Monitoring health of Cisco IDS sensors

msmitha
Level 1

We have many sensors on the network and would like to monitor their health using applications like HP OpenView NNM or WhatsUp Gold. I understand we can certainly set up ICMP discovery and regular ICMP echoes to find out if a Cisco IDS sensor (control interface) is up and running. If for some reason it should go down or encounter some problems, would it be possible to set it up to send SNMP traps at all? If yes, how can we do that?

4 Replies

msmitha
Level 1

Sorry, I forgot to add: what about syslog? I noticed that we can get the CIDS application to generate syslog messages via /etc/syslog.conf --> syslog messages from the file /usr/cids/idsRoot/log/syslogPipe

Can someone help me with how to use the syslog feature?

Unfortunately the Cisco IDS does not currently offer SNMP support for monitoring the health of the sensor.

Also the syslogPipe you see is not for sending IDS messages to syslog, but is instead used for taking syslog messages and turning them into IDS messages.

There is currently no way to send syslogs off the sensor.

All communication to and from the sensor has to be through one of the following methods:

1) SSH or telnet to the CLI of the sensor (or to a bash shell with the service account)

NOTE: SSH connection to CLI is used by IDS MC

2) HTTP(S) connection to IDM

3) HTTP(S) connection to the RDEP services of the web server

NOTE: used by Security Monitor, IEV, Cisco Threat Response

NOTE2: These RDEP services are what the viewer tools use to pull the IDS messages from the sensor.

You do have the ability to create your own RDEP client [HTTP(S) based connection] to pull events from the IDS sensor. You can configure it to pull error and status events rather than alarms to check the general health of the sensor. Additionally, you can send queries to determine the status of the IDS processes.

The RDEP specification that explains the basics for connecting to the RDEP services of the web server can be found here:

http://www.cisco.com/cgi-bin/dev_support/access_level/product_support?pcgi=1&product=IDS_INT_API

The IDIOM specification that lists the control transactions for querying for things like process status has not yet been posted. You will need to contact your Cisco Representative to request a draft copy of the IDIOM specification if you need it.

bobgerman
Level 1
Level 1

Mine developed a nasty habit of ceasing fire. It would just stop catching things, on its own, after a number of hours or signatures or what, I never did find out. Since I had already hacked into the MySQL database that keeps the signatures in IDS Event Viewer, all I do is poll the database to see if there have been signatures detected within the last 10 minutes. If not, I fire off a Perl Net::SSH script to reset the sensor. It's a workaround until I steal enough time to reinstall the sensor (Cisco's recommendation), but it's working for me now.
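As an added illustration of the "no detections in the last 10 minutes" heuristic described in the reply above (this is example code, not bobgerman's script and not anything shipped with the sensor), the check below polls an event table for the most recent detection per sensor and decides whether a reset is warranted. The table layout (an `events` table with `sensor_id`, `sig_id` and an ISO-8601 UTC `ts` column) is an assumption, an in-memory SQLite database stands in for the IDS Event Viewer MySQL store so it runs offline, and the reset itself is a callback so the policy can be exercised without touching any sensor. Beyond the post's rule it also handles the cases a practitioner would want covered: a sensor with no rows at all (which silence alone cannot diagnose), future-dated events from clock skew, and a cooldown so an idle-but-healthy sensor is not reset in a loop.

```python
"""Stalled-sensor check: flag a sensor whose event store has been silent too long.

Constructed example. The schema, the fixed "now" and the sensor names are
assumptions made for the demonstration, not values from the page.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

SILENCE_LIMIT = timedelta(minutes=10)    # quiet period that counts as "stalled" (per the post)
RESET_COOLDOWN = timedelta(minutes=30)   # minimum spacing between resets of one sensor (assumption)
FIXED_NOW = datetime(2004, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for repeatable runs


def load_constructed_events() -> sqlite3.Connection:
    """Build a small constructed event table: sensorA is fresh, sensorB is quiet, sensorC has no rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (sensor_id TEXT, sig_id INTEGER, ts TEXT)")
    rows = [
        ("sensorA", 2004, (FIXED_NOW - timedelta(minutes=2)).isoformat()),
        ("sensorA", 3030, (FIXED_NOW - timedelta(minutes=1)).isoformat()),
        ("sensorB", 1000, (FIXED_NOW - timedelta(minutes=25)).isoformat()),
    ]
    conn.executemany("INSERT INTO events VALUES (?, ?, ?)", rows)
    return conn


def last_event_time(conn: sqlite3.Connection, sensor_id: str):
    """Most recent detection for one sensor, or None if it has never reported."""
    row = conn.execute(
        "SELECT MAX(ts) FROM events WHERE sensor_id = ?", (sensor_id,)
    ).fetchone()
    return datetime.fromisoformat(row[0]) if row and row[0] else None


def assess(conn, sensor_id, now=FIXED_NOW, last_reset=None) -> str:
    """Classify a sensor as 'ok', 'stalled', 'no-data' or 'cooldown'."""
    last = last_event_time(conn, sensor_id)
    if last is None:
        # Never reported: silence cannot tell "quiet network" from "never wired up".
        return "no-data"
    if last > now:
        # Clock skew: a future-dated event is still evidence the sensor is alive.
        return "ok"
    if now - last <= SILENCE_LIMIT:
        return "ok"
    if last_reset is not None and now - last_reset < RESET_COOLDOWN:
        # Already reset recently; do not loop on a sensor that is simply idle.
        return "cooldown"
    return "stalled"


def check_and_reset(conn, sensor_id, reset_fn, now=FIXED_NOW, last_reset=None) -> str:
    """Run the assessment and invoke reset_fn(sensor_id) only for a stalled sensor."""
    verdict = assess(conn, sensor_id, now, last_reset)
    if verdict == "stalled":
        reset_fn(sensor_id)
    return verdict


if __name__ == "__main__":
    db = load_constructed_events()
    for sid in ("sensorA", "sensorB", "sensorC"):
        print(sid, check_and_reset(db, sid, lambda s: print("would reset", s)))
```

In a real deployment `reset_fn` would be the SSH-based reset the post mentions, and `last_reset` would be persisted between polling runs so the cooldown survives restarts of the monitor itself.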

If you are referring to your RDEP client timing out after (approximately) 300 seconds, it's a timeout issue. You can always make SSL queries using your RDEP client and send a renewed query after 4 minutes or so while keeping a tab on the eventID. This way you can be sure you didn't miss any events.
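The renew-before-timeout pattern described above, as an added example that is not part of the original thread and does not reproduce the RDEP wire format: a constructed in-memory event source stands in for the sensor's web server, the session limit is simulated with a counter rather than wall-clock time, and every name here (`EventSource`, `pull_all`, `RENEW_AFTER`) is this example's own. What it shows is the part that keeps you from missing events: the client carries the last eventID across sessions, resumes from the next ID after each renewal or dropped session, and records any gap in the ID sequence so a silent loss is noticed rather than assumed away.

```python
"""Resumable event pull with eventID tracking. Constructed example; the source,
the timing model and the batch sizes are assumptions for the demonstration."""

SESSION_LIMIT = 300   # seconds after which the server side drops the connection (per the post)
RENEW_AFTER = 240     # renew the query a little before that limit ("after 4 minutes or so")


class EventSource:
    """Stand-in for the sensor: events carry strictly increasing integer IDs."""

    def __init__(self, events):
        self.events = sorted(events)   # list of (event_id, payload)

    def query(self, start_id, max_events, elapsed):
        """Return up to max_events events with id >= start_id.

        Raises TimeoutError once a session has lived longer than SESSION_LIMIT,
        mimicking the server dropping a long-lived query.
        """
        if elapsed >= SESSION_LIMIT:
            raise TimeoutError("session expired")
        return [e for e in self.events if e[0] >= start_id][:max_events]


def pull_all(source, start_id=1, batch_size=3, seconds_per_batch=100):
    """Pull every event from start_id onwards, renewing the session before it expires.

    Returns (payloads, sessions_used, gaps) where gaps is a list of
    (first_missing_id, last_missing_id) ranges seen in the ID sequence.
    """
    last_id = start_id - 1
    elapsed = 0          # simulated age of the current session in seconds
    sessions = 1
    received = []
    gaps = []
    baseline_set = False  # the first event seen sets the baseline; no gap is reported before it
    while True:
        if elapsed >= RENEW_AFTER:
            # Proactive renewal: open a fresh session and resume from last_id + 1.
            elapsed = 0
            sessions += 1
        try:
            batch = source.query(last_id + 1, batch_size, elapsed)
        except TimeoutError:
            # Server dropped us anyway: reconnect and resume from the same point.
            elapsed = 0
            sessions += 1
            continue
        if not batch:
            break
        for event_id, payload in batch:
            if baseline_set and event_id != last_id + 1:
                gaps.append((last_id + 1, event_id - 1))
            baseline_set = True
            last_id = event_id
            received.append(payload)
        elapsed += seconds_per_batch
    return received, sessions, gaps


if __name__ == "__main__":
    src = EventSource([(i, f"event-{i}") for i in range(1, 11)])
    print(pull_all(src))
```

The gap list is the health signal the post is after: an empty list after a run means the renewals lost nothing, while a non-empty one tells you exactly which eventIDs to re-request rather than leaving you to guess.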
