IDS events routing to Syslog server

shabiersayed · ‎02-11-2006

Hi,

I have cisco IDS (4235, 4250) and i want to route all events (false positives or what ever) to my syslog server (Kiwi's). could anybody help me how to configure?

Regards,

Shabbir

wsulym · ‎02-12-2006

The cisco IDS/IPS sensor appliances do not support sending alerts via syslog.The alerts can be obtained via and RDEP/SDEE client depending on what version of sensor software you run, we also support sending alerts via snmp in later versions. See the following link for snmp:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids12/idmguide/dmsnmp.htm

shabiersayed · ‎02-12-2006

Hi,

Thank you very much. Actually I have NetIQ Security Manager, where i used to manage all events. Now i need to manage IDS messages to be logged centrally to a Syslog Server and from where my NetIQ agent will pickup events and forward to Security event manager. I appreciate if you can help me out how should i go further.??

Regards,

wsulym · ‎02-12-2006

I'm not very familiar with NetIQ ... so I looked on their website briefly, it appears that they support Cisco IDS sensors, but only version 4.x via some sort of agent. I also found on the FAQ for Security Manager that if there is no explicit support for the device, as long as the device sends its logs and security event data to SNMP, syslog, an ASCII text file, Windows Event log, or can be monitored through WMI (don't know what that is), the device can still be monitored by the NetIQ software.

Since the ver 5.x sensor can send SNMP traps for event data (link from my earlier post), the rest seems to be NetIQ related and is probably better addressed by their tech support, or maybe someone else on the forum has done this and can provide insight.