Cisco Support Community
Community Member

Don't see launch event viewer only one day is not displayed

Have had too many IP Localhost Source Spoof ID: 1114 alarms since a week before. Yesterday I lost connectivity to internet service and today my IDS was unconnected from monitoring connections report. I wasn't able to connect it until I reset the unit. Before that I performed a show statistics and show events directly from the IDS and got "system error no appt processor".

After resetting the system I was able to connect it and tried to display all events I got yesterday with event viewer and don't have any. I only have older events and today's events (since I reestablished connection), but yesterday's events, which I need to discover what happened with my network yesterday, are not available. Is there a way to recover them? What could have happened? Could my IDS have been compromised yesterday with an attack? How could I know that?

Any suggestions, please advise.

1 REPLY
Cisco Employee

Re: Don't see launch event viewer only one day is not displayed

Hoping that the sensing interface was up and seeing the right traffic, these records should be in the /usr/nr/var/log. directory in case of 3.x sensors. There will be files with timestamps. Check for the day/time you are looking for.

In case of IDS 4.x sensors, execute the command "show events" to query the local eventstore for the alarms that you are looking for.

Thanks,

yatin
