Cisco Support Community
New Member

IDS MC and forwarding to another PostOffice

Using CSPM 2.3.3i, it was of course possible to forward all alerts received by CSPM to another PostOffice listener.

It does not appear possible using IDS MC and Security Monitor.

I briefly looked at Event Rules and Database Rules, but that doesn't appear to be the way to do it, at least elegantly.

I'm about to edit the postoffice/etc/destinations and postoffice/etc/routes files manually; but wanted to ask here before I do that.

3 REPLIES
New Member

Re: IDS MC and forwarding to another PostOffice

Hi,

You may want to try another way. I have my IDSM blades reporting to two different locations (the IDS MC and another device that listens for PostOffice). To do that, select the device. Under TOC for that device, select remote host and add a second host.

Thanks,

William

New Member

Re: IDS MC and forwarding to another PostOffice

Thanks for the reply.

I should have mentioned that I had considered that. I run 25+ probes, and the destination, other than IDS MC, that I want all alerts to go to is a system located behind two firewalls; would require lots of rules.

Anyway, looks like I'll just be manually editing the postoffice configuration files; routes, hosts, smid, destinations etc.

Cisco Employee

Re: IDS MC and forwarding to another PostOffice

That method probably will not work.

Editing the routes and hosts files may set up the communication channel, but it is smid that actually forwards the alarms.

The routes and hosts files also get dynamically modified when sensors are added or removed by Security Monitor.

Smid in CSPM and the Unix Director both support the forwarding of alarms to other boxes. The smid used in Security Monitor, however, is not the same smid used in CSPM. In fact Security Monitor's own processes replace the older traditional smid in order to boost performance, and so will ignore any changes you might make to smid.conf.

The forwarding of alarms by Security Monitor is on the list of requests for future versions.

In CSPM and Unix Director the multi-tier system was more necessary because each GUI could really only support one local user. So a remote user needed forwarded copies of the alarms.

With the Security Monitor, however, there is now multi-user support. If the users at the higher tier system needed to view alarms on Security Monitor then you can simply allow an incoming web connection (configure the firewalls to allow it) from the IP addresses of the users on the higher tier to access the Security Monitor and even the IDS Management Center of the lower tier. You can even give the higher tier users their own usernames/passwords and can restrict their access if necessary, and the connection can be encrypted with SSL.
