AIP-SSM20 Event Store

suschoud Fri, 09/26/2008 - 05:36

The IDS Sensor cannot archive the signature events for a long time, as it has a fixed memory space in which to store the signature events, which is overwritten when full. But these events can be stored to an external management system such as CiscoWorks VPN/Security Management Solution (VMS), Cisco Security Monitoring, Analysis and Response System (CS-MARS), or IDS Event Viewer (IEV).

Refer to Cisco Downloads in order to download the IDS Event Viewer.

Do rate helpful posts.

Regards,

Sushil

rhermes Fri, 09/26/2008 - 09:23

suschoud is right. Cisco has shrunk the event store as they have moved from hard-disk-based sensors to flash-based ones with less storage. You have to get your events off the sensor or you will lose them. In addition to the methods suschoud mentioned above, you can also use SNMP if you set the action on each active signature you want to alert on to send an SNMP trap when it fires. This does not send as much information as an SDEE feed to VMS/CS-MARS/IEV.
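The two posts above describe the same failure mode: the sensor's event store is a fixed-size buffer that overwrites the oldest alerts once it is full, so anything not pulled off to an external collector in time is gone. The following is an added model of that behaviour, not code from Cisco or from the posters, written to show how a collector that polls the store can tell that alerts were lost. The buffer size, the alert fields (`seq`, `sig`, `src`, `dst`) and the polling pull are assumptions made for the model and are not the SDEE or sensor API.

```python
"""Model of a fixed-size IDS event store and a collector that pulls alerts off it.

Added example (not Cisco or poster code). The sensor's event store is modelled
as a ring buffer that overwrites the oldest alert when full; the collector
detects lost alerts from gaps in the sensor-assigned sequence numbers. Field
names, capacity and the polling pull are assumptions for the model.
"""
from collections import deque


class SensorEventStore:
    """Fixed-capacity store: once full, each new alert drops the oldest one."""

    def __init__(self, capacity):
        self._buf = deque(maxlen=capacity)   # deque discards the oldest entry itself
        self._next_seq = 1
        self.overwritten = 0                  # alerts the sensor has already discarded

    def record(self, signature_id, attacker, victim):
        if len(self._buf) == self._buf.maxlen:
            self.overwritten += 1             # the oldest entry is about to be lost
        self._buf.append({"seq": self._next_seq, "sig": signature_id,
                          "src": attacker, "dst": victim})
        self._next_seq += 1

    def fetch_since(self, last_seq):
        """Return every alert still in the store with seq > last_seq (a polling pull)."""
        return [e for e in self._buf if e["seq"] > last_seq]


class Collector:
    """External archive: keeps everything pulled and counts sequence gaps as losses."""

    def __init__(self):
        self.archive = []
        self.last_seq = 0
        self.lost = 0

    def poll(self, store):
        new = store.fetch_since(self.last_seq)
        if new and new[0]["seq"] != self.last_seq + 1:
            # The sensor overwrote alerts between our last pull and the oldest one left.
            self.lost += new[0]["seq"] - self.last_seq - 1
        self.archive.extend(new)
        if new:
            self.last_seq = new[-1]["seq"]
        return len(new)


def simulate(capacity, burst, poll_every):
    """Feed `burst` constructed alerts into a store of `capacity`, polling every
    `poll_every` alerts, and report what the collector archived versus lost."""
    store = SensorEventStore(capacity)
    collector = Collector()
    for i in range(1, burst + 1):
        # Constructed sample alert: rotating signature id and RFC 5737 test addresses.
        store.record(signature_id=1000 + (i % 3),
                     attacker="198.51.100.%d" % (i % 254 + 1),
                     victim="192.0.2.10")
        if i % poll_every == 0:
            collector.poll(store)
    collector.poll(store)                     # final drain after the burst
    return {"archived": len(collector.archive),
            "lost": collector.lost,
            "overwritten": store.overwritten}


if __name__ == "__main__":
    # Polling faster than the store fills loses nothing; polling slower loses alerts.
    print(simulate(capacity=100, burst=1000, poll_every=50))
    print(simulate(capacity=100, burst=1000, poll_every=250))
```

The point of the model is the relationship between the store's capacity and the collector's pull interval: as long as the collector pulls before the sensor has generated `capacity` new alerts, the archive is complete; once a burst outpaces the pull, the gap in sequence numbers is the only evidence that alerts ever existed, which is what the posters mean by having to get events off the sensor.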

vpersaud001 Fri, 10/24/2008 - 11:52
Does anyone know how to retrieve the archived data? I upgraded from IEV to IME but need to track down the old data for a PCI audit. Any help will be greatly appreciated. Thanks.
