
New Member

IPS 7.1 Event Analysis

Hi Folks,

Happy new year!

I'm trying to interface my IPS events with an external log analyzer.

This exercise (Log Management) has become vital as my SLA requires that IPS events (particularly those with a risk rating above 85) be documented and reported in <90 mins on a day-to-day basis.

Anyone with ideas?

Regards,

Daniel

Gold

Daniel -

Your two most common options for getting event data off your sensors are:

1. Get/build/buy a SIEM that will pull the events via the SDEE protocol.

2. Edit the action of the signatures in question (>85% RR) to generate an SNMP trap for the event.

For real analysis you will also want to grab a PCAP of both sides of the attack (so you can tell if it was successful or a false positive).

- Bob

New Member

Thanks Rhermes, nice one.

On your response, I have tried pulling events using Splunk; I seem to be getting errors integrating Splunk with the sensor. Is there a way around this, or are there other SIEMs (preferably open source) one can use to pull events via SDEE?

Regards.

Gold

I don't have any experience with Splunk and Cisco IPS, but there is a wiki for it, so I assume other people have it working: http://wiki.splunk.com/Set_up_Splunk_for_Cisco_IPS

I would imagine all commercial SEM vendors should support Cisco's implementation of SDEE; I have experience with Trustwave (formerly Intellitactics) and ArcSight.

How many sensors are you attempting to monitor? The free Cisco IME can pull events from up to 5 sensors.

- Bob

New Member

Hi rhermes,

I have since gotten Cisco IME 7.2.1. It's pretty great working with this interface. Thanks!

Daniel.
