I have recently installed Cisco IME so as to analyze the IPS events. The issue is that the events are not coming on IME at all. When I look from the sensor itself (via the "show events alert past 00:10" command) there are a huge number of events coming on the console itself but not on IME. Earlier they used to come perfectly. Also, there is no issue with the communication from the IME server to the sensor (Telnet on 443 is happening).
Please help me out in this regard.
There is no single IME which is giving the issue; it is happening with 2/3 of our customers having IPS. Some of them are having:
1) IPS - 4240 , Version 5.1(5)E1
2) ASA IPS 6.0(2)E1 ASA-SSM-10
Please help me in this regard.
In the Devices >> Device List >> Sensor Name
Under "Event Status", do you see "Connected" or "Not Connected"?
Did you try to right click on the Sensor(s) and do:
Starts >> Events Connection
Please note health monitoring and most other features are only supported for Version 6.1.x and not the versions you mentioned.
I have verified and the status for all the IME is connected. The Start -> Event connection is not highlighted and is blurred. Please tell me how to proceed.
Btw, I faced a similar issue with Four IDSM-2 of one of our customers, they were not showing any events yesterday. Today I came and opened IME and the events started coming. I changed nothing for sure.
You may have a look at Tools >> IME Console Window and see if you are getting any specific errors.
I have seen and observed that events come on the IME and suddenly one day they will stop coming and are stopped for the next few days, and then they start coming again. On the days when the events don't come, I have observed that the events do come on the sensor itself.
This kind of trend clearly says that it may happen due to a database issue. Please let me know until what time the database will store events. Is there any probability that the events coming on the sensor do not reach the IME machine (consider that port 443 is opened and the sensor is showing as connected)?
Had a similar issue. Took a look at the client-log file in the Program Files\Cisco Systems\Cisco IPS Manager Express\log folder. The last entries had an error about a crashed table. Repaired the mysql table from the command line and restarted IME. I can now see events in IME.
Quick way to do this.
Open up a command prompt on Windows
Change directory to the Cisco IME folder. (in my case, this was C:\Program Files\Cisco Systems\Cisco IPS Manager Express>)
Type the following commands:
more my.ini (look for the port value, in my case it was 47007)
cd MYSQL\bin (takes you to the directory containing the mysql executable)
mysqlcheck.exe -P 47007 --auto-repair alarmDB
You can change 47007 to whatever value you came up with in the my.ini file. The alarmDB database is where Cisco IME stores its data. The last command will run a check on all the tables in the database. If you know the particular table that's having issues, you can use:
mysqlcheck.exe -P 47007 --auto-repair alarmDB tablename
mysqlcheck.exe -P 47007 --auto-repair alarmDB event_table_1
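The steps above collected into one PowerShell script, as an added example that is not part of the original post. It reads the port from my.ini instead of hard-coding 47007 and only checks tables unless -Repair is given; -User is a hypothetical parameter, since the thread does not state which MySQL account IME uses.

```powershell
# Added example, not part of the original post. Default paths and names are the
# poster's; run without -Repair first to see which tables report errors.
#   .\Check-ImeDb.ps1                                  (check every table)
#   .\Check-ImeDb.ps1 -Repair -Table event_table_1     (repair one table)
param(
    [string]$ImeDir   = 'C:\Program Files\Cisco Systems\Cisco IPS Manager Express',
    [string]$Database = 'alarmDB',
    [string[]]$Table  = @(),   # empty = every table in the database
    [string]$User     = '',    # assumption: MySQL account name, only if one is needed
    [switch]$Repair            # without this switch tables are checked, not repaired
)

function Get-MySqlPort {
    param([string]$IniPath)
    # Walk my.ini and return the first port= value under [mysqld] or [client].
    $section = ''
    foreach ($line in Get-Content -LiteralPath $IniPath) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $section = $Matches[1].Trim(); continue }
        if ((@('mysqld', 'client') -contains $section) -and
            ($text -match '^port\s*=\s*(\d+)')) {
            return [int]$Matches[1]
        }
    }
    throw "No port= entry found in $IniPath"
}

$exe = Join-Path $ImeDir 'MYSQL\bin\mysqlcheck.exe'
if (-not (Test-Path -LiteralPath $exe)) { throw "mysqlcheck.exe not found at $exe" }

$port      = Get-MySqlPort (Join-Path $ImeDir 'my.ini')
$mysqlArgs = @('-P', "$port")
# With no -u, mysqlcheck connects as its default account; -p prompts for a password.
if ($User)   { $mysqlArgs += @('-u', $User, '-p') }
# mysqlcheck checks tables by default; --auto-repair also repairs corrupted ones.
if ($Repair) { $mysqlArgs += '--auto-repair' }
$mysqlArgs += $Database
$mysqlArgs += $Table

Write-Host "Running: $exe $($mysqlArgs -join ' ')"
& $exe @mysqlArgs
if ($LASTEXITCODE -ne 0) {
    Write-Warning "mysqlcheck exited with code $LASTEXITCODE"
}
```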
Thanks for posting a great response. I rate it a "5" for all of us who might have to troubleshoot this in the future. It's always nice to know what to look for instead of simply making an educated guess.
I found the response about refreshing the SQL database table valuable, but it didn't fix my problem. In my case it was an expired certificate. To fix this I issued the "tls generate-key" command from the IPS command prompt, then in IME select the sensor from "Home" then "Edit" and click "Ok" without any changes. It will prompt you to accept the new certificate and the Events Connection started working normally ever since.
Hope this helps.
I am doing exactly what is described and I get the following error:
mysqlcheck.exe: Got error: 1045: Access denied for user 'ODBC'@'localhost' (using password: NO) when trying to connect
Event status still Not connected! Please help with this issue.
I am also facing the same error:
1. mysqlcheck.exe: Got error: 1045: Access denied for user 'ODBC'@'localhost' (using password: NO) when trying to connect
2. I am able to see only real-time events but not able to view any past logs on IME (IPS Manager Express). What are the possible causes? I am able to see the events in IDM.
We are using ASA-SSM-10 module, Engine version 7.0(5)E4
Steps taken to resolve this issue:
I have deleted and re-added the devices
Restarted the services
Kindly help on this issue.