James Thomas Fri, 11/20/2009 - 15:43

Yes, you can use MARS or IME (any combination) to both simultaneously pull alerts using SDEE from the sensor.

Farrukh Haroon Sun, 11/22/2009 - 06:00
User Badges:
  • Red, 2250 points or more

MARS and IME both use the 'pull' event architecture to retrieve events from IPS devices, and as already answered both can 'pull' events from the same IPS device simultaneously without any issues (except the performance lag). IME will store events in its MSDE database and MARS has its own Oracle database (which can be archived using UNIX NFS). IME is limited to 10 sensors though.

Regards

Farrukh

000000jbl Tue, 11/24/2009 - 08:02

Ok, so do I understand correctly that there is no way to have IDSM send its logs out to a generic log server? I understand SDEE and the "pulling" of events from IDSM. Is there no way to have IDSM push? Maybe via syslog rather than SDEE?

Farrukh Haroon Tue, 11/24/2009 - 12:55
User Badges:
  • Red, 2250 points or more

You are correct, the IPS does not support syslog reporting. You can enable SNMP traps on a per signature basis though. But one has to be careful not to overwhelm the IPS CPU/memory resources in doing so.

Regards

Farrukh
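Added example (my own code, not from this thread or from Cisco): a small Python poller that does what the answers above describe, pulling evIdsAlert events from the sensor's SDEE interface and re-emitting them to a generic syslog collector, which is the "push" the IPS itself does not offer. The SDEE URL and query parameters, the CIDEE element names and the sample XML are assumptions taken from the public SDEE/CIDEE specs and constructed here; check them against your sensor's real responses, and keep the polling interval modest for the same load reason given for SNMP traps.

```python
import base64
import socket
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

FACILITY = 16                                   # syslog local0
SEVERITY = {"high": 2, "medium": 4, "low": 5, "informational": 6}

# Constructed sample of an SDEE "get" response (placeholder namespace URI).
SAMPLE = """<sd:events xmlns:sd="urn:example:sdee">
 <sd:evIdsAlert eventId="1" severity="high">
  <sd:originator><sd:hostId>idsm-2</sd:hostId></sd:originator>
  <sd:signature id="2004" description="ICMP Echo Request"/>
  <sd:participants><sd:attacker><sd:addr>10.1.1.5</sd:addr></sd:attacker>
   <sd:target><sd:addr>10.2.2.7</sd:addr></sd:target></sd:participants>
 </sd:evIdsAlert></sd:events>"""


def alerts_to_syslog(xml_text):
    """Convert every evIdsAlert in an SDEE response into an RFC 3164-style line."""
    lines = []
    for ev in ET.fromstring(xml_text).iterfind(".//{*}evIdsAlert"):  # any ns
        sev = ev.get("severity", "informational").lower()
        sig = ev.find("{*}signature")               # may be absent: keep going
        sig_id = sig.get("id", "?") if sig is not None else "?"
        desc = sig.get("description", "?") if sig is not None else "?"
        host = ev.findtext("{*}originator/{*}hostId", default="unknown")
        src = ev.findtext(".//{*}attacker/{*}addr", default="?")
        dst = ev.findtext(".//{*}target/{*}addr", default="?")
        pri = FACILITY * 8 + SEVERITY.get(sev, 6)  # unknown level -> info
        lines.append(f'<{pri}>{host} ips: sig={sig_id} desc="{desc}" sev={sev} src={src} dst={dst}')
    return lines


def sdee_pull(sensor, user, password, sub_id=None, max_events=100):
    """One SDEE round trip (assumed parameters): open a subscription, or get events."""
    params = {"action": "open", "events": "evIdsAlert", "force": "yes"}
    if sub_id:  # existing subscription: fetch the next batch of events
        params = {"action": "get", "subscriptionId": sub_id, "maxNbrOfEvents": max_events, "timeout": 30}
    url = f"https://{sensor}/cgi-bin/sdee-server?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url)  # sensor cert must be trusted by this host
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=60) as resp:
        xml_text = resp.read().decode()
    new_id = ET.fromstring(xml_text).findtext(".//{*}subscriptionId")
    return (new_id or sub_id), xml_text


def send_syslog(lines, collector, port=514):  # push to any syslog host over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (collector, port))
```

A loop of `sub_id, xml = sdee_pull(...)` followed by `send_syslog(alerts_to_syslog(xml), "collector")` turns the pull model into a push to whatever log server you already run.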
