Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VMS Questions

I am evaluating VMS. I am curious about where VMS gets the information for the reports. Does it pull it directly from the IDS? Reason I am asking is because I recently cleared events from the IDS, "clear events", and when I run a report from Security Monitor I am still seeing alerts that happened before I cleared events.

Also before I cleared the events I was only able to pull alerts from that day, even though the report was set to pull alerts from the "end of time".

Any information would be appreciated. Thanks

3 REPLIES
New Member

Re: VMS Questions

This is for version 2.2 of VMS

When you create and IDS sensor and indicate that you want to configure and/or monitor that IDS, all messages from the IDS pertaining to reactions to enabled signatures will be writen to the database on the cisco works/VMS server.

When you are in the VMS VPN/Security Managment Solution application and select a report or monitor action, those events come from the events stored in the local database on the ciscoworks/VMS server and could include "live" events from the active sensor and/or sensors as those events are being written to the local ciscoworks/VMS database.

gprice

New Member

Re: VMS Questions

Thanks. So as long as the VMS service is running on the server than all events are sent to the database?

Is there a way to clear the events database on the VMS server? Also can events that are on the IDS before the VMS server was installed be pulled into the database?

Thanks..

Re: VMS Questions

Well, let me correct one minor item in your question above. As long as the IDS service is running on the VMS server, Security Monitor will retrieve the events from the sensor. Remember that in IDS 4.X, we have gone to a new protocol called RDEP. RDEP works in a pull method rather than the push method that Postoffice protocol used (IDS 3.X).

As for clearing the events in the database on the VMS server, take a look at the following documentation:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_b/vpnman/vms_2_1/secmon11/ug/appa.htm#361202

And finally, it is not possible to pull old events from the sensor. The SecMon probes contain a setting which makes them pull events from the current time and forward.

Hope this helps. If not clear, please let me know.

Scott

92
Views
0
Helpful
3
Replies
CreatePlease to create content