Security Monitoring - Connections

Unanswered Question
gfullage Mon, 09/26/2005 - 19:54
User Badges:
  • Cisco Employee,

Connection states for sensors are written into a table in the database by the receiver collector object (the IDS_Receiver daemon). That status is then what is presented in this web page. This means that if the receiver thread hangs or is not currently running, whatever state was last written to the database table will be displayed. Check your IDS_Receiver process on the server to make sure it is still running. Also keep in mind that this web page is static, so the status of any particular sensor won't change unless you refresh the page.

As for what the Paused state means precisely:

Means that the collector for this device is waiting for the system to clear a large backload of data that is waiting to be inserted into the database. This can occur if the rate of flow of events overwhelms the receiver and usually indicates that the database has grown too large (more than 2 million IDS or Syslog events) or the system is very busy (servicing event viewer, generating reports, pruning, etc.). It usually takes several minutes (fifteen or more) for the system to recover to the point where it can begin collecting events again.


This Discussion