New Member

Resetting events in IDS 4210 v4.0

Can you please tell me how to delete (specific or all) events from the events database of the IDS? Note that the event viewer is not installed yet.

Thank you

Nikolas

2 REPLIES
Cisco Employee

Re: Resetting events in IDS 4210 v4.0

Hi Nicholas,

If I understood your situation above, you do not have any kind of event viewer software (like IDM/IEV or the VMS Security Monitor) installed and configured yet to receive the sensor events into the database. If that is true, it means that you are probably looking to delete the events from the sensor itself, right?

Well, the events are stored in the event store on the sensor. This is a large rotating buffer for event storage. The Event Store file is a 4 GB, fixed-size file.

Until the IEV or the Security Monitor pulls these events, they will stay on the sensor up to the 4 GB limit. The Event Store file's path is /usr/cids/idsRoot/var/IdsEventStore.

You may clean up this file.

Now if you are looking to clean up the VMS events database, then you will have to use the "idspruning" utility that is documented at the URL below:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/secmon11/ug/appa.htm

Hope this helps you a bit.

Thanks,

yatin

Cisco Employee

Re: Resetting events in IDS 4210 v4.0

Hi Nicholas,

Just to clarify how to clean up the Event Store file on the sensor:

From the sensor CLI, run the command "clear events". There are other commands that may be useful, e.g. "show events" and "show statistics eventstore".

Thanks,

yatin
