IDS not generating events

Unanswered Question
Feb 10th, 2009

IDS is not generating events.

The following message shows up in the event log:

evError: eventId=1230128220192233058 vendor=Cisco severity=error


hostId: SI-IDS01

appName: mainApp

appInstanceId: 397

time: Feb 10, 2009 04:51:02 UTC offset=-300 timeZone=GMT-05:00

errorMessage: sentinel getLicenseInfo not successful: 0X12 name=errUnclassified

rhermes Wed, 02/11/2009 - 10:44

I'm not familiar with that error message, but a licensing error should not prevent the sensor from processing events, only signature updates.

Was this sensor working correctly and then stopped? Is this a new sensor?

I usually forget to assign an interface to virtualsensor0 (vs0); that can cause this problem.

vagarwal81 Wed, 02/11/2009 - 10:51

Sensor was working correctly till last week.

All interfaces have a virtual sensor assigned.

rhermes Wed, 02/11/2009 - 11:46

Is your sensor in promiscuous or in inline mode? If it's promiscuous, are you getting traffic? (show interface) And is the virtual sensor getting traffic? (show stat analysis)

Have you installed any upgrades or new sig packs around the time this problem started?

I hope you've tried rebooting the sensor.

vagarwal81 Wed, 02/11/2009 - 12:08

It is in promiscuous mode.

IDS is seeing traffic; I have tried rebooting, with no effect.

I did install new sig updates, but that shouldn't cause any issues.

vagarwal81 Thu, 02/12/2009 - 07:24

Another error message that IDS is now reporting:

evError: eventId=1230128220192228569 vendor=Cisco severity=error


hostId: SI-IDS01

appName: mainApp

appInstanceId: 397

time: Feb 07, 2009 13:35:04 UTC offset=-300 timeZone=GMT-05:00

errorMessage: IPS software attempted to write invalid XML data for (token). Invalid XML character(s) were replaced with '*' name=errWarning

rhermes Thu, 02/12/2009 - 09:11

Signature updates sometimes hide engine updates and certainly have taken out our sensors in the past. Assuming that isn't the case here (I think the 4240s have been more stable than most models), you can try to reimage your sensor software from the restore partition.
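An added example, not part of the thread and not Cisco code: a small parser for evError records in the layout pasted above, which puts them in time order so sensor errors can be lined up against change windows such as a signature update. The function name `parse_events` is hypothetical, and it assumes the timestamp is UTC as labelled and that `offset` is minutes from UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# The two records pasted in the thread above (blank lines dropped).
SAMPLE = """\
evError: eventId=1230128220192233058 vendor=Cisco severity=error
hostId: SI-IDS01
appName: mainApp
appInstanceId: 397
time: Feb 10, 2009 04:51:02 UTC offset=-300 timeZone=GMT-05:00
errorMessage: sentinel getLicenseInfo not successful: 0X12 name=errUnclassified
evError: eventId=1230128220192228569 vendor=Cisco severity=error
hostId: SI-IDS01
appName: mainApp
appInstanceId: 397
time: Feb 07, 2009 13:35:04 UTC offset=-300 timeZone=GMT-05:00
errorMessage: IPS software attempted to write invalid XML data for (token). Invalid XML character(s) were replaced with '*' name=errWarning
"""

HEADER = re.compile(r"^evError:\s+eventId=(\d+)\s+vendor=(\S+)\s+severity=(\S+)")
TIME = re.compile(r"^(\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}) UTC offset=(-?\d+)")
MSG = re.compile(r"^(.*)\s+name=(\w+)$")

def parse_events(text):
    """Return one dict per evError record, oldest first."""
    events, cur = [], None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:  # header line starts a new record
            cur = dict(zip(("eventId", "vendor", "severity"), m.groups()))
            events.append(cur)
        elif cur is not None and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            t = TIME.match(value) if key == "time" else None
            if t:  # assumption: stamp is UTC, offset is in minutes
                utc = datetime.strptime(t.group(1), "%b %d, %Y %H:%M:%S")
                cur["utc"] = utc.replace(tzinfo=timezone.utc)
                cur["local"] = cur["utc"].astimezone(timezone(timedelta(minutes=int(t.group(2)))))
            elif key == "errorMessage":  # split the trailing name=<code> off the text
                m = MSG.match(value)
                cur["message"], cur["name"] = m.groups() if m else (value, None)
            else:
                cur[key] = value
    epoch = datetime.min.replace(tzinfo=timezone.utc)  # records without a time sort first
    return sorted(events, key=lambda e: e.get("utc", epoch))
```

Sorted this way, the invalid-XML warning (Feb 07) comes before the licensing error (Feb 10), the reverse of the order in which the two were posted.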

