Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

cisco ips logging options (SDEE, IME, Archiving)

Based on the following post, cisco IPS' can send basic syslog messages:

Does anyone know which messages are sent via syslog?

Also, I understand the Cisco IME can be used to retrieve SDEE logs. I understand it can archive files. I need to make sure the logs are archived, and kept for at least a year. My concern for Cisco IME is that I won't know if the IME application fails or not. I believe it needs to be running in order for it to retrieve the SDEE logs.

Also, if the max number of archived files ever hits, is it possible to move old files to another folder? And then move those files back when they need to be viewed in the IME?

I am also hitting a deadend when it comes to finding alternatives for logging SDEE events. Splunk used to have a tool that could do this. But it is now deprecated. Anyone aware of any good SDEE retrival tools?

Any suggestions are appreciated

Everyone's tags (1)
New Member

I'm using Log Rhythm via SDEE

I'm using Log Rhythm via SDEE to retreive and store all the IPS events and it works great. Pretty easy to integrate and setup alerts and such.

I would imagine Splunk still supports it, probably just has to be done another way or something. I can't imagine how big an install base Splunk has and not support SDEE any more.

New Member

Thanks Seth. Have you ever

Thanks Seth. Have you ever tried just using the Cisco IME?

New Member

Sorry but I haven't ever used

Sorry but I haven't ever used IME for logging purposes. We have compliance requirements that have set timelines for archives and whatnot, so it's easier to manage it with our other logs.

Hall of Fame Super Silver

There are very few IPS

There are very few IPS-related syslog messages generated -  primarily health of the overall sensor device or platform. Anything useful as far as actual IPS intrusion events, attempts etc. will only be available on the legacy Cisco IPS platforms via SDEE.

Cisco IME (free, limited number of managed devices, runs on a PC without any real archiving etc.) is the least cost option to retrieve and display the events.

Stepping up in the Cisco offerings would be to use Cisco Security Manager. It does archiving, hierarchical storage etc. However it's days are numbered as Cisco revamps both  the IPS and traditional ASA features to account for both their development of CX-related products (including IPS) and the SourceFire product line. I don't now that I'd recommend CSM for a new buy.

If you have existing Cisco IPS and really need to archive the SDEE-retrieved events, then you could use LogRhythm or such as noted in the earlier reply.

CreatePlease login to create content