IPS 4255 not logging

Answered Question
Sep 22nd, 2010

Hi ,


I have installed an IPS 4255 with version 7.0(2)E4 and am using IME 7.0.2.


I am not able to see the logs in IME (Event Monitoring), but when I access it by CLI (show events) I can see the logs.


I also tried to tune a signature for ICMP large packet to log and deny traffic (using deny packet inline and deny attacker inline), and pinged a server from inside to outside with a large packet. In this case, IME showed the logs but it did not deny the traffic.


Am I missing something here?


One more question: does the IPS at least log the traffic for IPs that are configured under "never block IP addresses"?


Please, I need some help.


Thank you and Regards,

George

Scott Fringer (Cisco Employee) Tue, 09/28/2010 - 03:37

George;


  Let me try to address your many questions in order:


You indicate not being able to see logs within IME, but you do see them on the IPS-4255's CLI:


  • does IME indicate the "Event Status" is connected?
  • when you added the IPS-4255 to IME, did you check any of the severity levels in the bottom section of the device properties?  If so, this instructs IME not to retrieve events of that severity.
  • are you able to see real-time events but not historical events within IME?


You indicate you attempted deny traffic using the "Deny Packet Inline" action:

  • is the IPS-4255 configured for inline operation?  Deny actions are only actionable when the IPS-4255 is configured for inline operation, not promiscuous operation.
  • if an event was logged to IME it should include any actions taken, or configured and not taken, in the event details.


  The IPS-4255 will only log traffic for signature events that are triggered; if a signature event triggers for a host that is included in the 'never block' list, it should be logged.


Scott

gaboughanem Tue, 09/28/2010 - 08:09

Hi Scott,

Thank you for your reply; I will answer the questions that you asked.

1- Yes, the Event Status shows connected.

2- In Event Monitoring, I have checked all 4 levels to be retrieved by IME.

3- I did not check for historical events, because logs are not being shown in IME Event Monitoring.

    Actually, I can see very few events in IME every few hours, but with IPv6 as source and destination. I don't know where they are coming from; the whole network is IPv4. On the CLI, though, I can see many, many events (using show events).

4- The IPS is configured as inline and promiscuous.


Sorry, but I did not understand the last sentence: "The IPS-4255 will only log traffic for signature events that are triggered, if the signature event triggers for a host that is included in the 'never block' list, it should be logged."


Do you mean that only events that are triggered are logged, and that if the IP address is in the "never block address" list the IPS will not log it, since it will not fire any signature for that IP address?



I am posting the configuration, if this helps.


Thank you in advance for your help.



Regards,

George

Correct Answer
Scott Fringer (Cisco Employee) Tue, 09/28/2010 - 08:26

George;


  1- OK, it's good that the event status is connected.


  2- By checking all four severities in the device properties you have instructed IME not to retrieve events of those four severities.  You need to uncheck those severities to allow IME to retrieve all event severities.  Please note, the text within IME is worded "Exclude alerts of the following severity level(s)".


  3- If there are no real-time events, you will likely not have historical events.


  4- As your sensor is configured for both inline and promiscuous operation, the deny actions will only take effect on signature events generated by the inline interface pair.  If the signature event is generated by the promiscuous interface, the deny action cannot be actioned.


  While your network may be completely IPv4, it is possible for systems running Windows and Mac OS X to have IPv6 enabled by default, and in turn generate this traffic on your network.


  If a signature event fires and has an action of 'Produce Alert' assigned, the IPS should log the activity regardless of whether the host is listed as do-not-block.


Scott

gaboughanem Tue, 10/05/2010 - 10:09

Hi Scott ,


I have unchecked the Informational severity to allow IME to retrieve all event severities. I don't know why I checked it in the first place, but the logs became visible in IME. I don't know why 98% of the firing signatures are informational. Maybe because the IPS is installed behind an ASA!


One more question, if it's not too much trouble: if I close IME, will the logs be lost? How long does the IPS keep the logs before it overwrites them with new ones?


Anyway thank you very much for your help.


Regards,

George

Scott Fringer (Cisco Employee) Tue, 10/05/2010 - 10:45

George;


  I'm glad you were able to get the event retrieval corrected, and are now seeing events within IME.


  In regard to your follow-on question: IME has two (2) services that run regardless of whether the GUI is running or not.  The two services are the 'Cisco IPS Manager Express Service' and the 'MySQL-IME' service.  The first service retrieves events from the sensor as long as the Windows host system has connectivity to the managed sensor.  The second service is the database service which maintains the IME event database.  IME defaults to saving 1,000,000,000 events per database file, with a default of 100 files (these values are configurable).


  The IPS sensor itself has a ~32 MB circular buffer which holds events locally; once full it will begin overwriting older events.  As long as the IME service is pulling events, this should not be an issue.


Scott
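The retention point in Scott's last reply (a ~32 MB circular buffer on the sensor that overwrites its oldest events, and a collector service that keeps pulling events while it has connectivity) comes down to whether the collector polls faster than the buffer wraps. The Python below is an added example written for this page; it is not Cisco code and not how the sensor or IME is implemented internally. It models a byte-capped ring buffer and a pull-based collector that remembers the last sequence number it fetched, and it counts events that were overwritten before they were ever pulled. The 32 MB capacity is the figure from the thread; the event size, event rate and poll interval are assumptions chosen for illustration.

```python
"""Added example: how a fixed-size circular event buffer on a sensor loses
events when the collector polls too slowly.

Model only, not Cisco's implementation. The 32 MB capacity is the figure
quoted in the thread; event size, event rate and poll interval are assumed.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass

SENSOR_BUFFER_BYTES = 32 * 1024 * 1024   # ~32 MB, as stated in the thread


@dataclass
class Event:
    seq: int    # monotonically increasing event id on the sensor
    size: int   # bytes this event occupies in the buffer


class CircularEventBuffer:
    """Byte-capped ring: when a new event does not fit, the oldest events
    are discarded until it does (the sensor keeps no copy of them)."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.used = 0
        self.events: deque[Event] = deque()
        self.overwritten = 0

    def append(self, ev: Event) -> None:
        if ev.size > self.capacity:
            raise ValueError("event larger than the whole buffer")
        while self.used + ev.size > self.capacity:
            old = self.events.popleft()
            self.used -= old.size
            self.overwritten += 1
        self.events.append(ev)
        self.used += ev.size


def seconds_until_wrap(capacity_bytes: int, event_bytes: int,
                       events_per_sec: int) -> int:
    """Whole seconds of sustained event flow before the oldest event is
    overwritten; the collector must poll at least this often."""
    return capacity_bytes // (event_bytes * events_per_sec)


def simulate(capacity_bytes: int, event_bytes: int, events_per_sec: int,
             poll_every_s: int, duration_s: int) -> dict:
    """Run the sensor/collector loop second by second.

    The collector is a pull-based consumer: it remembers the highest
    sequence number it has fetched and, on each poll, takes every newer
    event still present in the buffer. Sequence numbers between its cursor
    and the oldest event still in the buffer were overwritten before they
    could be fetched and are counted as lost.
    """
    buf = CircularEventBuffer(capacity_bytes)
    seq = 0       # last sequence number generated by the sensor
    cursor = 0    # highest sequence number the collector has fetched
    collected = lost = 0
    for second in range(1, duration_s + 1):
        for _ in range(events_per_sec):
            seq += 1
            buf.append(Event(seq, event_bytes))
        if second % poll_every_s == 0 and buf.events:
            oldest_present = buf.events[0].seq
            if oldest_present > cursor + 1:
                lost += oldest_present - cursor - 1
            collected += sum(1 for e in buf.events if e.seq > cursor)
            cursor = seq
    return {"generated": seq, "collected": collected,
            "lost": lost, "overwritten": buf.overwritten}


if __name__ == "__main__":
    # Assumed load: 1 KB per event at a sustained 50 events/s.
    wrap = seconds_until_wrap(SENSOR_BUFFER_BYTES, 1024, 50)
    print(f"buffer wraps after ~{wrap} s at 50 events/s of 1 KB")
    # Small deterministic runs: a 10-event buffer, 5 events/s, for 4 s.
    print("poll every 1 s:", simulate(1000, 100, 5, 1, 4))  # nothing lost
    print("poll every 4 s:", simulate(1000, 100, 5, 4, 4))  # half lost
```

The useful check is `seconds_until_wrap` against the collector's actual poll cadence and against any outage window: with the assumed 1 KB events at 50 per second the buffer wraps in roughly eleven minutes, so a collector host that is down longer than that loses events even though the sensor itself kept running.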
