Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1599
Views
4
Helpful
3
Replies

AIP-SSM 20 Logging

marcusbrutus
Level 1
Level 1

‎05-23-2010 11:08 PM - edited ‎03-10-2019 05:00 AM

Hi,

Just finished researching on options concerning the aip-ssm 20 module and am now at a dead end.  I understand that there is no option for syslog, email alerts.  SNMP apparently is only for critical-device related alerts.  The thing is i am desperate to find a way to forward logs from the ips which i can view via asdm event viewer to a central log server.  Is this possible via some scripting or third party application?

Thanks.

Labels:
0 Helpful
3 Replies 3

Scott Fringer
Cisco Employee
Cisco Employee

‎05-24-2010 05:56 AM

Cisco's IPS sensors support event retrieval via the Security Device Event Excahnge (SDEE) protocol.  There are several products that support this protocol (Cisco IPS Manager Express [IME] is a free option, CS-MARS, and other 3d party solutions).  IME and CS-MARS can be configured to generate email alerts for signature events.

You can enable the sensor to generate a SNMP trap for specific signatures, but do understand that details in trap-based signature events is less than that provided via SDEE.  You need to enable the sensor to generate detailed traps for alerts, and then assign the 'Request SNMP Trap' action to the signatures of interest (or assign to a range of risk ratings via an event action override (EAO)).  This option is not recommended as an action to be assigned to all signatures on the sensor.

Scott

ericb_summit
Level 1
Level 1
In response to Scott Fringer

‎05-25-2010 02:41 PM

Hi Scott,

While on this topic, we've hacked together something that does a half decent job of polling events from the IDS through SDEE in query mode.  So we hit the IDS every 15 seconds and ask for the events since the last event.  Then, we log these events and fire off suitable alerts as needed.  This is all fine, however, the "events retrieval"  flag in the sensor health metrics is always critical as if we had never retrieved the events.  So, I realize I can turn that sensor health metric off, but the question is, why doesn't it mark the events as read?

Also, how can I get a copy of the SDEE Specification as mentioned in the Reference documents of this note:

http://www.cisco.com/en/US/docs/security/ips/specs/CIDEE_Specification.htm

It says "available upon request".  Well, I'm requesting

Regards,

Eric

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to ericb_summit

‎05-26-2010 03:43 AM

Eric;

  The SDEE server metric is looking for retrieval via a subscription.  Query mode does not provide this connection, and hence the metric does not get reset.

Scott

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card