Does anyone have a process in place where cvtnrlog runs on a schedule on their CSPM box and creates a file that could be used for reporting purposes?
Ultimately, I'd like to generate reports from the cvtnrlog output with a third party reporting tool like Crystal Reports.
Any comments, thoughts, ideas are welcome. Thanks.
I haven't got an answer for you on how to schedule cvtnrlog to run on a schedule, but here are some things to consider once you've found out how to schedule it.
1) Be careful of the Delete in the Event Viewer. When deleting an alarm you have the option to remove it from the viewer or delete it from the database. If you delete from the database, I am not sure if it is just marked for deletion or deleted immediately. If it is deleted immediately then cvtnrlog won't be able to pull it into a log file.
2) You may want to use the cvtnrlog feature to delete the alarms from the database after they are pulled, in order to keep from pulling duplicate alarms the next time. Depending on how often you run cvtnrlog, you could wind up in a situation where cvtnrlog pulls fresh alarms out of the database and deletes them before you have a chance to look at them in the Event Viewer.
Here is another possible scenario to consider.
Use the event viewer in CSPM on a daily basis to view alarms and, when deleting alarms, go ahead and delete them from the database. This will help keep the database at a manageable size. Let the user delete the alarms from the database instead of relying on the cvtnrlog program.
Instead of getting the alarm logs from the cvtnrlog program you can get them directly from the sensors themselves. The sensor appliances can be configured to periodically and automatically ftp their log files to a central ftp server. Then you could load them from this central ftp site into your third party tool. You can even have the ftp server be the same machine that the 3rd party tool resides on.
Generating Audit Event Log Files on a Managed Sensor Section in:
NOTE: This is supported for all sensor appliances (IDS-4210, IDS-4220, IDS-4230, NRS-xx)
But it is not supported in V2.5 IDS Modules (WS-x6381-IDS). V3.0 and higher IDS Modules will support the ftping of log files, but CSPM 2.3.2i has a bug that prevents it from configuring it for the modules. Though I can help with workarounds for the modules if necessary.
I have an old problem. I want to copy the audit event log files from the Sensor to an FTP server and I followed the configuration steps properly, but CSPM doesn't make any changes to the *.conf files on the Sensor and doesn't save the new configuration in CSPM either. I have a 2.2.1.x Sensor and CSPM 2.3.1i!
The next question is: How can I upgrade my 2.3.1i to 2.3.2i? On the web site I find only the 2.3.2i patch. Thanks!
CSPM 2.3.2i upgrades are addressed in the 2.3.2i Release Notes which refer you to the upgrade instructions in the CSPM 2.3.1i Installation Guide.
Documents are located at this link:
Here is how I schedule and purge my database.
Using the scheduler from IE 5.5 and a few batch files, I dump the database to a log file and purge the data daily.
Whenever I need to view archived data I simply use the event viewer and open a log file for the particular date.
cd D:\Program Files\Cisco Systems\Cisco Secure Policy Manager\bin
cvtnrlog -d > d:\idsbackup\logs\log-cspm%today%.log
fdate (makenenv and setenv) is a free utility that creates an environment variable with the current date. I then take the variable and append it to the log file name using %today%.
I am still working out one issue. My database directory is still growing daily.
Deleting the alarms daily from the event viewer is a chore. I have an IDS blade and am using CSPM 2.3.3i.
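The date-stamped daily dump described in the post above, as an added example rather than the poster's own batch files. It builds the YYYYMMDD stamp with the built-in `date /t` instead of the third-party fdate utility, refuses to overwrite an earlier dump from the same day, and, because the post uses `cvtnrlog -d` to dump and purge in one step, treats an empty output file as a failure worth recording (the alarms are gone from the database but were not archived). Assumptions not taken from the thread: `date /t` prints US-style `Ddd MM/DD/YYYY`, the binary is `cvtnrlog.exe`, and cmd.exe is Windows 2000 or later (for `%~z`, `%DATE%`/`%TIME%` and `exit /b`). The paths are the ones from the post.

```batch
@echo off
rem dump-cspm.cmd -- added example, not the original poster's batch files.
rem Dumps the CSPM alarm database with "cvtnrlog -d" (as used in the post above)
rem into a YYYYMMDD-stamped log without the fdate utility.
rem Assumptions (not from the thread): "date /t" prints US-style "Ddd MM/DD/YYYY",
rem the binary is cvtnrlog.exe, and cmd.exe is Windows 2000 or later.
setlocal

set CSPMBIN=D:\Program Files\Cisco Systems\Cisco Secure Policy Manager\bin
set LOGDIR=D:\idsbackup\logs

rem "Fri 01/25/2002" -> TODAY=20020125, so filenames sort chronologically.
rem The trailing space inside "delims=/ " is significant.
for /f "tokens=2-4 delims=/ " %%a in ('date /t') do set TODAY=%%c%%a%%b
if "%TODAY%"=="" goto fail

if not exist "%LOGDIR%" mkdir "%LOGDIR%"
if not exist "%CSPMBIN%\cvtnrlog.exe" goto fail

rem Never overwrite an earlier dump from the same day; append a run number.
set OUT=%LOGDIR%\log-cspm%TODAY%.log
set N=1
:pick
if not exist "%OUT%" goto dump
set OUT=%LOGDIR%\log-cspm%TODAY%-%N%.log
set /a N+=1
goto pick

:dump
cd /d "%CSPMBIN%"
cvtnrlog -d > "%OUT%"

rem -d purges as it dumps, so a 0-byte file means alarms left the database
rem without being archived. Record that instead of leaving it silent.
for %%f in ("%OUT%") do if "%%~zf"=="0" goto fail
echo %DATE% %TIME% OK %OUT%>> "%LOGDIR%\dump-cspm.history"
endlocal
exit /b 0

:fail
echo %DATE% %TIME% FAILED dump to "%OUT%">> "%LOGDIR%\dump-cspm.history"
endlocal
exit /b 1
```

Schedule it with Scheduled Tasks as the post does, or from a command prompt with the NT schedule service, for example `at 02:00 /every:M,T,W,Th,F,S,Su "D:\idsbackup\dump-cspm.cmd"`. The `dump-cspm.history` file gives the operator a one-line-per-run record to check before trusting that a day's alarms were archived, which matters given the earlier warning that cvtnrlog can remove alarms before anyone has seen them in the Event Viewer.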
I have a .vbs file that generates the "xyz.bat > log.yearmonthday" command and runs it. xyz.bat contains "cvtnrlog -d". I schedule it with Scheduled Tasks on Windows NT!