Cisco Support Community

New Member

Alarms showing up in IDM log but not in IEV

I have seen alarms in the IDS event logs that have not been received by the IEV. There is no filter on the IEV.

Thanks in advance,

Maged

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Alarms showing up in IDM log but not in IEV

I think I may have an answer...

Perhaps it has something to do with the Information "Level" set for the alarm data to be passed to the host running IEV?

Under the "Configuration>Communications>Remote Hosts>Event Destinations" in IDM, edit the remote host and check the Information "Level" that is set.

There are four levels available: "Information", "Low", "Medium" and "High". These map to the Alarm Severity Levels: 1 and 2 are "Information"; 3 is "Low"; 4 is "Medium"; and 5 is "High".

As I understand it, the IEV will only receive alarms that are equal to (or higher than) the "Level" set in IDM. In other words, if you're set up to accept "Medium", then IEV will only see level 4 and 5 alarms. Since many alarms in the NSDB are level 3, it stands to reason that you'd see them in the IDM logs but, thanks to an Information "Level" setting of "Medium", you won't see them reflected in IEV.

Let me know if this solves your mystery.

Alex Arndt, GCIA
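
The threshold described in the answer above can be checked against a sensor log with a short script. This is an added example, not part of the original post or of any Cisco tool: the record format, function names and sample alarms are constructed, and the severity-to-level mapping is the one stated in the answer.

```python
# Severity-to-level mapping as stated in the answer above.
SEVERITY_TO_LEVEL = {1: "Information", 2: "Information", 3: "Low", 4: "Medium", 5: "High"}
LEVEL_ORDER = ["Information", "Low", "Medium", "High"]

def forwarded(severity, destination_level):
    """True if an alarm of this severity meets the event destination's level."""
    level = SEVERITY_TO_LEVEL[severity]
    return LEVEL_ORDER.index(level) >= LEVEL_ORDER.index(destination_level)

def reconcile(sensor_alarms, viewer_ids, destination_level):
    """Split alarms missing from the viewer into two groups:
    filtered    - below the destination level, so never sent (expected gap)
    unexplained - should have been sent; look at transport or services instead
    """
    filtered, unexplained = [], []
    for alarm in sensor_alarms:
        if alarm["id"] in viewer_ids:
            continue  # present on both sides, nothing to explain
        if forwarded(alarm["severity"], destination_level):
            unexplained.append(alarm)
        else:
            filtered.append(alarm)
    return filtered, unexplained

def level_to_see_everything(sensor_alarms):
    """Highest destination level that still forwards every alarm in the log."""
    levels = (SEVERITY_TO_LEVEL[a["severity"]] for a in sensor_alarms)
    return min(levels, key=LEVEL_ORDER.index)

# Constructed sample data: alarm ids and severities as seen in the sensor log,
# and the ids that actually arrived in the viewer.
SAMPLE_SENSOR_LOG = [
    {"id": 1, "severity": 2}, {"id": 2, "severity": 3}, {"id": 3, "severity": 4},
    {"id": 4, "severity": 5}, {"id": 5, "severity": 3}, {"id": 6, "severity": 5},
]
SAMPLE_VIEWER_IDS = {3, 4}

if __name__ == "__main__":
    filtered, unexplained = reconcile(SAMPLE_SENSOR_LOG, SAMPLE_VIEWER_IDS, "Medium")
    print("dropped by level setting:", [a["id"] for a in filtered])
    print("missing for another reason:", [a["id"] for a in unexplained])
    print("level needed to see all:", level_to_see_everything(SAMPLE_SENSOR_LOG))
```

Alarms in the second group are not explained by the level setting, which points to the connectivity and service checks suggested elsewhere in this thread.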

4 REPLIES
New Member

Re: Alarms showing up in IDM log but not in IEV

Have you added that sensor into IEV's device list? If so, please make sure the postoffice settings in IEV and on the sensor exactly match. Besides, three services (CSIDS DataFeed, Cisco IDS Event Viewer, and MySQL) should be running. You can check that by opening Windows' Service Panel. If those services are not running, IEV won't be able to get alarms from the sensor and store them in the database.

Jie

New Member

Re: Alarms showing up in IDM log but not in IEV

I am getting alarms in the IEV, but not all that are in the IDM logs. Thanks,


New Member

Re: Alarms showing up in IDM log but not in IEV

Thanks, that was the issue!
