IDS not generating events

Unanswered Question
Feb 10th, 2009

IDS is not generating events.

The following message shows up in the event log.


evError: eventId=1230128220192233058 vendor=Cisco severity=error

originator:

hostId: SI-IDS01

appName: mainApp

appInstanceId: 397

time: Feb 10, 2009 04:51:02 UTC offset=-300 timeZone=GMT-05:00

errorMessage: sentinel getLicenseInfo not successful: 0X12 name=errUnclassified


rhermes Wed, 02/11/2009 - 10:44

I'm not familiar with that error message, but a licensing error should not prevent the sensor from processing events, only signature updates.

Was this sensor working correctly and then stopped? Is this a new sensor?

I usually forget to assign an interface to virtualsensor0 (vs0); that can cause this problem.

vagarwal81 Wed, 02/11/2009 - 10:51

Sensor was working correctly till last week.

All interfaces have an assigned virtual sensor.

rhermes Wed, 02/11/2009 - 11:46

Is your sensor in promiscuous or in inline mode? If it's promiscuous, are you getting traffic? (show interface) And is the virtual sensor getting traffic? (show stat analysis)

Have you installed any upgrades or new sig packs around the time this problem started?

I hope you've tried rebooting the sensor.

vagarwal81 Wed, 02/11/2009 - 12:08

It is in promiscuous mode.

The IDS is seeing traffic; I have tried rebooting, with no effect.

I did install new sig updates, but that shouldn't cause any issues.

vagarwal81 Thu, 02/12/2009 - 07:24

Another error message that the IDS is now reporting:


evError: eventId=1230128220192228569 vendor=Cisco severity=error

originator:

hostId: SI-IDS01

appName: mainApp

appInstanceId: 397

time: Feb 07, 2009 13:35:04 UTC offset=-300 timeZone=GMT-05:00

errorMessage: IPS software attempted to write invalid XML data for (token). Invalid XML character(s) were replaced with '*' name=errWarning


rhermes Thu, 02/12/2009 - 09:11

Signature updates sometimes hide engine updates and certainly have taken out our sensors in the past. Assuming that isn't the case here (I think the 4240s have been more stable than most models), you can try to reimage your sensor software from the restore partition.
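
Added example, not part of the original thread and not Cisco tooling: a small Python parser for the evError records quoted above that orders them by timestamp, which shows the invalid-XML warning (Feb 07) was logged before the license error (Feb 10). The function names are hypothetical, the sample is constructed from the two records posted in the thread, and the `time:` value is assumed to be UTC as labeled.

```python
import re
from datetime import datetime

# Constructed sample: the two evError records quoted in the thread.
SAMPLE = """\
evError: eventId=1230128220192233058 vendor=Cisco severity=error
originator:
hostId: SI-IDS01
appName: mainApp
appInstanceId: 397
time: Feb 10, 2009 04:51:02 UTC offset=-300 timeZone=GMT-05:00
errorMessage: sentinel getLicenseInfo not successful: 0X12 name=errUnclassified

evError: eventId=1230128220192228569 vendor=Cisco severity=error
originator:
hostId: SI-IDS01
appName: mainApp
appInstanceId: 397
time: Feb 07, 2009 13:35:04 UTC offset=-300 timeZone=GMT-05:00
errorMessage: IPS software attempted to write invalid XML data for (token). Invalid XML character(s) were replaced with '*' name=errWarning
"""

HEADER = re.compile(r"^evError:\s+eventId=(\d+)\s+vendor=(\S+)\s+severity=(\S+)")
FIELD = re.compile(r"^(\w+):\s*(.*)$")

def parse_ev_errors(text):
    """Return one dict per evError record; blank and unknown lines are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # a header line starts a new record
            cur = dict(zip(("eventId", "vendor", "severity"), m.groups()))
            records.append(cur)
            continue
        m = FIELD.match(line)
        if cur is None or not m:
            continue
        key, value = m.groups()
        if key == "time":  # keep the UTC part, drop offset/timeZone
            cur["time"] = datetime.strptime(value.split(" UTC")[0], "%b %d, %Y %H:%M:%S")
        elif key == "errorMessage":  # trailing name=<err...> is the error class
            msg, sep, name = value.rpartition(" name=")
            cur["message"], cur["name"] = (msg, name) if sep else (value, None)
        elif value:  # "originator:" has no value and is skipped
            cur[key] = value
    return records

def timeline(records):
    """Timestamped records as (time, name, message), oldest first."""
    timed = sorted((r for r in records if "time" in r), key=lambda r: r["time"])
    return [(r["time"], r["name"], r["message"]) for r in timed]
```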
