I am not quite sure this is the good place to post this but let's try:
Consider that I have a switch (e.g. 4500) on which I configure a SPAN destination port connected to an IPS (e.g. 4260). This is quite a standard architecture.
My question will be very simple and concerns more the switch than the IPS: how do I detect (via SNMP or Syslog) that the SPAN port has been disabled by someone on connected on the switch?