Beginner Question: IDS Reports Exporting - Can it be done?

sconley · ‎01-22-2002

I have been placed in a position to start learning the security side of things and am beginning to dig into our CSPM system (host for 4210 and 4230 sensors.)

I looked through the reports but cannot see any method of having the report create a tab (or anything) delimited output. I really need to be able to take the report and create graphs of the changes, new entries, trends, etc. but cannot see any way of doing so.

Is there an ODBC-type method of linking to the database? I would like to bring the data to an Excel file (or Access or Crystal Reports or ....) to have some way to sort the data to be able to present reports to the customer.

I looked through here as best I could and through the comp.dcom.sys.cisco newsgroup but did not see anything to help.

Thanks for any assistance you can offer!

Henry Schupp

Integrated Data Systems, Inc

chstone · ‎01-23-2002

Probably the best way to do this would to be read the log information in its native format, which is comma delimited.

Here are 2 methods that you may want to consider.

Using the CSPM server you can go to "$Base/Cisco Secure Policy Manager/bin". From here you can run the command "cvtnrlog". From this directory run "cvtnrlog /?" and this will list the options available to you. I would suggest something similar to "cvtnrlog -a>mylogfile.txt". This will import all of the database events to this log file, which you can then take and use Excel or similar spreadsheet to import the data into.

Another option would be to ftp the log files from the sensor and manipulate the information in the same format. On your sensor, if you look in "/usr/nr/var", you will find a file called "log.200201****". In other words, a time stamped log file. This file is the same format as the CSPM imported, and can be read in the same manner.

chris

jballay · ‎01-23-2002

chris,

what version of CSPM and what sensor version do you have to have running to accomplish what you mention in your response? thanks.

jeff

hschupp · ‎01-23-2002

Chris -

Excellent. I will check it out tomorrow. If anyone wants a report on the results I will be happy to provide such.

My supervisor asked me over a week ago to create a report for the customer that emulated another I provide from a RealSecure system ... I have been pulling hair trying to get this figured. Am barely competent with Unix so didn't know for sure where to try and find the database on the sensors. This answer provides me with exactly what I needed. Thanks again!

Hank Schupp

m.hossein · ‎01-24-2002

Thanx Chris for your detailed info. but I want to ask about IF I HAVE Director On solaris to manage my IDS system and I am not using Windows management server. Is there a similar way to manage your IDS reports as you did on the CSPM server????

Please Advice

Thanx

Magdy

rshariff · ‎01-30-2002

Chris,

Thanks for elaborte explanation.

I use Solaris/Hp Openview/Director platform.

Is similar reporting possible.

Regards

pbobby · ‎01-31-2002

Using a database?

If so, then real easy to export the tables by date into a delimited file.

If not, (you should be), then it's more manual. But again, the log.* files on your director contain the same information as the ones on CSPM. They are command delimited for you already so you'll just import them into excel. Or import them into an Access database and do some queries against them that way.