Cisco Support Community
Community Member

IDS 4.x - changes/upgrade questions

I just upgraded my 4210 from 3.x to 4.x; a couple of questions:

1.) I am running the Event Viewer from the same computer that I am trying to access the IDS via HTTPS. With the Event Viewer service running, I cannot seem to login via the web interface. It worked fine in 3.x this way; and it worked fine until I installed the 4.x viewer. I can access IDS via the web interface from other computers fine.

2.) Is there any way to add filtered signatures (i.e. exclude a filter for a particular IP address)?

3.) Does 4.x have the ability to export event logs to an FTP site?

Thank you,

John Rather

Cisco Employee

Re: IDS 4.x - changes/upgrade questions

You should be able to connect to IDM from the same box where you are running IEV. There is nothing in the software to prevent this, and it would actually be considered the typical deployment when using IEV. So something is going wrong.

Can you verify that IEV is able to connect and receive alerts?

If IEV can not connect either, then it is either a sensor configuration issue (your machine's IP may not be allowed), or a network issue (maybe a firewall in between is blocking the traffic).

If IEV can connect but you can't from a web browser, then there are a few other possibilities (I don't think it is an issue of running IEV on the same machine but you never really know):

1) Are you connecting with "http://" or "https://"? The default is to use "https://".

2) Are you connecting to the correct port? Check which port IEV is connecting to and ensure you are connecting to the same port (port 443 by default, but users can change it).

3) In a worst case you could try sniffing the network and try to see what is happening. I will typically login with the service account on the sensor. Then switch to user root. And run tcpdump on the command and control interface.

4) Have you tried to build your own RDEP client to connect to the sensor (or using another vendor's program to pull events from the sensor)?

Not many users have tried building their own RDEP client, but the few that have will sometimes run into a problem. The web server supports a limited number of connections. Ordinarily this is not an issue. But some users have coded their RDEP clients to re-authenticate each time it connects to the sensor, instead of re-using the existing connection. This causes all of the connections to be used up on the web server and prevents access to IDM.

If you don't have any luck trying to figure it out, then be prepared to call the TAC and provide a traffic dump from tcpdump for the engineers to analyze.

NOTE: You could even change from https to unencrypted http while you try to figure out what is happening. This way you can read the packets you capture with tcpdump.


For filters refer to:

NOTE: The Exception field makes the filter the equivalent of the RecordOfIncludedAddress from 3.x sensors. It allows alarms to be generated for those addresses.


As for exporting of event logs to an FTP site.

No the 4.x sensor does not support this functionality.

Instead you will either need to manually export them from IEV:

Or write your own RDEP client to pull the events directly from the sensor. (The RDEP specification is posted on CCO, but I don't remember the link).

The other alternative would be to switch to using VMS 2.2. SecMon is the tool used for pulling events from the sensor. You can schedule a SecMon script to periodically pull the events from the SecMon database and place them in a file.

If you have kept up to date with your sensor maintenance contract then you are able to order VMS 2.2 Basic. The VMS Basic is limited to managing 5 sensors, but is available at no extra charge for IDS users with maintenance contracts on their sensors.

You can order your no additional cost VMS Basic CD through the Product Upgrade Tool on CCO:
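The connection-exhaustion problem described in the reply (a home-grown client that opens and re-authenticates on a new connection for every poll, eventually using up the web server's limited connection slots) can be shown with a small local stand-in. This is an added example, not Cisco code and not the RDEP protocol: it runs a counting HTTP server on localhost and compares a reconnecting poller with a persistent one; the `/events` path and the response body are constructed placeholders.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class CountingServer(HTTPServer):
    """Stand-in for a sensor web server; counts TCP connections accepted."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.connections = 0

    def process_request(self, request, client_address):
        self.connections += 1          # one accepted connection per slot used
        super().process_request(request, client_address)


class EventHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"      # HTTP/1.1 so the connection can be kept alive

    def do_GET(self):
        body = b"<events/>"            # constructed placeholder for an event batch
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def poll_reconnecting(host, port, polls):
    """Anti-pattern: a fresh connection (and login) for every poll."""
    for _ in range(polls):
        conn = http.client.HTTPConnection(host, port)
        conn.request("GET", "/events")  # hypothetical path
        conn.getresponse().read()
        conn.close()                    # next poll opens yet another connection


def poll_persistent(host, port, polls):
    """Preferred: connect and authenticate once, reuse the connection for each poll."""
    conn = http.client.HTTPConnection(host, port)
    for _ in range(polls):
        conn.request("GET", "/events")  # hypothetical path
        conn.getresponse().read()       # read fully so the connection can be reused
    conn.close()


def connections_used(poll_fn, polls=5):
    """Run poll_fn against a local counting server; return connections consumed."""
    srv = CountingServer(("127.0.0.1", 0), EventHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    poll_fn("127.0.0.1", srv.server_address[1], polls)
    srv.shutdown()
    return srv.connections
```

With five polls the reconnecting client consumes five server connections while the persistent client consumes one, which is the difference between a client that eventually locks everyone out of IDM and one that does not.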
