Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
352
Views
0
Helpful
4
Replies

Importing and exporting SM events

alll
Level 1
Level 1

‎03-11-2004 12:54 PM - edited ‎03-09-2019 06:43 AM

I'm looking for recommendations on the best way to archive(export) my events from Security Monitor for at least 4 weeks and if asked...import the event log into SM for research. All of my sensors are at the 4.x version. Is that even possible???

Labels:
0 Helpful
4 Replies 4

marcabal
Cisco Employee
Cisco Employee

‎03-11-2004 02:16 PM

Read through this section of the user's guide and the sections following it:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch07.htm#130939

You will see that you have 2 options for saving off version 4.x alarms from Security Monitor.

You can use IdsAlarms.exe to export the alarms in IDIOM format (native 4.x format) and then use additional options to delete and purge the alarms from the database.

Then use IdsImportIdiom to re-import the alarms.

The IDIOM format is nice to have when you will be loading the alarms into other management boxes. Because the alarms will be in standard 4.x IDIOM format the other management box won't have to understand specific formats for Security Monitor.

The other option is to archive that alarms in a format specific to Security Monitor (a comma delimited format that can archive the IDS alarms as well as the other data collected by Security Monitor)

You would use the IdsPruning utility to export the alarms and prune them from the database.

And then use the IdsImportArchivedData utility for re-importing them into security monitor.

Since they are in a security monitor format this works fine and reduces space when they will only be imported back into security monitor. But if you will be importing them to other types of management stations (or your own database) then I recommend using the IdsAlarm.exe with the IDIOM format.

0 Helpful

alll
Level 1
Level 1
In response to marcabal

‎03-11-2004 03:31 PM

I turned off the IDS_receiver process and I ran the command idsimportidiom -f"test.txt" and it continues to say the IDS_receiver process is still running. Am I missing something???

0 Helpful

alll
Level 1
Level 1
In response to alll

‎03-11-2004 04:03 PM

New question...I added -d and it seemed to go through, but now I receive this:

IDS Import Idiom Parsing Error

XML Parser Not Well Formed (invalid token)

HELP!!!

0 Helpful

marcabal
Cisco Employee
Cisco Employee
In response to alll

‎03-11-2004 04:14 PM

You have gone passed my area of expertise.

I've sent a request to the VMS team for assistance but it may be a day or more to get a response.

If anyone else on the forum has experience here then please respond.

Your other option is to contact the TAC for assistance. They have a more direct line to the developers and may get you some assistance sooner than I can.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents