IDS logs to SQL.... how?

zheeter
Level 1

We want to save our logs to an MSSQL db, either directly from the IDS machines or by export from CSPM or IDSMC....

I have searched through the archives and have tried -

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch11.htm#xtocid121082

which teases but doesn't tell how.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/rdbms.htm#18460

vaguely refers to modifying the ids files to make a sql schema but doesn't say how.

Exporting from IDSMC is impossible since that db's password is unknowable and I think so is CSPM. Any suggestions? If there is a sql schema for use on the IDSs, please let me know.

9 Replies

duchesne_ced
Level 1

I think IEV is working on MySQL.... but IEV is limited to 3 sensors. So if you are under this limit, download IEV. It will create a MySQL db that you can attack another way.

Hope this helps

Unfortunately, we have more than 3 sensors so that isn't an option.

I've got several questions:

1° How many devices are in production ?

2° Why do you need access on the Db ?

1 - several, more than 10

2 - to run our own reports using the data

Well several choices:

1) You use IDS-MDC. They have a Sybase DB. By configuring ODBC you should get access to the DB. The password should be requested from the TAC?

2) You can use CSPM. You use 'CvtNrlog', which exports the DB to a CSV file, then you import it into your SQL db. This process can be automated through scripting.

3) You use Unix Director (should be replaced by IDS-MDC on Unix ???). Read this: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/dmp.htm

and also this

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/rdbms.htm

Hope this helps

Thanks for the replies, everyone, I'm slowly getting somewhere on this.

A few comments:

1) Cisco is loath to give up the Sybase password and it cannot be recovered, so that is a dead end, though it would be the best solution since CSPM is going away anyhow.

2) I can't believe I haven't seen this yet, after all the searching I've done! It looks very promising.

3) We aren't using Director.

I had already started work on a Perl script that would parse the logfiles and send them to MSSQL, but I can do a very similar thing using cvtnrlog and an import daily. The problem with cvtnrlog is CSPM isn't a supported product anymore and all future releases are going to be for IDS-MC (which is a bear to work with so far). Maybe I'll just stick to using the FTP'd logs since they are platform independent and it's hard to justify keeping CSPM AND IDS-MC at the same time.

I'm still waiting for IDS Monitoring Center so I haven't tried this solution, but look at this:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/secmon/user_gd/appa.htm#217

As far as I understand this chapter, the command IdsPruning is similar to cvtNrlog. The archive file is a CSV, so again it can be imported into a MySQL DB where you can run your own queries.

regards

Is it possible to run queries & form executive reports on this MySQL on IEV?

I'm not an SQL expert, but once you have access to the SQL database, you can run queries and create reports through Perl.
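The two pieces the thread keeps circling back to, a scripted daily import of the CSV export and then running your own report queries against the table, fit in one small script. The example below is added here and is not code from the thread, from Cisco, or from CvtNrlog/IdsPruning: it uses Python instead of the Perl mentioned above and SQLite as a stand-in for MSSQL, and the CSV column layout (and every sensor name, signature id and address in the sample) is constructed for the example, so `SAMPLE_EXPORT` and the column names must be adjusted to whatever the real export produces. It does show the two points a daily import needs to get right: re-importing an overlapping archive must not duplicate alerts (the UNIQUE constraint plus INSERT OR IGNORE), and log fields must go in as bound parameters, never pasted into the SQL text, because a sensor log is exactly the kind of data an attacker can influence.

```python
import csv
import io
import sqlite3

# Constructed sample of a daily CSV export. The column layout is hypothetical
# (NOT the real CvtNrlog / IdsPruning format); the signature ids, names,
# sensor names and addresses are made up for the example. Row 4 duplicates
# row 3 and row 6 has a non-numeric signature id on purpose.
SAMPLE_EXPORT = """\
timestamp,sensor,signature_id,signature_name,src_ip,dst_ip,severity
2003-05-01 10:15:22,sensor-01,3030,Host Sweep (sample),10.1.1.5,10.2.2.9,3
2003-05-01 10:15:40,sensor-02,3030,Host Sweep (sample),10.1.1.5,10.2.2.10,3
2003-05-01 10:16:03,sensor-01,5081,Web Probe (sample),10.1.1.7,10.2.2.9,5
2003-05-01 10:16:03,sensor-01,5081,Web Probe (sample),10.1.1.7,10.2.2.9,5
2003-05-01 10:17:11,sensor-03,2004,ICMP Echo (sample),10.1.1.9,10.2.2.11,1
2003-05-01 10:18:30,sensor-01,not-a-number,Broken Row (sample),10.1.1.9,10.2.2.11,2
"""

SCHEMA = """
CREATE TABLE IF NOT EXISTS ids_events (
    id         INTEGER PRIMARY KEY,
    event_time TEXT    NOT NULL,
    sensor     TEXT    NOT NULL,
    sig_id     INTEGER NOT NULL,
    sig_name   TEXT,
    src_ip     TEXT,
    dst_ip     TEXT,
    severity   INTEGER,
    -- re-importing an overlapping export must not create duplicate alerts
    UNIQUE (event_time, sensor, sig_id, src_ip, dst_ip)
)
"""


def open_db(path=":memory:"):
    """Open the database (SQLite here as a stand-in for MSSQL) and ensure the table exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def load_export(conn, csv_text):
    """Import one CSV export. Returns (rows_inserted, rows_skipped)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    good, skipped = [], 0
    for row in reader:
        try:
            good.append((row["timestamp"], row["sensor"], int(row["signature_id"]),
                         row["signature_name"], row["src_ip"], row["dst_ip"],
                         int(row["severity"])))
        except (KeyError, ValueError):
            skipped += 1  # malformed line: count it rather than abort the whole import
    before = conn.execute("SELECT COUNT(*) FROM ids_events").fetchone()[0]
    # Parameterised insert: log fields are bound values, never part of the SQL
    # text, so a hostile value in e.g. a signature name cannot alter the statement.
    conn.executemany(
        "INSERT OR IGNORE INTO ids_events "
        "(event_time, sensor, sig_id, sig_name, src_ip, dst_ip, severity) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", good)
    conn.commit()
    after = conn.execute("SELECT COUNT(*) FROM ids_events").fetchone()[0]
    return after - before, skipped


def top_signatures(conn, limit=3):
    """Most frequent signatures, the usual first line of an executive summary."""
    return conn.execute(
        "SELECT sig_id, sig_name, COUNT(*) AS hits FROM ids_events "
        "GROUP BY sig_id, sig_name ORDER BY hits DESC, sig_id ASC LIMIT ?",
        (limit,)).fetchall()


def events_per_sensor(conn):
    """Alert volume per sensor, to spot a sensor that has gone quiet or noisy."""
    return conn.execute(
        "SELECT sensor, COUNT(*) FROM ids_events GROUP BY sensor ORDER BY sensor"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("inserted/skipped:", load_export(db, SAMPLE_EXPORT))
    print("re-import:", load_export(db, SAMPLE_EXPORT))  # idempotent: nothing new
    for sig_id, name, hits in top_signatures(db):
        print(f"{sig_id:>5}  {hits:>3}  {name}")
    for sensor, n in events_per_sensor(db):
        print(f"{sensor}: {n}")
```

For a nightly job, point `open_db` at a file (or swap in an MSSQL driver with the same parameter-style inserts), feed `load_export` the day's CvtNrlog or IdsPruning output, and log the returned skipped count: a sudden jump in skipped rows usually means the export format changed, not that the sensors went quiet.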