MARS and IME both use the 'pull' event architecture to retrive events from IPS devices, and as already answered both can 'pull' events from the same IPS device simultaneously without any issues (except the performance lag). IME will store events in its MSDE database and MARS has its own oracle database (which can be archived using unix NFS). IME is limited to 10 sensors tough.
Ok, so do I understand correctly that there is no way to have IDSM send its logs out to a generic log server? I undersatd SDEE and the "pulling" of events from IDSM. Is there no way to have IDSM push? Maybe via syslog rather than SDEE?
You are correct, the IPS does not support syslog reporting. You can enable SNMP traps on a per signature basis tough. But once has to be careful not to over whelm the IPS Cpu/memory resources in doing so.
Regards
Farrukh
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
