New Member

Howto: Send events from one CSPM to another

I have a CSPM that handles all my sensors, policies etc. I have another 2.3.3.i CSPM that I would like just to receive events from the first CSPM... nothing more.

Not quite sure how to set this up.

I've added my 2nd cspm as a node in the first cspm's topology. I've configured it much the same way as I would configure a netForensics node, Intellitactics node, etc... so that it receives postoffice traffic.

Not sure how to configure the 2nd cspm to receive data.

Does the 2nd cspm have to have the topology of the first? I don't think so.

1 REPLY
Cisco Employee

Re: Howto: Send events from one CSPM to another

You're better off having the sensor send the alarms to the two CSPM servers. Here's a message on how to do this from a previous thread on this subject:

-------------------------------------

CSPM does not currently support a primary/backup type model.

What it does support is having one CSPM for configuration and alarm viewing, and using a second CSPM as a secondary destination only for alarm viewing.

For this example I will use 2 CSPM machines: CSPMA and CSPMB.

CSPMA is configured like a normal CSPM for configuring and receiving alarms from the sensors. CSPMA would be where all of your configuration takes place on a normal daily basis.

Within CSPMA you would configure each sensor to also send its alarms to a secondary destination CSPMB. This is in the Advanced->Additional Destinations Tab.

On CSPMB you would add a machine for each sensor. But instead of adding them as sensors, you would just add them as postoffice hosts. This way the sensors will be communicating with and sending alarms to CSPMB, but CSPMB won't be able to configure them.

Refer to the following link about adding Postoffice hosts.

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch04.htm#xtocid2665211

Alternatively you could also add the sensors in as real sensors, but when adding the sensor do not select the check boxes that verify the sensor information. CSPMB won't have the permissions necessary to verify the sensor information. If you do this you will have to remember that CSPMB should NEVER be used for configuration changes in this state.

The end result is that the sensor is configured ONLY by CSPMA, but is sending alarms to both CSPMA and CSPMB. As long as CSPMA continues operating, the alarms in CSPMB should be deleted on a daily basis to keep its alarm database from filling up with old alarms.

So what happens if CSPMA goes down:

Option1) If you have IDS Appliances, and are running 3.1(2)S23 or later, then you can manage the IDS Sensors using the IDM web based client until CSPMA comes back on line. Then the changes made through IDM will have to be manually redone within CSPMA. Personally I would suggest using this option, even though it makes you keep track of what changes you make through IDM so you can incorporate them back into CSPMA.

NOTE: During this time CSPMB would be used for alarm viewing.

Option2) If you want to use CSPMB for configuration, then delete the current Postoffice Host for the sensor within CSPMB. Go to the sensor and manually edit the etc/auths file to add all authority for CSPMB, and restart the sensor. Now add the sensor to CSPMB and select both check boxes. CSPMB will now have permission to pull the latest information from the sensor. If you don't remove the sensor and re-add it, then CSPMB won't know all of the configuration changes that had previously been made by CSPMA. You would have to do this for each sensor. When CSPMA comes back on line, you will have to reconfigure each sensor to give CSPMA authority. And then delete and re-add them to CSPMA to get all of the changes that CSPMB had made.

This option can be very time consuming if you have multiple sensors.

-------------------------------------

Hope this helps.
