We have many sensors on the network and would like to monitor health using applications like HP OpenView NNM or What's Up Gold. I understand we can certainly set up ICMP discovery and regular ICMP echoes to find out if a Cisco IDS sensor (control interface) is up and running. If for some reason it should go down or encounter some problems, would it be possible to set it up to send SNMP traps at all? If yes, how can we do that?
Sorry, I forgot to add - What about syslog? I noticed that we can get the CIDS application to generate syslog messages in the /etc/syslog.conf --> syslog messages from the file /usr/cids/idsRoot/log/syslogPipe
Can someone help me how to use the syslog feature?
Unfortunately the Cisco IDS does not currently offer SNMP support for monitoring the health of the sensor.
Also the syslogPipe you see is not for sending IDS messages to syslog, but is instead used for taking syslog messages and turning them into IDS messages.
There is currently no way to send syslogs off the sensor.
All communication to and from the sensor has to be through one of the following methods:
1) SSH or telnet to the CLI of the sensor (or to a bash shell with the service account)
NOTE: SSH connection to CLI is used by IDS MC
2) HTTP(S) connection to IDM
3) HTTP(S) connection to the RDEP services of the web server
NOTE: used by Security Monitor, IEV, Cisco Threat Response
NOTE2: These RDEP services are what the viewer tools use to pull the IDS messages from the sensor.
You do have the ability to create your own RDEP client [HTTP(S)-based connection] to pull events from the IDS sensor. You can configure it to pull error and status events rather than alarms to check the general health of the sensor. Additionally, you can send queries to determine the status of the IDS processes.
The RDEP specification that explains the basics for connecting to the RDEP services of the web server can be found here:
The IDIOM specification that lists the control transactions for querying for things like process status has not yet been posted. You will need to contact your Cisco Representative to request a draft copy of the IDIOM specification if you need it.
Mine developed a nasty habit of ceasing fire. It would just stop catching things, on its own, after a number of hours or signatures or what, I never did find out. Since I had already hacked into the MySQL database that keeps the signatures in IDS Event Viewer, all I do is poll the database to see if there have been signatures detected within the last 10 minutes. If not, I fire off a Perl Net::SSH script to reset the sensor. It's a workaround until I steal enough time to reinstall the sensor (Cisco's recommendation), but it's working for me now.
If you are referring to your RDEP client timing out after (approximately) 300 seconds, it's a timeout issue. You can always make SSL queries using your RDEP client and send a renewed query after 4 minutes or so while keeping a tab on the eventID. This way you can be sure you didn't miss any events.
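Putting the two workarounds from this thread side by side (re-issue the RDEP query every 4 minutes while keeping track of the last eventID so nothing is missed, and reset the sensor when nothing has been detected for 10 minutes), here is an added Python sketch; it is not code from any of the posters and does not speak RDEP or SSH itself. The (eventId, timestamp) tuples, the reset callback and the 15-minute reset cooldown are assumptions made for the example.

```python
from typing import Callable, Iterable, List, Optional, Tuple

RENEW_AFTER = 240.0     # re-send the query after 4 min, ahead of the ~300 s timeout
STALE_AFTER = 600.0     # no detections for 10 min -> treat the sensor as stalled
RESET_COOLDOWN = 900.0  # assumed: never fire a second reset within 15 min

Event = Tuple[int, float]  # (eventId, unix timestamp); constructed, not RDEP's wire format


class SensorHealthMonitor:
    def __init__(self, reset_sensor: Callable[[], None], now: float) -> None:
        self.reset_sensor = reset_sensor   # e.g. an SSH reset; stubbed out in tests
        self.last_event_id = 0
        self.last_event_time = now         # treat start-up as "fresh"
        self.last_query_time = now
        self.last_reset_time: Optional[float] = None

    def renewal_due(self, now: float) -> bool:
        """True when the open query should be re-sent to stay ahead of the timeout."""
        return now - self.last_query_time >= RENEW_AFTER

    def next_query_start(self) -> int:
        """Resume from the first id not yet seen, so a renewed query skips nothing."""
        return self.last_event_id + 1

    def ingest(self, batch: Iterable[Event], now: float) -> List[Event]:
        """Accept a batch that may overlap the previous one; return only new events."""
        self.last_query_time = now
        fresh = sorted((e for e in batch if e[0] > self.last_event_id), key=lambda e: e[0])
        if fresh:
            self.last_event_id = fresh[-1][0]
            self.last_event_time = max(self.last_event_time, max(t for _, t in fresh))
        return fresh

    def is_stale(self, now: float) -> bool:
        """No detections recorded for STALE_AFTER seconds."""
        return now - self.last_event_time >= STALE_AFTER

    def check(self, now: float) -> bool:
        """Reset a stalled sensor unless one was reset recently; True if a reset fired."""
        if not self.is_stale(now):
            return False
        if self.last_reset_time is not None and now - self.last_reset_time < RESET_COOLDOWN:
            return False
        self.reset_sensor()
        self.last_reset_time = now
        self.last_event_time = now   # give the sensor a full window to recover
        return True
```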