Cisco Support Community

wkw
New Member

Downloading events from the IDS42XX appliance+ deleting it

Hi,

I'm very new to Cisco IDS 42XX appliances, so please bear with my somewhat newbie questions. Anyway, I would like to know how I can automatically download the events from an IDS 42XX appliance every night, save them onto an external server, and delete the events from the 42XX appliance. I'm having problems where the events just grow to over 100,000 (we are in the midst of tuning it!), at which point the IDS MC (v1.1) will just complain that the number of events is >100,000. Please advise!

thanks..

  • Other Security Subjects
3 REPLIES
New Member

Re: Downloading events from the IDS42XX appliance+ deleting it

The IDS 4 sensors use an event store that is a giant circular queue. Events are only deleted when the queue "wraps around" and overwrites the old information. Typically, this takes days or weeks.

The external applications that monitor IDS events will generally maintain continuous communication with the sensor. If they become disconnected, they will resume where they left off as long as they reconnect before the events wrap around.

The "complaint" that you are seeing from IDS MC is curious. I've witnessed MC monitoring millions of events, and it works fine. Perhaps some of the members of this forum more familiar with MC configuration can help you with this problem.

If you want to develop your own event monitoring application, you should read the RDEP specification at:

http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API

Look for the link near the bottom of the page "Cisco IDS RDEP API v1.0".
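As an added illustration (not from this reply, and not Cisco or RDEP code), a constructed Python model of the behaviour described above: a fixed-size circular event store on the sensor and an external monitor that resumes from the last event ID it archived, with a check that reports how many events were overwritten if the queue wrapped while the monitor was disconnected. The capacity, event names and all class and method names are assumptions.

```python
from __future__ import annotations
from collections import deque


class CircularEventStore:
    # Ring buffer: once full, adding an event overwrites the oldest one.
    def __init__(self, capacity: int) -> None:
        self._events: deque[tuple[int, str]] = deque(maxlen=capacity)
        self._next_id = 1  # sensor-assigned, monotonically increasing

    def add(self, signature: str) -> int:
        event_id = self._next_id
        self._next_id += 1
        self._events.append((event_id, signature))  # drops the oldest when full
        return event_id

    def oldest_id(self) -> int | None:
        return self._events[0][0] if self._events else None

    def events_after(self, last_id: int) -> list[tuple[int, str]]:
        return [e for e in self._events if e[0] > last_id]


class Collector:
    # External monitor that archives events and remembers where it left off.
    def __init__(self) -> None:
        self.last_id = 0
        self.archive: list[tuple[int, str]] = []
        self.lost = 0  # events overwritten before this collector fetched them

    def poll(self, store: CircularEventStore) -> int:
        oldest = store.oldest_id()
        # Gap check: if the oldest event still held is not the one right after
        # our last archived ID, the queue wrapped while we were disconnected.
        if oldest is not None and oldest > self.last_id + 1:
            self.lost += oldest - (self.last_id + 1)
        new = store.events_after(self.last_id)
        self.archive.extend(new)
        if new:
            self.last_id = new[-1][0]
        return len(new)


def simulate(capacity: int, burst: int) -> tuple[int, int]:
    """Archive 3 events, disconnect while `burst` more arrive, then reconnect."""
    store, collector = CircularEventStore(capacity), Collector()
    for i in range(3):
        store.add(f"sig-{i}")  # constructed alert names
    collector.poll(store)
    for i in range(burst):
        store.add(f"burst-{i}")  # collector is disconnected during the burst
    collector.poll(store)
    return len(collector.archive), collector.lost
```

With a store large enough to hold the burst, the collector catches up with nothing lost; with a store of 5 and a burst of 7, two events are overwritten and the gap check counts them.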

Cisco Employee

Re: Downloading events from the IDS42XX appliance+ deleting it

I think the error you are seeing is not an issue with the sensor but an issue with Security Monitor complaining that there are too many events in the Security Monitor database.

You can use the IdsPruning utility in Security Monitor to manage the events in the Security Monitor database:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch07.htm#1255

New Member

Re: Downloading events from the IDS42XX appliance+ deleting it

marcabal,

That is one of the most useful links I have seen around here in quite a while!

Thanks,

You just saved me hours and hours of work!

-Brian
