With event viewer defaulted to showing medium alarms, is there a way to view low level alarms with their context buffer?
If you use the IDM tool directly to the sensor you can see ALL of the low alarms, but there is no filter option for severity or ip or anything.
Basically, I have a low level string match in place that I don't want to show up on the event viewer in normal operations. I'd like to be able to view this alarm only in its context buffer, but not have to reset the whole event viewer to do it.
I assume you are talking about IEV and not SecMon (part of VMS).
My comments are geared toward IEV and may or may not apply to SecMon.
Basically the issue is whether you want Low level events to be received by IEV and to only show up in the GUI at certain times, or if you never even want the low level events to be sent to IEV, in which case you would need to import the low level events as needed.
Under normal monitoring you would set the filter to exclude the Low severity alarms, but if you ever need the information from a Low severity alarm you just need to change the filter to stop excluding the Low sev alarm. Once you are done with your analysis simply exclude the Low severity alarm again.
If however, you do NOT want to always send Low severity alarms to IEV then you will need to import the log file from the sensor where they are stored whenever you need to look at one.
Under normal monitoring you would set the filter to not see the Low severity alarms, but if you ever need the information from a Low severity alarm you just need to change the filter so you can see the Low sev alarm. Once you are done with your analysis simply filter the Low severity alarm again.
If however, you do NOT want to always send Low severity alarms to IEV then it is easiest to search for these through IDM.
Select a Start time and date just before when you expect the alarm to have been generated, and select a Stop time and date a minute or 2 after when you think the alarm should have been generated.
You should see all of the Low severity alarms in that period. If the alarm has context data, the data will be represented in both a hex format and an ASCII represented format.
NOTE: A similar search can be done with the "show events" command on the CLI.
NOTE2: This sort of query will only work as long as the alarm is still stored on the sensor. The sensor has limited storage for alarms and older alarms will be overwritten as newer alarms come in when the storage is full.
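One way to do the post-filtering this reply describes (a time window around the expected alarm, only the Low severity hits for one signature, the context buffer shown as hex and ASCII) on an exported event list, as an added example that is not from the thread or from Cisco's tools; the one-line-per-event export layout and the sample records are constructed, not the sensor's real export format:

```python
"""Filter exported sensor events by severity, signature and time window,
then render each context buffer as hex and ASCII (added example; the
record layout below is constructed, not the real sensor export format)."""
import binascii
from datetime import datetime, timedelta

# Constructed sample export: one event per line, tab-separated fields:
# timestamp, severity, signature id, source ip, context buffer as hex.
SAMPLE_EXPORT = """\
2004-03-02T10:15:01\tmedium\t3200\t10.0.0.5\t474554202f636769
2004-03-02T10:15:40\tlow\t20001\t10.0.0.7\t5553455220616e6f6e796d6f7573
2004-03-02T10:17:02\tlow\t20001\t10.0.0.9\t
2004-03-02T10:25:00\tlow\t20001\t10.0.0.7\t50415353207365637265740d0a
"""

def parse_events(text):
    """Parse the constructed export into dicts with decoded context bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sev, sig, src, ctx = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "severity": sev,
            "sig_id": int(sig),
            "src": src,
            "context": binascii.unhexlify(ctx) if ctx else b"",
        })
    return events

def select_events(events, sig_id, start, stop, severity="low"):
    """Keep events of the given severity and signature inside [start, stop]."""
    return [e for e in events
            if e["severity"] == severity and e["sig_id"] == sig_id
            and start <= e["time"] <= stop]

def hex_ascii_dump(data, width=16):
    """Render bytes as a hex + ASCII view, like IDM shows a context buffer."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    start = datetime(2004, 3, 2, 10, 15)
    for e in select_events(evs, 20001, start, start + timedelta(minutes=3)):
        print(e["time"], e["src"])
        print(hex_ascii_dump(e["context"]) or "  (no context buffer)")
```

Events with an empty context buffer are kept in the selection so the analyst still sees that the signature fired, only without a dump.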
Actually, we are using Security Monitor, and that's where my problem lies. I have set up IEV in addition to SecMon, but I ran into two issues:
1) IEV doesn't filter by signature. All I want to see is the context buffer for custom sig 20001 (String Match). There is no tool that I know of that will filter out all of the other low level alarms and just leave me with a specific signature and its context. SecMon has a report feature that will do it, but I don't get any context buffer there, which renders that useless to me.
2) I had a lot of problems getting IEV and SecMon to work together. When I accessed a sensor with IEV, the sensor refused to send alarms to the SecMonEV even after I stopped all of the processes which run with IEV. In order to get my sensor back I had to delete it and get it to discover itself again. Sounds like a bug to me, but it might be a common issue.
--Using VMS 2.2
--IDS MC 1.2
--Security Monitor 1.2
--Using UNIX machine as "director" (Sunblade 2000)