Downloading events from the IDS 42XX appliance + deleting it
I'm very new to Cisco IDS 42XX appliances, so please bear with my somewhat newbie questions. Anyway, I would like to know how I can automatically download the events from an IDS 42XX appliance every night, save them onto an external server, and delete the events from the 42XX appliance. I'm having the problem where the events just grow to over 100,000 (we are in the midst of tuning it!), at which point the IDS MC (v1.1) will just complain that the number of events is >100,000. Please advise!
Re: Downloading events from the IDS 42XX appliance + deleting it
The IDS 4 sensors use an event store that is a giant circular queue. Events are only deleted when the queue "wraps around" and overwrites the old information. Typically, this takes days or weeks.
The external applications that monitor IDS events will generally maintain continuous communication with the sensor. If they become disconnected, they will resume where they left off as long as they reconnect before the events wrap around.
The "complaint" that you are seeing from IDS MC is curious. I've witnessed MC monitoring millions of events, and it works fine. Perhaps some of the members of this forum more familiar with MC configuration can help you with this problem.
If you want to develop your own event monitoring application, you should read the RDEP specification at:
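An added example, not part of the original thread and not the sensor's real RDEP interface: a constructed stand-in for the fixed-size circular event store the reply describes, plus a collector that persists the last event ID it archived, resumes from it on reconnect, and flags the range of events it lost when the queue has already wrapped past its cursor. Event IDs, capacity and signature names are all made up for the simulation; the store offers no delete, matching the reply's point that events only disappear by being overwritten.

```python
"""Simulated IDS event store (circular queue) and a resuming collector.

Constructed example: the EventStore stands in for the sensor's event store,
it does not speak RDEP or any other real sensor protocol.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str]  # (monotonically increasing event id, signature name)


@dataclass
class EventStore:
    """Fixed-capacity circular queue. When full, the oldest event is
    overwritten: this is the 'wrap around' that silently drops events
    a disconnected consumer has not yet read. There is no delete."""
    capacity: int
    _events: deque = field(default_factory=deque)
    _next_id: int = 1

    def append(self, sig: str) -> int:
        eid = self._next_id
        self._next_id += 1
        if len(self._events) >= self.capacity:
            self._events.popleft()  # overwrite the oldest event
        self._events.append((eid, sig))
        return eid

    def oldest_id(self) -> Optional[int]:
        return self._events[0][0] if self._events else None

    def read_after(self, last_seen: int) -> List[Event]:
        """Events newer than the caller's cursor, in order."""
        return [e for e in self._events if e[0] > last_seen]


@dataclass
class Collector:
    """Consumer that persists its cursor (last archived event id) so it can
    resume where it left off after a disconnect, and records any gap caused
    by reconnecting after the store has wrapped."""
    last_seen: int = 0
    archive: List[Event] = field(default_factory=list)
    gaps: List[Tuple[int, int]] = field(default_factory=list)

    def pull(self, store: EventStore) -> List[Event]:
        oldest = store.oldest_id()
        # If the oldest event still present is beyond cursor+1, the ids in
        # between were overwritten while we were away: record the lost range.
        if oldest is not None and oldest > self.last_seen + 1:
            self.gaps.append((self.last_seen + 1, oldest - 1))
        batch = store.read_after(self.last_seen)
        self.archive.extend(batch)
        if batch:
            self.last_seen = batch[-1][0]
        return batch


def demo() -> Collector:
    """Three pulls against a 5-slot store; the third happens after the
    store has wrapped past the collector's cursor."""
    store = EventStore(capacity=5)
    col = Collector()
    for i in range(3):                 # ids 1..3 arrive
        store.append(f"sig-{i}")
    col.pull(store)                    # archives 1..3, no gap
    for i in range(3, 5):              # ids 4..5 arrive
        store.append(f"sig-{i}")
    col.pull(store)                    # archives 4..5, no gap
    for i in range(5, 12):             # ids 6..12 arrive while disconnected;
        store.append(f"sig-{i}")       # the store now holds only 8..12
    col.pull(store)                    # archives 8..12, records gap (6, 7)
    return col


if __name__ == "__main__":
    c = demo()
    print("archived ids:", [e[0] for e in c.archive])
    print("lost ranges:", c.gaps)
```

The nightly job the question asks for would keep `last_seen` on the external server and call `pull` on each run; if `gaps` is ever non-empty, the interval between runs is longer than the store takes to wrap and needs to be shortened.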