Cisco Support Community
Community Member

Not seeing sensor alerts on CSPM 2.3i

I have fully configured both the CSPM 2.3i and (2) CSIDS 4230s (2.5). The sensors are capturing traffic, all of the services are running, and communication is established with CSPM. I've configured my signatures but am getting no alerts when I should at least get some. I am getting the "Route Up" and "Route Down" messages, but that's all.

6 REPLIES
Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

Have you checked to make sure the sensors are enabled for generating audit events? Click on the sensor under CSPM, go to the Logging tab, and make sure that "Generate audit event log files" is checked.

Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

Also make sure that the right monitor interface is specified for the sensor. 4230=/dev/spwr0 and 4210=/dev/iprb0. I had this problem... I thought that the 4210 and the 4230 used the same interface names.

Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

The correct interface is selected and "generate audit" is checked... I'm stumped!

Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

Try to upgrade to the last version (either the CSPM and the IDS software). I had the same problem, and after upgrade it works fine.

Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

I had this same problem with a new 4210 install and CSPM 2.3i, and had to log back into the sensor as root, exit out and let all daemons start again, generate the command set through CSPM doing the save and update, and approve command set again 2 or 3 times and finally they show up. This had to be done only one time. Now, whenever the sensor or CSPM is restarted, it continues. I also checked whether the postoffice service was started. Also, make sure the ports are not being filtered out on the machine.

Community Member

Re: Not seeing sensor alerts on CSPM 2.3i

If you are connecting the sniffing interface into a switch you will need to mirror whatever ports you want to be monitored on the switch. Keep in mind that if you mirror too many ports on the switch, you might run the chance to overload the CPU on the switch.
