New Member

Cisco IPS 4200 Log Fields

Hi,

Could anyone please tell me where I can find information about the fields in the logs for the IPS 4200? In what sequence do they appear in the log files, and what does each field signify?

Basically, I need the layout of the log file for the IPS logs. e.g. a sample layout would be something like this:

[timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]

Thanks.

Regards,

Pratik

3 REPLIES
Gold

Re: Cisco IPS 4200 Log Fields

Pratik -

There are two ways of getting event messages out of a sensor. The standard is SDEE, which is just XML that you can look inside to see the tags on each field. They like to call it "self documenting". The second (and more difficult because it requires you to tune each active signature) is syslog.

Which log format are you looking for?

New Member

Re: Cisco IPS 4200 Log Fields

Thanks, rhermes.

I am more interested in the fields that are in the logs and not the actual format of the log.

I am trying to find out what information is available in the logs, e.g. attacker IP, victim IP, signature ID, etc.

The format of the logs (SDEE/syslog) doesn't matter.

In total, how many fields are there for each log entry, and what does each field mean?

I am really sorry if this sounds silly, but I am new to IPS and couldn't get the info I wanted on the Cisco site.

Please let me know if anyone could share this info with me. It would be really helpful to me.

Thanks.

Regards,

Pratik

Gold

Re: Cisco IPS 4200 Log Fields

Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4, I don't see Risk Rating). Each time a new major version of software is released, new features are added and (if reportable) they show up as new fields in the SDEE messages.

(The XML element tags did not survive being pasted into the post; only the element values remain, in their original order:)

testsensor4250XL
sensorApp
440
Sdee
10.1.1.119
10.1.1.119
0
1
R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
11.1.1.2
60556
61.1.1.76
80
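Since rhermes's two replies describe SDEE as self-documenting XML and show (tag-less) one alert, here is an added example, my own code and not from the thread or from Cisco, of a Python parser that flattens an SDEE evIdsAlert into the fields Pratik asked for (timestamp, signature ID, vendor, description, attacker and victim IP, risk rating). The element layout, the namespace URIs and the nanosecond time encoding follow the Cisco IPS 5.x/6.x SDEE format as I recall it and are assumptions to verify against a real sensor; the sample alert and every value in it are constructed for this example. It goes slightly beyond the thread: it also walks a whole SDEE response envelope holding several alerts, and it handles the two edge cases rhermes hints at, an older sensor that sends no riskRatingValue and a base64 context field that does not decode cleanly.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SDEE/IDIOM namespaces as recalled from Cisco IPS 5.x/6.x docs (assumption).
NS = {
    "sd": "http://example.com/2003/08/sdee",
    "cid": "http://www.cisco.com/cids/2004/04/cidee",
}
EVIDS_ALERT = "{%s}evIdsAlert" % NS["sd"]

# Constructed attacker request; it is base64-encoded into the context element below.
SAMPLE_REQUEST = b"GET /oss/survey.asp?numdays=5+3 HTTP/1.0"
SAMPLE_CONTEXT_B64 = base64.b64encode(SAMPLE_REQUEST).decode("ascii")

# Constructed evIdsAlert: the element layout follows the SDEE format, every value is invented.
SAMPLE_ALERT = """<sd:evIdsAlert xmlns:sd="http://example.com/2003/08/sdee"
    xmlns:cid="http://www.cisco.com/cids/2004/04/cidee"
    eventId="1118257463015565" severity="medium" vendor="Cisco">
  <sd:originator>
    <sd:hostId>testsensor4250XL</sd:hostId>
    <cid:appName>sensorApp</cid:appName>
    <cid:appInstanceId>440</cid:appInstanceId>
  </sd:originator>
  <sd:time offset="0" timeZone="UTC">1118762867123456789</sd:time>
  <sd:signature id="5081" version="S100" description="Example HTTP signature">
    <cid:subsigId>0</cid:subsigId>
  </sd:signature>
  <sd:participants>
    <sd:attacker><sd:addr locality="OUT">11.1.1.2</sd:addr><sd:port>60556</sd:port></sd:attacker>
    <sd:target><sd:addr locality="IN">61.1.1.76</sd:addr><sd:port>80</sd:port></sd:target>
  </sd:participants>
  <cid:context><cid:fromAttacker>%s</cid:fromAttacker></cid:context>
  <cid:riskRatingValue targetValueRating="medium">85</cid:riskRatingValue>
  <cid:protocol>tcp</cid:protocol>
</sd:evIdsAlert>
""" % SAMPLE_CONTEXT_B64


def _text(el, path, default=None):
    """Stripped text of the first namespace-aware match of path, or default."""
    found = el.find(path, NS)
    return default if found is None or found.text is None else found.text.strip()


def _attr(el, path, name, default=None):
    found = el.find(path, NS)
    return found.get(name, default) if found is not None else default


def _decode_context(b64text):
    """Attacker-side context bytes, or None if the field is absent or not valid base64."""
    if not b64text:
        return None
    try:
        return base64.b64decode(b64text, validate=True)
    except binascii.Error:   # truncated/garbled capture: keep the alert, drop the payload
        return None


def parse_alert(alert):
    """Flatten one evIdsAlert element into a dict of the fields the thread asks about."""
    # sd:time is assumed to be nanoseconds since the epoch; split it to avoid float rounding.
    secs, nanos = divmod(int(_text(alert, "sd:time", "0")), 10**9)
    ts = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)
    rr = _text(alert, "cid:riskRatingValue")      # absent on sensors older than 5.x
    return {
        "event_id": alert.get("eventId"),
        "severity": alert.get("severity"),
        "vendor": alert.get("vendor"),
        "sensor": _text(alert, "sd:originator/sd:hostId"),
        "app": _text(alert, "sd:originator/cid:appName"),
        "timestamp": ts,
        "sig_id": _attr(alert, "sd:signature", "id"),
        "sig_version": _attr(alert, "sd:signature", "version"),
        "sig_desc": _attr(alert, "sd:signature", "description"),
        "subsig_id": _text(alert, "sd:signature/cid:subsigId"),
        "attacker_ip": _text(alert, "sd:participants/sd:attacker/sd:addr"),
        "attacker_port": _text(alert, "sd:participants/sd:attacker/sd:port"),
        "target_ip": _text(alert, "sd:participants/sd:target/sd:addr"),
        "target_port": _text(alert, "sd:participants/sd:target/sd:port"),
        "risk_rating": int(rr) if rr is not None else None,
        "protocol": _text(alert, "cid:protocol"),
        "attacker_payload": _decode_context(_text(alert, "cid:context/cid:fromAttacker")),
    }


def iter_alerts(xml_text):
    """Yield parsed alerts from a bare evIdsAlert or from a whole SDEE response envelope."""
    root = ET.fromstring(xml_text)           # iter() visits root itself, so both shapes work
    for el in root.iter(EVIDS_ALERT):
        yield parse_alert(el)


def to_layout_line(a):
    """Render one alert in the comma-separated layout sketched in the question."""
    rr = "" if a["risk_rating"] is None else a["risk_rating"]
    return ",".join(str(x) for x in (
        a["timestamp"].isoformat(), a["sig_id"], "%s %s" % (a["vendor"], a["sig_desc"]),
        a["attacker_ip"], a["target_ip"], rr))


if __name__ == "__main__":
    for alert in iter_alerts(SAMPLE_ALERT):
        print(to_layout_line(alert))
        print("decoded attacker context:", alert["attacker_payload"])
```

The field names in the dict are the ones a SIEM mapping usually wants; the SDEE tags themselves are the authoritative list, so diff a real alert from your sensor against `SAMPLE_ALERT` before trusting the paths. The stdlib parser is used here for brevity; if the XML comes from anything less trusted than your own sensor over its management channel, parse it with defusedxml instead.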