Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1071
Views
0
Helpful
6
Replies

Event Retrieval Issue

Go to solution
c1szhibin
Level 1
Level 1

‎06-01-2015 07:17 PM - edited ‎03-10-2019 06:23 AM

I noticed that the sensor health on IPS showing "Critical".

And I clicked for the details, it showed the event retrieval is critical and not retrieved now. I don't know what does that mean.

Can anyone tell me what causes this information and how to fix it?

 

Labels:
Preview file
31 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to c1szhibin

‎06-15-2015 04:13 AM

Hi,

In that case, this Event Retrieval can be ignored as mentioned in the last Reply. You need IME to pull Events.  It is not causing any issue.

 

 As we know IDM cannot pull events from the IPS/AIP directly and we will need IME for that, so if the events were not polled for an amount of time (default of 300 for yellow status) and (default of 600 sec for RED), the event status will change colors.

So it's either Event Retrieval is enabled and the IME is not installed, hence no events are being polled, then this error can be ignored and the event polling can be disabled safely (un-check the Event Retrieval checkbox), OR the IME is not operating as it should and there might be communication issue between the device and the IME.

 

Please let me know if you have any further query on this. If this answers your query, I would request you to select the appropriate response as the solution for this thread.

Regards.

Akshay Rastogi

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee

‎06-02-2015 07:49 PM

Hi,

Event Critical : Lets you set a threshold for when the last event was retrieved and whether this metric is applied to the overall sensor health rating.

http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/idm/idmguide7/idm_sensor_management.html#wpxref98287

This health parameter allows us to set a threshold for when the last event was retrieved from the sensor. The health status is degraded to yellow or red depending on the time interval that has been configured for corresponding thresholds. The range of threshold is 0 to 4294967295 seconds.

 

Check the show tech from the IPS/AIP and search for “Health Status for the Time Since Last Event Retrieval”, it should be showing RED as well. As we know IDM cannot pull events from the IPS/AIP directly and we will need IME for that, so if the events were not polled for an amount of time (default of 300 for yellow status) and (default of 600 sec for RED), the event status will change colors.

So it's either Event Retrieval is enabled and the IME is not installed, hence no events are being polled, then this error can be ignored and the event polling can be disabled safely (un-check the Event Retrieval checkbox), OR the IME is not operating as it should and there might be communication issue between the device and the IME.

 

Or if it is giving a certificate error or something check 'show version and see if the Host certificate has expired(mentioned at last of show version). If yes, then run the command 'tls generate-key'.

 

Please let me know if you have any query on this.

Regards,

Akshay Rastogi

0 Helpful

Go to solution
c1szhibin
Level 1
Level 1
In response to Akshay Rastogi

‎06-11-2015 12:27 AM

After I run the command "tls generate-key" , the notification still exists.

0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to c1szhibin

‎06-11-2015 01:14 AM

Hi,

Are are getting this Critical on IDM or IME? as i have mentioned in the last reply that the IDM would show this Event as Critical as it does not pull Events from IPS directly and it need IME to do so.

Regards,

Akshay Rastogi

0 Helpful

Go to solution
c1szhibin
Level 1
Level 1
In response to Akshay Rastogi

‎06-14-2015 10:41 PM

I think it's on IDM. There is only one IPS running.
0 Helpful

Go to solution
Akshay Rastogi
Cisco Employee
Cisco Employee
In response to c1szhibin

‎06-15-2015 04:13 AM

Hi,

In that case, this Event Retrieval can be ignored as mentioned in the last Reply. You need IME to pull Events.  It is not causing any issue.

 

 As we know IDM cannot pull events from the IPS/AIP directly and we will need IME for that, so if the events were not polled for an amount of time (default of 300 for yellow status) and (default of 600 sec for RED), the event status will change colors.

So it's either Event Retrieval is enabled and the IME is not installed, hence no events are being polled, then this error can be ignored and the event polling can be disabled safely (un-check the Event Retrieval checkbox), OR the IME is not operating as it should and there might be communication issue between the device and the IME.

 

Please let me know if you have any further query on this. If this answers your query, I would request you to select the appropriate response as the solution for this thread.

Regards.

Akshay Rastogi

0 Helpful

Go to solution
c1szhibin
Level 1
Level 1
In response to Akshay Rastogi

‎06-29-2015 01:50 AM

Thank you for ur kindness. After what u said, the following is my solution.

Configuration -> IPS -> Sensor Management -> Sensor Health

no tick the box of “Event Retreval”

 

Preview file
39 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card