Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

IDS logs to SQL.... how?

We are wanting to save our logs to a MSSql db either directly from the ids machines or by export from cspm or idsmc....

I have searched through the archives and have tried -

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver23i/idsguide/ch11.htm#xtocid121082

which teases but doesn't tell how.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids5/csidscog/rdbms.htm#18460

vaguely refers to modifying the ids files to make a sql schema but doesn't say how.

Exporting from IDSMC is impossible since that db's password is unknowable and I think so is CSPM. Any suggestions? If there is a sql schema for use on the IDSs, please let me know.

9 REPLIES
New Member

Re: IDS logs to SQL.... how?

I think IEV is working on MySQL.... but IEV is limited to 3 sensors. So if you are under this limit. Download IEV. It will create a MySQL db that you can attack by an other way.

Hope this help

New Member

Re: IDS logs to SQL.... how?

Unfortunately, we have more than 3 sensors so that isn't an option.

New Member

Re: IDS logs to SQL.... how?

I've got several questions:

1° How many devices are in production ?

2° Why do you need access on the Db ?

New Member

Re: IDS logs to SQL.... how?

1 - several, more than 10

2 - to run our own reports using the data

New Member

Re: IDS logs to SQL.... how?

Well several choices:

1) you use IDS-MDC. They have a Sybase DB. By configuring ODBC you should get access to the DB. Password should be asked to the TAC ?

2) you can use CSPM. You use 'CvtNrlog' that export the DB to a CSV file then you import it into you SQL db. This process can be automated trough scripting.

3) You use Unix Director (should be replaced by IDS-MDC on Unix ???). Read this: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/dmp.htm

and also this

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/rdbms.htm

Hope this help

New Member

Re: IDS logs to SQL.... how?

thanks for the replies, everyone, i'm slowly getting somewhere on this.

a few comments:

1) cisco is loathe to give up the sybase password and it cannot be recovered so that is a dead end, though it would be the best solution since cspm is going away anhow.

2) i can't believe i havn't seen this yet, after all the searching i've done! it looks very promising.

3) we arn't using director

i had already started work on a perl script that would parse the logfiles and send them to mssql but i can do a very similar thing using cvtnrlog and an import daily. the problem with cvtnrlog is cspm isn't a supported product anymore and all future releases are going to be for ids-mc (which is a bear to work with so far). maybe i'll just stick to using the ftp'd logs since they are platform independent and its hard to justify keeping cspm AND ids-mc at the same time.

New Member

Re: IDS logs to SQL.... how?

I'm still waiting for IDS monitoring center so i haven't tried this solution but look at this

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/secmon/user_gd/appa.htm#217

As far as i understand this chapter.... the command IdsPruning is similar to cvtNrlog. The archive file is a CSV so again it can be imported inside a MySQL DB where you can run your own queries.

regards

New Member

Re: IDS logs to SQL.... how?

Is it possible to run queries & form executive reports on this MySQL on IEV?

New Member

Re: IDS logs to SQL.... how?

I'm not an SQL expert,

but once you have an access to the SQL database, you can run queries and create reports trough perl.

109
Views
0
Helpful
9
Replies
CreatePlease to create content