Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
551
Views
4
Helpful
6
Replies

AIP-SSM20 Event Store

cmyip
Level 1
Level 1

‎09-26-2008 01:35 AM - edited ‎03-10-2019 04:18 AM

Anyone know is there a way to retrieve/backup the events in the AIP-SSM20 event store ?

I had read through their manual/white paper, but it didn't mention anything about retrieving/backing up the event store except on how to clear it.

Thanks.

CMYip

Labels:
0 Helpful
6 Replies 6

suschoud
Cisco Employee
Cisco Employee

‎09-26-2008 05:36 AM

The IDS Sensor can not archive the signature events for a long time as they have a fixed memory space in order to store the signature events, which is overwritten when full. But, these events can be stored to an external management system such as CiscoWorks VPN/Security Management Solution (VMS), Cisco Security Monitoring, Analysis and Response System (CS-MARS), or IDS Event Viewer (IEV).

Refer to Cisco Downloads in order to download the IDS Event Viewer.

Do rate helpful posts.

Regards,

Sushil

0 Helpful

rhermes
Level 7
Level 7
In response to suschoud

‎09-26-2008 09:23 AM

suscoud is right. Cisco has shrunk the event store as they have moved from hard disk based sensors to flash based with less storage. You have to get your events off the sensor or you will loose them. In addition to the methods suscoud mentioned above you also use SNMP if you set the action on each active signature you want to alert to send an SNMP Trap when they fire. This does not send as much information as an SDEE feed to VMS/CS-MARS/IEV.

0 Helpful

mathias.mahnke
Level 1
Level 1
In response to rhermes

‎09-28-2008 10:25 AM

There is also the IEV successor called Cisco IME (IPS Manager Express), which can manage up to 5 IPS devices and also can pull and store events.

http://www.cisco.com/cgi-bin/tablebuild.pl/ips-ime

cmyip
Level 1
Level 1
In response to mathias.mahnke

‎09-30-2008 01:24 AM

Thanks for all the reply. I'm using the IME now, but i don't see any option saving the store events to hard disk.

I will try out the IDS Event Viewer later. I read that it had a archive feature that can store the event to hard disk.

Will let you guy know the result later.

CMYip

0 Helpful

vpersaud001
Level 3
Level 3
In response to cmyip

‎10-24-2008 11:52 AM

Does anyone know how to retrieve the archived data? I upgraded from IEV to IME but need to track down the old data for a PCI audit. Any help will be greatly appreciated. Thanks.

0 Helpful

vpersaud001
Level 3
Level 3
In response to vpersaud001

‎10-27-2008 01:09 PM

Anyone?? Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card