Cisco Support Community
New Member

Cisco IPS ASA SSM-10

I am using an ASA SSM-10 IPS. Currently it keeps logging alert events.

Where does the IPS keep all those event logs? In the disk space?

Where can I see how much space I have left?

Will it go down if the space is full?

1 ACCEPTED SOLUTION

Re: Cisco IPS ASA SSM-10

You don't need to clear it; it's CIRCULAR and will overwrite itself. More info can be found here:

http://www.cisco.com/en/US/docs/security/ips/6.0/configuration/guide/cli/cliArch.html#wp1010399

The command is 'clear events'

You cannot delete 'individual' events. It's all or none.

Yes, the best way is to tune the IPS for false positives by either editing/disabling unwanted signatures or using event action filters.

Regards

Farrukh

5 REPLIES
New Member

Re: Cisco IPS ASA SSM-10

Which one is the event logging report stored at?

If the disk is full, what will happen? Will the sensor overwrite or go down?

For example:

Using 475115328 out of 534229087 bytes of available memory (90% usage)

system is using 13.5M out of 22.0M bytes of available disk space (53% usage)

application-data is using 34.6M out of 168.9M bytes of available disk space (22% usage)

boot is using 30.7M out of 64.5M bytes of available disk space (55% usage)

application-log is using 489.4M out of 3.0G bytes of available disk space (18% usage)

Re: Cisco IPS ASA SSM-10

This is from the post I linked earlier, and you don't have to worry: the sensor will definitely not go 'down'. The event-log data structure is circular and is overwritten every time it is full.

"The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a *circular* eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application (like IEV, IME, etc.) that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events."

I'm assuming, since the event-store is only 30 MB, it's a 'part' of one of the following partitions:

application-data OR application-log

Most probably the first one.

Regards

Farrukh
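
To make the wrap-time concern in the quote above concrete, here is an added example (not from the thread or from Cisco) that models a fixed-size circular store polled by a remote monitor and counts events overwritten before they were pulled. Only the 30 MB fixed size comes from the quote; the 2048-byte event size, the event rates and the 30-minute poll interval are assumptions for illustration.

```python
from collections import deque

STORE_BYTES = 30 * 1024 * 1024   # fixed eventStore size from the quote (taken as MiB)
EVENT_BYTES = 2048               # assumed average event size, for illustration only


class CircularEventStore:
    """Fixed-capacity store: the oldest events are overwritten when full."""

    def __init__(self, capacity=STORE_BYTES):
        self.capacity, self.used, self.next_id = capacity, 0, 0
        self.events = deque()            # (event_id, size), oldest first

    def write(self, size):
        while self.events and self.used + size > self.capacity:
            self.used -= self.events.popleft()[1]   # wrap: drop the oldest
        self.events.append((self.next_id, size))
        self.used += size
        self.next_id += 1

    def read_after(self, last_id):
        """IDs of events newer than last_id that are still in the store."""
        return [eid for eid, _ in self.events if eid > last_id]


def simulate(events_per_min, poll_every_min, minutes):
    """Return (wrap_minutes, generated, collected, lost) for a polling monitor."""
    store, last_seen, collected = CircularEventStore(), -1, 0
    for minute in range(1, minutes + 1):
        for _ in range(events_per_min):
            store.write(EVENT_BYTES)
        if minute % poll_every_min == 0:     # remote monitor pulls new events
            new = store.read_after(last_seen)
            collected += len(new)
            last_seen = new[-1] if new else last_seen
    pending = len(store.read_after(last_seen))   # still waiting, not lost
    lost = store.next_id - collected - pending   # overwritten before any poll
    wrap_minutes = STORE_BYTES / (events_per_min * EVENT_BYTES)
    return wrap_minutes, store.next_id, collected, lost


if __name__ == "__main__":
    # Constructed scenarios: a tuned sensor and a noisy one, both polled every 30 min.
    for rate in (64, 1536):
        wrap, gen, got, lost = simulate(rate, poll_every_min=30, minutes=120)
        print(f"{rate}/min: wraps every {wrap:.0f} min, "
              f"generated={gen}, collected={got}, lost={lost}")
```

With these assumed numbers, the store that wraps every 4 hours loses nothing, while the one that wraps every 10 minutes loses two thirds of its events between polls.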

New Member

Re: Cisco IPS ASA SSM-10

By default, the event-store is only 30MB, is it? So I do not need to clear the event log data, since it will be overwritten?

What is the command to clear the event log data?

There is no way to configure the event-store setting, except to alarm only on meaningful events?

