Cisco Support Community
Community Member

CSIDS 3.1-3-S31 problems. Pls help.

I have an IDS-4210 running 3.1-3-S31 in a test setup. I'm using the web-based IDM and IEV so there is no central IDS manager. I've run into a couple of problems here:

1. In the Event destinations, I have an entry for the sensor itself forwarding all events to the loggerd service. I can see traffic when I snoop on the iprb0 but when I "tail -f /usr/nr/var/log.*" I don't see anything. nrstatus shows all the daemons running and owned by netrangr. However, I do see that packetd restarts sometimes and there are a few events logged into the log.timestamp file but it's not consistent.

2. I want to be able to get email notifications and since I don't have a central mgr, I have configured eventd on the sensor. I have made sure that there is an entry in the destinations file for the service eventd ; nrstatus shows nr.eventd running ; /usr/nr/bin/eventd/event.conf and /usr/nr/etc/eventd.conf are configured too. I don't get any email and sendmail is configured right.

Any help, pls.

2 REPLIES
Silver

Re: CSIDS 3.1-3-S31 problems. Pls help.

Cisco Employee

Re: CSIDS 3.1-3-S31 problems. Pls help.

1. In the Event destinations, I have an entry for the sensor itself forwarding all events to the loggerd service. I can see traffic when I snoop on the iprb0 but when I "tail -f /usr/nr/var/log.*" I don't see anything.

*** The log file in version 3.x is now a memory mapped file. "tail -f" does not work with memory mapped files. Loggerd automatically opens the log file up to the max log file size filling it with NULL characters and then starts back at the beginning writing in the alarms. "tail -f" automatically goes to the bottom of the file and waits for new input. In older sensors the new alarms were added to the file and seen by "tail -f", but in version 3 the "tail -f" goes to the end of the file full of NULLS while Loggerd is writing the alarms into the middle of the file.

nrstatus shows all the daemons running and owned by netrangr. However, I do see that packetd restarts sometimes and there are a few events logged into the log.timestamp file but it's not consistent.

2. I want to be able to get email notifications and since I don't have a central mgr, I have configured eventd on the sensor. I have made sure that there is an entry in the destinations file for the service eventd ; nrstatus shows nr.eventd running ; /usr/nr/bin/eventd/event.conf and /usr/nr/etc/eventd.conf are configured too. I don't get any email and sendmail is configured right.

*** eventd running on the sensor is not supported and I have heard of users experiencing problems with this.

So email notification is not supported with IDM and IEV. Email notification is only supported with VMS (IDS MC and Security Monitor).

What can you do??

Loggerd should have a configuration for the maximum age of a log file (can't remember the token name). Configure this to be a shorter period of time.

IDM then allows you to configure automatic ftp'ing of log files off the sensor to your own ftp server:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13876_01.htm#xtocid46

Every time a log file is closed the system will automatically ftp the log file to your server.

Then create your own script on your ftp server.

It will scan the log files that the sensor pushes down, and then send an email for whichever alarms you are interested in.

It is not an immediate email when the alarm is seen, but if you configure the maximum log file age to be 10 minutes then you might only have a 10 minute lag in having the email sent.
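Below is an added example of the ftp-server-side script the reply describes; it is not Cisco's code and not from this thread. It handles the point made earlier about the memory-mapped log: the file arrives preallocated to its maximum size and padded with NUL bytes after the written records, so the scanner cuts the image at the first NUL before parsing. The record layout (comma-separated fields with severity and signature ID at the positions SEVERITY_FIELD and SIG_ID_FIELD), the sample records and the drop-directory path are assumptions made for the example and must be adjusted to the real 3.x log layout.

```python
"""Scan NUL-padded IDS log files pushed to an FTP drop directory and build
email alerts for selected alarms.

Added example for the workaround described in the reply above; it is not
Cisco's code. The record layout (comma-separated fields, severity and
signature ID at the positions below) is an ASSUMPTION used for the
constructed sample; adjust the field indexes to the real 3.x log layout.
"""
import glob
import smtplib
from email.message import EmailMessage

# Assumed field positions in each log record (not taken from the page).
SEVERITY_FIELD = 3
SIG_ID_FIELD = 4
MAX_LOG_SIZE = 4096  # constructed: size the sensor preallocates

# Constructed sample log: records at the front, NUL padding up to the
# maximum size, mimicking a memory-mapped log that was preallocated and
# then written from the beginning.
SAMPLE_RECORDS = (
    b"4,sensor1,2003/01/02 10:15:01,5,3030,10.0.0.5,192.168.1.9\n"
    b"4,sensor1,2003/01/02 10:15:07,2,2004,10.0.0.7,192.168.1.9\n"
    b"4,sensor1,2003/01/02 10:16:40,4,1000,10.0.0.5,192.168.1.20\n"
)
SAMPLE_LOG = SAMPLE_RECORDS.ljust(MAX_LOG_SIZE, b"\x00")


def strip_nul_padding(data):
    """Return only the written portion of a preallocated log image.

    loggerd fills the file with NUL bytes and writes records from the start,
    so everything from the first NUL onward is unused padding.
    """
    return data.split(b"\x00", 1)[0]


def parse_records(data):
    """Split the written portion into complete, comma-separated records.

    A trailing fragment without a newline is dropped: it may be a record the
    sensor was still writing when the file image was taken.
    """
    text = strip_nul_padding(data).decode("ascii", errors="replace")
    complete = text.split("\n")[:-1]  # last element is "" or a fragment
    return [line.split(",") for line in complete if line.strip()]


def select_alarms(records, wanted_sigs, min_severity):
    """Keep records whose signature ID is wanted or whose severity is high enough."""
    hits = []
    for rec in records:
        if len(rec) <= max(SEVERITY_FIELD, SIG_ID_FIELD):
            continue  # malformed or truncated record
        try:
            severity = int(rec[SEVERITY_FIELD])
        except ValueError:
            continue
        if rec[SIG_ID_FIELD] in wanted_sigs or severity >= min_severity:
            hits.append(rec)
    return hits


def build_alert(alarms, sender, recipient, source_name):
    """Build one email summarising the selected alarms from one log file."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"IDS alarms in {source_name}: {len(alarms)} matching"
    msg.set_content("\n".join(",".join(rec) for rec in alarms))
    return msg


def scan_drop_dir(pattern, wanted_sigs, min_severity, sender, recipient):
    """Scan every pushed log file matching the glob pattern and return alerts."""
    messages = []
    for path in sorted(glob.glob(pattern)):
        with open(path, "rb") as fh:
            alarms = select_alarms(parse_records(fh.read()), wanted_sigs, min_severity)
        if alarms:
            messages.append(build_alert(alarms, sender, recipient, path))
    return messages


def send(messages, smtp_host="localhost"):
    """Hand the built alerts to the local mail relay."""
    with smtplib.SMTP(smtp_host) as smtp:
        for msg in messages:
            smtp.send_message(msg)


if __name__ == "__main__":
    # Dry run on the constructed sample; a cron job would call scan_drop_dir
    # on the assumed drop directory (e.g. "/var/ftp/ids/log.*") and then send().
    hits = select_alarms(parse_records(SAMPLE_LOG), {"3030"}, 4)
    print(build_alert(hits, "ids@example.com", "soc@example.com", "sample"))
```

Run it from cron at the same interval as the maximum log file age so each closed file is picked up once; the NUL cut is what makes the file readable at all, since a naive line reader would otherwise see one huge record of padding.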
