
New Member

Event Viewer

Using Security Monitor 1.2,

If I have 10 sensors, how do I view LESS THAN 10 sensors on my event viewer? Can I just look at sensor "a"'s alarms without looking at b, c, d, e, f, g, h, i and j's alarms too?

If I am managing over 100 of these sensors, how is the event viewer ever going to load if I can't filter?

6 REPLIES
Cisco Employee

Re: Event Viewer

Hi Eric,

I guess you are referring to the EV in the Security Monitor of the VMS bundle, because IDS Event Viewer is a Java-based application that enables you to view and manage alarms for up to five sensors only.

In that, you could create filters to show the info that you require. If you are using the EV from Security Monitor, then the columns are sortable by sensor and you will be able to view the alarms for a particular sensor only.

Hope that helps,

yatin

New Member

Re: Event Viewer

Yes, I'm using the EV from the Security Monitor. How exactly do you sort the columns by sensor? I have not been able to figure out how. I have tried to set up filters for the EV but there was no option to filter out sensors or severity.

Cisco Employee

Re: Event Viewer

You can place the columns in any order you choose.

Simply grab the column header and move it to the left or right.

The first column is the Count column; this column cannot be moved and is not used for sorting.

Any column can be moved into the second column. The events will then automatically be sorted according to this second column.

You can then move another column into the second column and the events will then be sub-sorted by this second column.

Here is an example of what I mean by sub-sorted.

If the Sensor Name were moved to the second column and the Alarm Severity were moved to the third column, then the alarms would first be grouped by sensor and then inside each sensor the alarms would be grouped according to the severity.

If you had 2 sensors then the alarms would be grouped by

sensor1 high severity alarms

sensor1 medium severity alarms

sensor1 low severity alarms

sensor1 information severity alarms

sensor2 high severity alarms

sensor2 medium severity alarms

sensor2 low severity alarms

sensor2 information severity alarms.

If a user is interested in alarms from only a single sensor, then the user can move the sensor name or sensor id column all the way to the 2nd column. Then for each sensor he is not interested in, he can collapse all of that sensor's alarms into a single line in the GUI.

The user can then expand just the line for the sensor of interest.

Or if the user is interested in only Low level alarms then move the severity column to the 2nd column. The high, medium, and information severity alarms can each be collapsed to a single line (one line for each severity).

And the user can then expand just the Low level alarms.

To learn more about moving the columns to change the sorting order, and about collapsing and expanding the cells, refer to:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch04.htm

New Member

Re: Event Viewer

This is helpful, but you still wind up having to have the EvsServer load all of the other useless alarm data. What if I want to see a single sensor's low alarms in the EV for a 24-hour period? By what you are telling me, I would have to load 24 hours of data for low, medium and high alarms and for all sensors, and then sort the columns to get the sort order right.

If I had a Cray as my MC, then I might be able to see these alarms within my lifetime.

Cisco Employee

Re: Event Viewer

Understood.

Good request, but not currently supported.

I've heard talk about implementing these kinds of filters in a future version, but don't know if it is being implemented or not.

I would suggest contacting the TAC and asking that they open up a new DDTS Enhancement request for you.

NOTE: There may already be an enhancement request for this, in which case you can ask the TAC to link your TAC Case Id to the existing DDTS Enhancement request.

More cases linked to a specific request will increase the chances that the enhancement will be implemented in a future version.

Other workarounds to consider in the meantime.

If this is not your standard day-to-day usage, then have you considered using IEV for those once-in-a-while times when you need to look at a filtered list of alarms?

IEV does have the filter mechanism you are requesting.

With version 3.x sensors you would download the log files for that day from that one sensor.

Select the IEV option to view the alarms in a log file (since you are looking at a log file you don't even have to configure IEV to connect to the sensor).

In IEV I believe there is a filter so you can see just the Low level alarms, and I think that the filter may work with alarms read in from the log file.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids8/13877_01.htm#xtocid12

NOTE: I haven't tested this, but I believe it will work.

With version 4.x sensors you would add the sensor to IEV and specify a specific date for IEV to download the alarms.

Simply put in the start time you want (it will pull of the events since that time). Then use the filters in IEV to show only the Low level alarms.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids10/idmiev/swchap6.htm#604198

When you are done you can remove the sensor from IEV's list so it doesn't keep pulling the alarms.

New Member

Re: Event Viewer

I have considered using just the IEV as a stand-alone to view these alarms from another machine; however, I ran into a roadblock: after I configured the IEV to a particular sensor, it stopped reporting event store data to my MC. I had to literally delete and reinstall the sensor after I deleted the entire IEV program from the workstation. So, it wasn't a feasible workaround, although it had potential...

Thanks for the help.
