Cisco Support Community


IDSM2 logging

Is it possible to send events from the IDSM2 to two different aggregation points simultaneously? Say, for instance, Cisco MARS and some other SIEM.

4 REPLIES

Re: IDSM2 logging

Yes, you can use MARS or IME (any combination) to both simultaneously pull alerts using SDEE from the sensor.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

Re: IDSM2 logging

MARS and IME both use the 'pull' event architecture to retrieve events from IPS devices, and as already answered, both can 'pull' events from the same IPS device simultaneously without any issues (except the performance lag). IME will store events in its MSDE database and MARS has its own Oracle database (which can be archived using UNIX NFS). IME is limited to 10 sensors though.

Regards

Farrukh
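To make the 'pull' architecture in the answer above concrete, here is an added Python model (constructed for this thread, not code from the post, from Cisco, or from MARS/IME). It is a toy stand-in for an SDEE server: the sensor keeps an event log, and every collector opens its own subscription, which is just an independent cursor into that log. The `Sensor`/`Collector` classes, method names and sample alert values are all hypothetical; the point it shows is that two collectors polling the same sensor at different batch sizes each receive every event, while a collector that subscribes later only sees events recorded after its subscription was opened (that starting point is this model's assumption, not a statement about the real SDEE service).

```python
"""Toy model of SDEE-style 'pull' event delivery with several independent collectors."""
from dataclasses import dataclass
from itertools import count


@dataclass
class Alert:
    """Minimal stand-in for an IPS alert record (hypothetical fields)."""
    event_id: int
    sig_id: int
    severity: str
    attacker: str
    target: str


class Sensor:
    """Hypothetical stand-in for the IPS SDEE server: an event log plus per-subscriber cursors."""

    def __init__(self):
        self._log = []          # all alerts the sensor has produced, in order
        self._subs = {}         # subscription id -> index of the next unread event
        self._sub_ids = count(1)

    def record(self, alert):
        """The sensor fires an alert and appends it to its log."""
        self._log.append(alert)

    def open_subscription(self):
        """Each collector gets its own cursor; it starts at the current end of the log
        (model assumption: a new subscriber does not receive historical events)."""
        sub_id = f"sub-{next(self._sub_ids)}"
        self._subs[sub_id] = len(self._log)
        return sub_id

    def get_events(self, sub_id, max_events):
        """Return up to max_events unread alerts for this subscription and advance its cursor.
        Other subscriptions are untouched, so collectors never steal events from each other."""
        cursor = self._subs[sub_id]
        batch = self._log[cursor:cursor + max_events]
        self._subs[sub_id] = cursor + len(batch)
        return batch

    def close_subscription(self, sub_id):
        del self._subs[sub_id]

    def open_count(self):
        return len(self._subs)


class Collector:
    """A MARS-, IME- or generic-SIEM-like client that polls the sensor at its own pace."""

    def __init__(self, name, sensor, max_events=2):
        self.name = name
        self.sensor = sensor
        self.max_events = max_events
        self.sub_id = sensor.open_subscription()
        self.received = []

    def poll(self):
        """One pull request; returns how many alerts arrived in this batch."""
        batch = self.sensor.get_events(self.sub_id, self.max_events)
        self.received.extend(batch)
        return len(batch)

    def drain(self):
        """Keep polling until the sensor has nothing new; return the ids seen, in order."""
        while self.poll():
            pass
        return [a.event_id for a in self.received]


def demo():
    """Two early collectors plus one late subscriber against one sensor (constructed sample data)."""
    sensor = Sensor()
    mars = Collector("MARS", sensor, max_events=2)
    siem = Collector("other-SIEM", sensor, max_events=3)
    for eid in range(1, 4):                       # alerts 1..3 fire while both are subscribed
        sensor.record(Alert(eid, 1000 + eid, "medium", "192.0.2.10", "198.51.100.5"))
    late = Collector("late-SIEM", sensor)         # subscribes after alerts 1..3 already happened
    for eid in range(4, 6):                       # alerts 4..5 fire with all three subscribed
        sensor.record(Alert(eid, 1000 + eid, "high", "192.0.2.11", "198.51.100.6"))
    result = {
        "mars": mars.drain(),
        "siem": siem.drain(),
        "late": late.drain(),
        "open_subscriptions": sensor.open_count(),
    }
    sensor.close_subscription(late.sub_id)
    result["after_close"] = sensor.open_count()
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model also shows why the reply above mentions a performance cost: every subscription is state the sensor has to keep and serve, so each extra collector is another client the sensor must answer on every poll.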


Re: IDSM2 logging

OK, so do I understand correctly that there is no way to have IDSM send its logs out to a generic log server? I understand SDEE and the "pulling" of events from IDSM. Is there no way to have IDSM push? Maybe via syslog rather than SDEE?

Re: IDSM2 logging

You are correct, the IPS does not support syslog reporting. You can enable SNMP traps on a per-signature basis though. But one has to be careful not to overwhelm the IPS CPU/memory resources in doing so.

Regards


Farrukh
