VMS Questions

ajohnson
Level 1

I am evaluating VMS. I am curious about where VMS gets the information for the reports. Does it pull it directly from the IDS? Reason I am asking is because I recently cleared events from the IDS, "clear events", and when I run a report from Security Monitor I am still seeing alerts that happened before I cleared events.

Also before I cleared the events I was only able to pull alerts from that day, even though the report was set to pull alerts from the "end of time".

Any information would be appreciated. Thanks

3 Replies

garyprice
Level 1

This is for version 2.2 of VMS

When you create an IDS sensor and indicate that you want to configure and/or monitor that IDS, all messages from the IDS pertaining to reactions to enabled signatures will be written to the database on the CiscoWorks/VMS server.

When you are in the VMS VPN/Security Management Solution application and select a report or monitor action, those events come from the events stored in the local database on the CiscoWorks/VMS server and could include "live" events from the active sensor and/or sensors as those events are being written to the local CiscoWorks/VMS database.

gprice

Thanks. So as long as the VMS service is running on the server, then all events are sent to the database?

Is there a way to clear the events database on the VMS server? Also can events that are on the IDS before the VMS server was installed be pulled into the database?

Thanks.

Well, let me correct one minor item in your question above. As long as the IDS service is running on the VMS server, Security Monitor will retrieve the events from the sensor. Remember that in IDS 4.X, we have gone to a new protocol called RDEP. RDEP works in a pull method rather than the push method that Postoffice protocol used (IDS 3.X).

As for clearing the events in the database on the VMS server, take a look at the following documentation:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/secmon11/ug/appa.htm#361202

And finally, it is not possible to pull old events from the sensor. The SecMon probes contain a setting which makes them pull events from the current time and forward.

Hope this helps. If not clear, please let me know.

Scott
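The behaviour Scott describes (a pull-style collector with its own database, a cursor that starts at the time the sensor is added, and a sensor-side "clear events" that does not touch the server's copy) can be modelled in a few lines. This is an added illustration written for this thread, not Cisco code, and it does not speak RDEP; the class names, timestamps and signature ids are constructed.

```python
# Constructed model of the architecture in the thread: the sensor keeps its own
# event store, the management server keeps a separate local database, and a
# pull-style collector only fetches events newer than its cursor.
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # sensor timestamp in seconds (constructed values)
    sig_id: int    # signature id (constructed values)
    msg: str


class Sensor:
    """Sensor-side event store. 'clear events' drops what is on the sensor only."""
    def __init__(self):
        self.events = []

    def fire(self, ts, sig_id, msg):
        self.events.append(Event(ts, sig_id, msg))

    def clear_events(self):
        self.events.clear()

    def query(self, since_ts):
        # A pull request: hand back only events at or after the caller's cursor.
        return [e for e in self.events if e.ts >= since_ts]


class Collector:
    """Server side: local database plus a pull cursor. The cursor starts at the
    time the sensor was added, so older sensor events are never retrieved."""
    def __init__(self, sensor, installed_at):
        self.sensor = sensor
        self.db = []
        self.cursor = installed_at

    def poll(self):
        new = self.sensor.query(self.cursor)
        self.db.extend(new)
        if new:
            self.cursor = max(e.ts for e in new) + 1   # advance past what we stored
        return len(new)

    def report(self, start_ts=0):
        # Reports read the local database, never the sensor.
        return [e for e in self.db if e.ts >= start_ts]


def demo():
    s = Sensor()
    s.fire(100, 1000, "event before the server was installed")
    c = Collector(s, installed_at=200)
    s.fire(250, 1001, "event after install")
    s.fire(300, 1000, "another event after install")
    c.poll()                 # pulls 250 and 300; 100 is older than the cursor
    s.clear_events()         # 'clear events' on the sensor
    s.fire(400, 1002, "event after the sensor was cleared")
    c.poll()
    return c
```

Running `demo()` shows the report still listing the events from before the sensor was cleared, while the event from before installation never appears.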