AIP-SSM 20 Logging

Unanswered Question
May 23rd, 2010

Hi,


Just finished researching options concerning the AIP-SSM 20 module and am now at a dead end.  I understand that there is no option for syslog or email alerts.  SNMP apparently is only for critical device-related alerts.  The thing is, I am desperate to find a way to forward the logs from the IPS, which I can view via the ASDM Event Viewer, to a central log server.  Is this possible via some scripting or a third-party application?


Thanks.

Scott Fringer Mon, 05/24/2010 - 05:56

Cisco's IPS sensors support event retrieval via the Security Device Event Exchange (SDEE) protocol.  There are several products that support this protocol (Cisco IPS Manager Express [IME] is a free option, CS-MARS, and other third-party solutions).  IME and CS-MARS can be configured to generate email alerts for signature events.


You can enable the sensor to generate an SNMP trap for specific signatures, but do understand that the detail in trap-based signature events is less than that provided via SDEE.  You need to enable the sensor to generate detailed traps for alerts, and then assign the 'Request SNMP Trap' action to the signatures of interest (or assign it to a range of risk ratings via an event action override (EAO)).  This option is not recommended as an action to be assigned to all signatures on the sensor.


Scott

ericb_summit Tue, 05/25/2010 - 14:41

Hi Scott,


While on this topic, we've hacked together something that does a half-decent job of polling events from the IDS through SDEE in query mode.  So we hit the IDS every 15 seconds and ask for the events since the last event.  Then we log these events and fire off suitable alerts as needed.  This is all fine; however, the "events retrieval" flag in the sensor health metrics is always critical, as if we had never retrieved the events.  So, I realize I can turn that sensor health metric off, but the question is, why doesn't it mark the events as read?


Also, how can I get a copy of the SDEE Specification as mentioned in the Reference documents of this note:


http://www.cisco.com/en/US/docs/security/ips/specs/CIDEE_Specification.htm


It says "available upon request".  Well, I'm requesting.


Regards,


Eric

Scott Fringer Wed, 05/26/2010 - 03:43

Eric;


The SDEE server metric is looking for retrieval via a subscription.  Query mode does not provide this connection, and hence the metric does not get reset.


Scott
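
Added example (not code from any poster in this thread, and not Cisco's SDEE client): a minimal SDEE consumer that does what Scott's first reply describes (pull evIdsAlert events off the sensor) in the subscription mode his last reply says the health metric requires (open once, long-poll with get, close on exit) instead of Eric's stateless query loop, and turns each alert into a syslog line for a central log server. Assumptions, since I am writing from memory of the CIDEE layout rather than from the specification: the CGI path /cgi-bin/sdee-server, the parameter names action/events/force/subscriptionId/maxNbrOfEvents/timeout, where the subscriptionId appears in the open response, and the element names under evIdsAlert. The sample response is constructed, the namespace URIs are placeholders, and the parser matches on local names so it does not depend on the exact URIs a sensor emits.

```python
import base64
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterator, List, Optional

SDEE_PATH = "/cgi-bin/sdee-server"  # assumed path of the sensor's SDEE CGI
SYSLOG_SEV = {"high": 2, "medium": 4, "low": 5, "informational": 6}


def local(tag: str) -> str:
    """Drop the XML namespace so matching survives whatever sd:/cid: URIs the sensor emits."""
    return tag.rsplit("}", 1)[-1]


def find_local(elem: Optional[ET.Element], name: str) -> Optional[ET.Element]:
    """First node (elem itself included) whose local name is `name`, else None."""
    return next((n for n in elem.iter() if local(n.tag) == name), None) if elem is not None else None


def text_of(elem: Optional[ET.Element], name: str, default: str = "") -> str:
    node = find_local(elem, name)
    return (node.text or default).strip() if node is not None else default


def sdee_url(sensor: str, action: str, **params) -> str:
    """open/get/close form subscription mode (what the sensor's event-retrieval
    health metric watches); query is the stateless mode that never resets it."""
    return f"https://{sensor}{SDEE_PATH}?" + urllib.parse.urlencode({"action": action, **params})


def parse_alerts(body: bytes) -> List[Dict[str, str]]:
    """Flatten every evIdsAlert in one response; an empty <events/> yields []."""
    out = []
    for ev in ET.fromstring(body).iter():
        if local(ev.tag) != "evIdsAlert":
            continue
        sig = find_local(ev, "signature")
        out.append({
            "eventId": ev.get("eventId", ""), "sev": ev.get("severity", "informational"),
            "sensor": text_of(ev, "hostId", "?"), "rr": text_of(ev, "riskRatingValue", "0"),
            "sigId": sig.get("id", "?") if sig is not None else "?",
            "desc": sig.get("description", "") if sig is not None else "",
            "src": text_of(find_local(ev, "attacker"), "addr", "?"),
            "dst": text_of(find_local(ev, "target"), "addr", "?"),
            "dport": text_of(find_local(ev, "target"), "port", "0"),
        })
    return out


def to_syslog_line(a: Dict[str, str], facility: int = 16) -> str:
    """RFC 3164-style line; PRI = facility*8 + severity, 16 = local0."""
    pri = facility * 8 + SYSLOG_SEV.get(a["sev"], 6)
    return (f"<{pri}>ips-sdee sensor={a['sensor']} eventId={a['eventId']} sigId={a['sigId']} "
            f"sev={a['sev']} rr={a['rr']} src={a['src']} dst={a['dst']}:{a['dport']} desc=\"{a['desc']}\"")


def run_subscription(sensor: str, fetch: Callable[[str], bytes], max_events: int = 50,
                     timeout: int = 15, rounds: Optional[int] = None) -> Iterator[Dict[str, str]]:
    """Open once, long-poll with get, always close; a held subscription is what
    clears the sensor's events-retrieval metric, a query loop is not."""
    opened = ET.fromstring(fetch(sdee_url(sensor, "open", events="evIdsAlert", force="yes")))
    sub_id = opened.get("subscriptionId") or text_of(opened, "subscriptionId")  # placement assumed
    if not sub_id:
        raise RuntimeError("sensor returned no subscriptionId")
    try:
        done = 0
        while rounds is None or done < rounds:
            done += 1
            yield from parse_alerts(fetch(sdee_url(sensor, "get", subscriptionId=sub_id,
                                                   maxNbrOfEvents=max_events, timeout=timeout)))
    finally:
        fetch(sdee_url(sensor, "close", subscriptionId=sub_id))


def https_basic_fetch(user: str, password: str, ca_file: str) -> Callable[[str], bytes]:
    """Fetcher for a real sensor: basic auth over HTTPS with the sensor's own
    certificate pinned via ca_file rather than verification switched off."""
    ctx = ssl.create_default_context(cafile=ca_file)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(url: str) -> bytes:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return resp.read()
    return fetch


# Constructed sample, not a sensor capture: element names follow the CIDEE layout as
# I recall it, namespace URIs are placeholders, addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = b"""<sd:events xmlns:sd="urn:placeholder:sdee" xmlns:cid="urn:placeholder:cidee">
 <sd:evIdsAlert eventId="1001" severity="high">
  <sd:originator><sd:hostId>aip-ssm-20</sd:hostId></sd:originator>
  <sd:signature id="12345" subSigId="0" description="Constructed example signature"/>
  <cid:riskRatingValue targetValueRating="medium">85</cid:riskRatingValue>
  <sd:participants><sd:attacker><sd:addr>198.51.100.7</sd:addr></sd:attacker>
   <sd:target><sd:addr>192.0.2.10</sd:addr><sd:port>80</sd:port></sd:target></sd:participants>
 </sd:evIdsAlert>
 <sd:evIdsAlert eventId="1002" severity="low">
  <sd:originator><sd:hostId>aip-ssm-20</sd:hostId></sd:originator>
  <sd:signature id="23456" subSigId="1" description="Second constructed signature"/>
  <cid:riskRatingValue>30</cid:riskRatingValue>
  <sd:participants><sd:attacker><sd:addr>203.0.113.9</sd:addr></sd:attacker>
   <sd:target><sd:addr>192.0.2.11</sd:addr><sd:port>445</sd:port></sd:target></sd:participants>
 </sd:evIdsAlert>
</sd:events>"""


def make_fake_sensor():
    """Offline stand-in for a sensor: answers open, hands out SAMPLE_EVENTS once, then nothing."""
    calls: List[str] = []

    def fetch(url: str) -> bytes:
        calls.append(url)
        action = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["action"][0]
        if action == "open":
            return b'<sd:oobe xmlns:sd="urn:placeholder:sdee"><sd:subscriptionId>sub-1-42</sd:subscriptionId></sd:oobe>'
        if action == "get" and len(calls) == 2:
            return SAMPLE_EVENTS
        return b'<sd:events xmlns:sd="urn:placeholder:sdee"/>'
    return fetch, calls


if __name__ == "__main__":
    fake, log = make_fake_sensor()
    for alert in run_subscription("10.0.0.5", fake, rounds=2):
        print(to_syslog_line(alert))
    print(len(log), "requests; last:", log[-1])
```

Against a real sensor, replace the fake fetcher with `https_basic_fetch(user, password, ca_file)` using a dedicated viewer-role sensor account, and forward each line from `to_syslog_line` to the collector (UDP/514 or, better, TLS syslog). The `finally` matters: if the process dies without `close`, the sensor keeps the old subscription until it expires, which is why `force=yes` is passed on `open`. Nothing here marks events "read" in query mode; only the held subscription satisfies the metric Scott describes.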
