up to 10 IPS devices, not just 5.

Please rate if helpful.


Regards

Farrukh

Thanks Haroon, it was helpful.

So is there any way to decrease the size of the database? (I see a lot of files in the Data folder, but I am unable to find out how they increment, because there is no specific pattern, like a file reaching a specific size, or incrementing after 1 week.)

Secondly, is there any workaround to sort out this stopped-services bug? Whenever I close IME, it doesn't record data for that specific time interval.

Regards

I'm sorry, but I don't think Cisco publicly releases any internals of the database. It would be better if you open a case for this or have someone from Cisco comment on this.

I would expect the service down issue to be solved in a future release, because it is a major pain.

Regards


Farrukh

Thanks

Well, I tried copying the SQL data folder and it worked with a NEW installation... I can extract the information for those dates.
