Cisco IPS logging options (SDEE, IME, archiving)

Based on the following post, Cisco IPSs can send basic syslog messages: https://supportforums.cisco.com/discussion/12180461/cisco-asa-5585-syslog-options-ips
Does anyone know which messages are sent via syslog?
Also, I understand the Cisco IME can be used to retrieve SDEE logs. I understand it can archive files. I need to make sure the logs are archived and kept for at least a year. My concern with Cisco IME is that I won't know whether the IME application fails or not. I believe it needs to be running in order to retrieve the SDEE logs.
Also, if the maximum number of archived files is ever hit, is it possible to move old files to another folder, and then move those files back when they need to be viewed in the IME?
I am also hitting a dead end when it comes to finding alternatives for logging SDEE events. Splunk used to have a tool that could do this, but it is now deprecated. Is anyone aware of any good SDEE retrieval tools?
Any suggestions are appreciated.

There are very few IPS-related syslog messages generated, primarily health of the overall sensor device or platform. Anything useful as far as actual IPS intrusion events, attempts, etc. will only be available on the legacy Cisco IPS platforms via SDEE.
Cisco IME (free, limited number of managed devices, runs on a PC without any real archiving, etc.) is the least-cost option to retrieve and display the events.
Stepping up in the Cisco offerings would be to use Cisco Security Manager. It does archiving, hierarchical storage, etc. However, its days are numbered as Cisco revamps both the IPS and traditional ASA features to account for both their development of CX-related products (including IPS) and the Sourcefire product line. I don't know that I'd recommend CSM for a new buy.
If you have existing Cisco IPS and really need to archive the SDEE-retrieved events, then you could use LogRhythm or similar, as noted in the earlier reply.
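As an added example for this thread (not a Cisco tool and not code from any poster), the Python below is a minimal SDEE collector: it builds the subscription/poll URLs, flattens evIdsAlert records out of the XML, appends them to one plain file per day, prunes files past a retention window, and exposes a staleness check so a failed poller is noticed rather than silently losing a year of evidence, which is the gap the question raises about IME. Assumptions to verify against your sensor version: the endpoint path /cgi-bin/sdee-server and the query parameters (action, events, force, subscriptionId, maxNbrofEvents, timeout) are taken from the SDEE specification; the SAMPLE_RESPONSE XML is constructed from the field names visible in this page's alerts; fetch() is the only networking code and the offline demo never calls it.

```python
"""Poll a Cisco IPS sensor over SDEE and archive alerts with a retention window.
Added example for this thread, not a Cisco tool or any poster's code. Assumptions:
the sensor serves SDEE at https://<sensor>/cgi-bin/sdee-server and takes the SDEE
specification's query parameters (action=open&events=evIdsAlert to subscribe, then
action=get&subscriptionId=... to pull). SAMPLE_RESPONSE is CONSTRUCTED from field
names seen in this page's alerts; parse_alerts() keys on local tag names, so the
exact namespace URIs do not matter.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Dict, List

SDEE_PATH = "/cgi-bin/sdee-server"  # assumption: SDEE endpoint on Cisco IPS 5.x-7.x


def sdee_url(sensor: str, **params: str) -> str:
    """Build an SDEE query URL, e.g. action=open&events=evIdsAlert&force=yes."""
    return f"https://{sensor}{SDEE_PATH}?{urllib.parse.urlencode(params)}"


def fetch(url: str, user: str, password: str, cafile: str, timeout: int = 60) -> bytes:
    """HTTPS GET with Basic auth. Sensors ship self-signed certs: pin the sensor
    certificate via cafile instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # "{ns}evIdsAlert" -> "evIdsAlert"


def parse_alerts(xml_bytes: bytes) -> List[Dict[str, str]]:
    """Flatten each evIdsAlert into {dotted.local.path: value}, attributes included."""
    alerts = []
    for alert in ET.fromstring(xml_bytes).iter():
        if _local(alert.tag) != "evIdsAlert":
            continue
        rec = dict(alert.attrib)  # eventId, severity, vendor
        stack = [(child, _local(child.tag)) for child in alert]
        while stack:
            el, path = stack.pop()
            for k, v in el.attrib.items():
                rec[f"{path}.{k}"] = v  # e.g. participants.attacker.addr.locality
            if len(el):
                stack.extend((c, f"{path}.{_local(c.tag)}") for c in el)
            elif el.text and el.text.strip():
                rec[path] = el.text.strip()
        alerts.append(rec)
    return alerts


def archive(alerts: List[Dict[str, str]], root: Path, now: datetime) -> Path:
    """Append alerts as JSON lines to one file per day, independent of IME/CSM."""
    root.mkdir(parents=True, exist_ok=True)
    path = root / f"sdee-{now:%Y-%m-%d}.jsonl"
    with path.open("a", encoding="utf-8") as fh:
        for rec in alerts:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")
    return path


def prune(root: Path, keep_days: int, now: datetime) -> List[Path]:
    """Delete daily files older than keep_days (366 or more for the one-year requirement)."""
    cutoff = (now - timedelta(days=keep_days)).date()
    removed = []
    for p in sorted(root.glob("sdee-*.jsonl")):
        if datetime.strptime(p.stem[5:], "%Y-%m-%d").date() < cutoff:
            p.unlink()
            removed.append(p)
    return removed


def is_stale(last_success, now: datetime, max_gap: timedelta) -> bool:
    """Poller health: alarm when no successful pull has happened within max_gap."""
    return last_success is None or now - last_success > max_gap


# Constructed sample; values borrowed from the alerts quoted on this page.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Body>
<sd:events xmlns:sd="http://example.com/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
<sd:evIdsAlert eventId="1180958240541285000" severity="informational" vendor="Cisco">
<sd:originator><sd:hostId>testsensor4250XL</sd:hostId><cid:appName>sensorApp</cid:appName></sd:originator>
<sd:time offset="0" timeZone="UTC">1180958240541285000</sd:time>
<sd:signature description="Worm Activity - Brute Force" id="16297"><cid:subsigId>0</cid:subsigId></sd:signature>
<sd:participants><sd:attacker><sd:addr locality="OUT">11.1.1.2</sd:addr><sd:port>60556</sd:port></sd:attacker>
<sd:target><sd:addr locality="OUT">61.1.1.76</sd:addr><sd:port>80</sd:port></sd:target></sd:participants>
<cid:riskRatingValue>25</cid:riskRatingValue>
</sd:evIdsAlert></sd:events></env:Body></env:Envelope>"""


def run_offline_demo() -> dict:
    """parse -> archive -> prune -> staleness on the constructed sample, in a temp dir."""
    import tempfile
    now = datetime(2012, 10, 8, 8, 50, 36, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sdee-2011-01-01.jsonl").write_text("")  # planted: older than one year
        written = archive(parse_alerts(SAMPLE_RESPONSE), root, now)
        pruned = prune(root, 366, now)
        return {
            "archived_file": written.name,
            "pruned": [p.name for p in pruned],
            "stale": is_stale(now - timedelta(minutes=30), now, timedelta(minutes=10)),
        }
```

In production the loop is: open a subscription once (action=open), then on a schedule call fetch() with action=get and the subscriptionId your sensor returned (check the SDEE specification for where your version returns it), pass the body to parse_alerts() and archive(), record the time of each success, and have monitoring call is_stale() against that timestamp; run prune() daily with keep_days set above 366 so the one-year retention survives leap years and late pulls.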

Similar Messages

  • IPS log and monitoring

    Hi, All
    A few queries on Cisco IPS:
    1. Which are the best tools for fetching Cisco IPS logs?
    2. Where, or in which directory, are Cisco logs/events saved?
    3. I am only able to see today's log but not any past logs. What are the possible causes?
    4. Is there any freeware tool that fetches logs and events from Cisco IPS?
    5. Is Cisco IPS Express Manager freeware, or do we just need a Cisco customer account?
    Thanks for any type of help.
    Jignesh

    1. You can use IME (IPS Manager Express) to view all your IPS events.
    Here is the IME page for your reference:
    http://www.cisco.com/en/US/products/ps9610/index.html
    2. The logs on the IPS device itself have very small storage space, and they wrap once the log is full; therefore, if you have a lot of events triggered, you are only able to see the latest events.
    3. As per my above description.
    4. Cisco IME; it's free (no extra license is required to use IME).
    5. As long as you have a CCO account, you should be able to download the IME software.
    Hope this helps.

  • Cisco IPS OID specific log fields

    I am setting up a third-party log server (Check Point SmartEvent server) to log events from a Cisco IPS 4240. The setup requires configuring the OID-specific log fields of the IPS. Where do I get the information? I will appreciate your assistance.

    I believe what you are looking for is available here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_snmp.html#wp1042408
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.383
    Let us know if you need more info.
    Regards,
    Sawan Gupta

  • Cisco IPS 4200 Log Fields

    Hi,
    Could anyone please tell me where I can find information regarding the fields of the log for IPS 4200? In what sequence do they appear in log files, and what does each field signify?
    Basically, I need the layout of the log file for the IPS logs, e.g. a sample layout would be something like this:
    [timestamp] , [signatureID] , [vendor] [signature desc], [attacker IP] , [victim IP] , [attack type] , [action ID] , [action desc]
    Thanks.
    Regards,
    Pratik

    Here's an example of an SDEE message. I believe this is from a version 5.x sensor (it could be version 4; I don't see Risk Rating). Each time a new major version of software is released, new features are added and (if reportable) they show up as new fields in the SDEE messages.
    testsensor4250XL
    sensorApp
    440
    Sdee
    10.1.1.119
    1180958240541285000
    10.1.1.119
    0
    1
    R0VUIC9vc3Mvc3VydmV5LmFzcD7pdW1kYXlzPTUrMyBIVFRQ0=
    11.1.1.2
    60556
    61.1.1.76
    80

  • Cisco IPS Manager 7.0.2

    Hi,
    I installed Cisco IPS Manager and it can see the AIP-SSM IPS. But I do not see any real-time logs and cannot create any report. What can cause this problem?
    Thanks

    It could be a lot of things. I would do the following:
    > To start off, verify whether any events are coming in on the AIP-SSM itself (via GUI or console)
    > Is the 'Events Connection' showing as connected on the IME summary window?
    > Go to Events >> Historical >> Last x duration and see if any events came from the AIP-SSM
    > Double-click the AIP-SSM (or right-click and update the status) to get the latest certificate
    > Restart the IME service
    Regards
    Farrukh

  • Decoding IPS logs

    Hi,
    Need guidance on decoding IPS syslogs (alerts). We monitor IPS logs, and there we see some encoded messages appearing in the cid:context.cid:fromTarget, cid:context.cid:fromAttacker and cid:triggerPacket fields. I would like to understand what these fields are, how to decode these messages (any tools/URLs for decoding), why Cisco has made these contents appear encoded (any specific reason), and how this will help us in analyzing such alerts.
    Thanks!
    -Jag.

    Please use the guide below for the message fields:
    http://www.cisco.com/c/en/us/td/docs/security/ips/7-0/configuration/guide/cli/cliguide7/cli_packets.html

  • Understanding IPS log (sig:16297-Worm Activity)

    Hi,
    We are monitoring intrusions for a customer using SIEM and we got an alert based on the below IPS logs.
    It would be great if someone helps clarify my doubts in analyzing this and similar IPS logs.
    *********** Cisco IDS    08 Oct 2012 08:50:36    id= xyxyxyxyxyxyxyxyxyx    sig_id= 16297    sig= Worm Activity - Brute Force    src= 10.10.10.4    src_port= [3539]    dst= 192.168.178.131    dst_port= [445]    sev= informational    proto= tcp    eventId=1340445327004327804    severity=informational    vendor=Cisco    sd:originator.sd:hostId=AIP-SSM-1    sd:originator.cid:appName=sensorApp    sd:originator.cid:appInstanceId=462    sd:time.offset=XYZ    sd:time.timeZone=XYZ    sd:time=1349686236842887000    sd:signature.cid:created=20090331    sd:signature.cid:type=anomaly    sd:signature.cid:version=S392    sd:signature.description=Worm Activity - Brute Force    sd:signature.id=16297    sd:signature.cid:subsigId=0    sd:signature.cid:sigDetails=Multiple logon failures    sd:signature.marsCategory=Propagate/Worm    sd:interfaceGroup=vs0    sd:vlan=0    sd:participants.sd:attacker.sd:addr.cid:locality=OUT    sd:participants.sd:attacker.sd:addr=10.10.10.4   sd:participants.sd:attacker.sd:port=3539    sd:participants.sd:target.sd:addr.cid:locality=OUT    sd:participants.sd:target.sd:addr=192.168.178.131    sd:participants.sd:target.sd:port=445    sd:participants.sd:target.cid:os.idSource=learned    sd:participants.sd:target.cid:os.relevance=relevant    sd:participants.sd:target.cid:os.type=windows-nt-2k-xp    sd:participants.sd:target.cid:os=    cid:context.cid:fromTarget= <removed> cid:context.cid:fromAttacker=<removed>    cid:alertDetails=InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;     cid:triggerPacket=<removed>  cid:riskRatingValue.attackRelevanceRating=relevant    cid:riskRatingValue.targetValueRating=medium    cid:riskRatingValue=25    cid:threatRatingValue=25    cid:interface.backplane=GigabitEthernet0/1    cid:interface.context=single_vf    cid:interface.physical=Unknown    cid:interface=GigabitEthernet0/1    cid:protocol=tcp ************
    1. I checked for sig 16297 via the ASDM demo version, but didn't find this signature in sig0. Where can we see this signature's settings and properties?
    2. The fields "cid:context.cid:fromTarget=", "cid:context.cid:fromAttacker=" and "cid:triggerPacket=" look to be in an encoded format. How do we decode this; any tools/URLs? How are these fields significant?
    3. If this is a false positive (based on src/dst and activity), how do we fine-tune this in the IPS?
    Note: I don't have access to this IPS, but I need to coach the owner on fine-tuning and other checks.
    Thanks!
    -Jag.

    Hi Jag.
    Here is a link with more information on alert 16297/0.
    tools.cisco.com/security/center/viewIpsSignature.x?signatureId=16297&signatureSubId=1&softwareVersion=6.0&releaseVersion=S392
    Generally, on that signature I'd email the customer and ask them to check the attacker IP to ensure that the computer doesn't have a virus. If these end up coming in frequently and the customer comes back stating they are false alerts, then you may need to filter the alert, or just send a report to the customer once a week with the IPs in question from the alert.
    As far as decoding the fields in question 2, that comes out in base64. We have a PowerShell script that decodes these fields. I have tried various web-based decoders with mixed success, which is why we wrote a PowerShell script to do the job.
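As an added illustration of the base64 decoding asked about here and in the "Decoding IPS logs" thread above (this is not Cisco code and not the responder's PowerShell script), the Python below parses an alert line in the flattened "key=value" layout quoted in this thread and decodes the packet-context fields. Because the poster redacted cid:context.cid:fromAttacker, cid:context.cid:fromTarget and cid:triggerPacket, constructed SMB1 fragments stand in for them: a Session Setup AndX request and a reply carrying STATUS_LOGON_FAILURE, so the decoded bytes line up with the signature's "Multiple logon failures" detail and show what the fields buy an analyst: confirmation of what actually happened on the wire, not just the signature name.

```python
"""Decode the base64 context fields of a SIEM-flattened Cisco IPS (SDEE) alert.
Added example for this thread, not Cisco code or the poster's PowerShell script.
The line layout follows the alert quoted above: "key=value" fields separated by
runs of two or more spaces. The fromAttacker / fromTarget / triggerPacket values
were redacted in the post, so CONSTRUCTED SMB1 fragments stand in for them: a
Session Setup AndX request and a STATUS_LOGON_FAILURE reply, matching the
signature's "Multiple logon failures" detail.
"""
import base64
import binascii
import json
import re
from typing import Dict, Optional

# Constructed: 4-byte NetBIOS session header, then SMB1 header (0xFF 'S' 'M' 'B',
# command 0x73 = Session Setup AndX, 4-byte little-endian NT status).
ATTACKER_BYTES = b"\x00\x00\x00\x2f\xffSMBs\x00\x00\x00\x00\x18\x07\xc8ADMIN\x00WORKGROUP\x00"
TARGET_BYTES = b"\x00\x00\x00\x23\xffSMBs\x6d\x00\x00\xc0\x98\x07\xc8"  # status 0xC000006D


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# Constructed, modelled on the sig 16297 alert posted in this thread.
SAMPLE_LINE = (
    "Cisco IDS    08 Oct 2012 08:50:36    sig_id= 16297    sig= Worm Activity - Brute Force"
    "    src= 10.10.10.4    src_port= [3539]    dst= 192.168.178.131    dst_port= [445]"
    "    sev= informational    proto= tcp    sd:signature.cid:sigDetails=Multiple logon failures"
    f"    cid:context.cid:fromAttacker={_b64(ATTACKER_BYTES)}"
    f"    cid:context.cid:fromTarget={_b64(TARGET_BYTES)}"
    f"    cid:triggerPacket={_b64(TARGET_BYTES)}"
    "    cid:riskRatingValue=25    cid:threatRatingValue=25    cid:protocol=tcp"
)

FIELD_SEP = re.compile(r"\s{2,}")  # values keep single spaces ("Worm Activity - Brute Force")
BASE64_FIELDS = ("cid:context.cid:fromAttacker", "cid:context.cid:fromTarget", "cid:triggerPacket")


def parse_alert(line: str) -> Dict[str, str]:
    """Split the flattened alert into a dict; bare tokens (product, timestamp) go to _prefix."""
    fields: Dict[str, str] = {}
    prefix = []
    for token in FIELD_SEP.split(line.strip()):
        if "=" not in token:
            prefix.append(token)
            continue
        key, _, value = token.partition("=")  # first '=' only: base64 padding contains '='
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            value = value[1:-1]  # src_port= [3539] -> 3539
        fields[key.strip()] = value
    fields["_prefix"] = " | ".join(prefix)
    return fields


def decode_context(fields: Dict[str, str]) -> Dict[str, Optional[bytes]]:
    """Base64-decode the packet-context fields. Redacted or absent fields are skipped;
    a present but malformed value maps to None so the analyst sees it was there."""
    out: Dict[str, Optional[bytes]] = {}
    for name in BASE64_FIELDS:
        raw = fields.get(name)
        if not raw or raw == "<removed>":
            continue
        try:
            out[name] = base64.b64decode(raw, validate=True)
        except (binascii.Error, ValueError):
            out[name] = None
    return out


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII rendering of the decoded bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {chunk.hex(' '):<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


def is_smb_logon_failure(payload: bytes) -> bool:
    """True if the bytes are an SMB1 Session Setup AndX reply with STATUS_LOGON_FAILURE."""
    return (len(payload) >= 13 and payload[4:8] == b"\xffSMB"
            and payload[8] == 0x73 and payload[9:13] == b"\x6d\x00\x00\xc0")


def analyse(line: str) -> dict:
    """Triage summary: who/what, plus whether the target's reply confirms a failed logon."""
    fields = parse_alert(line)
    ctx = decode_context(fields)
    target = ctx.get("cid:context.cid:fromTarget") or b""
    return {
        "sig_id": fields.get("sig_id"),
        "attacker": f"{fields.get('src')}:{fields.get('src_port')}",
        "target": f"{fields.get('dst')}:{fields.get('dst_port')}",
        "risk_rating": int(fields.get("cid:riskRatingValue", "0")),
        "logon_failure_confirmed": is_smb_logon_failure(target),
        "decoded": {k: hexdump(v) if v is not None else "<undecodable>" for k, v in ctx.items()},
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LINE), indent=2))
```

The fields are base64 because they carry raw packet bytes, which cannot be embedded in XML or a syslog line as-is; decoding them is what lets you distinguish a genuine brute force from a misconfigured service account before you ask the owner to add an event action filter. Lines whose values contain embedded double spaces would need a stricter separator than FIELD_SEP, so check a sample from your own SIEM export first.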

  • Change the logging option for the Lightweight AP

    Hi,
    For my AP I can see the logging option enabled for a host:
    # show running-config
    [...]
    logging snmp-trap debugging
    logging 10.0.10.11
    control-plane
    [...]
    Note that these APs are lightweight APs, not autonomous APs. Even on those you can run the "show running-config" command.
    I want to change "logging 10.0.10.11" to "logging 10.20.13.101". But I can't, neither using the terminal nor using my Cisco AS5508 Wireless Controller.
    The WLC is logging to the new syslog server, but I have lost the syslog information from the access point.
    Thank you very much

    Hi,
      This is what I want:
      AP logs to my syslog server
      WLC logs to my syslog server
    The second part is working fine: the WLC logs are sent to the syslog server, but not the AP logs.
    We can see the configuration at the AP:
    # show running-config
    [...]
    logging snmp-trap debugging
    logging 10.0.10.11
    control-plane
    [...]
    And I can't change it using, as you said before (well, I can, but it doesn't work; it doesn't change):
    Management => Logs => Config
    I want to know if there is another procedure to change this.
    Thanks again for your effort
    Regards

  • No archivelog mode and logging option

    Hi, I am having a database 9i on Windows 2000 Advanced Server. My database is in NOARCHIVELOG mode. I am creating a table with the logging option as follows:
    create table x(no number(1))
    logging;
    table created
    Please let me know where the information will be logged: whether into trace files, because the database is in NOARCHIVELOG mode.

    Logging information is always recorded in your redo log files, irrespective of whether your database is in ARCHIVELOG mode or NOARCHIVELOG mode.
    By default a table is created in LOGGING mode, you don't have to explicitly specify it.
    Here is an example:
    SQL> archive log list
    Database log mode              No Archive Mode
    Automatic archival             Disabled
    Archive destination            /u10/app/oracle/product/oracle10g/dbs/arch
    Oldest online log sequence     11
    Current log sequence           13
    SQL> create table t(a number);
    Table created.
    SQL> select logging from user_tables where table_name = 'T';
    LOG
    YES

  • Error: Cannot connect to NTP server or NTP server is not running - Cisco IPS

    This is a different scenario here:
    I have two Cisco IPS 4260-K9 and both are in production now.
    One of the IPSs is configured with NTP and works fine, but the other one does not.
    When I tried to configure it while the device was on and live in production, I got the following errors.
    Error from CLI:
    " Error: Cannot connect to NTP server or NTP server is not running "
    Error from IME:
    " Delivery failed.
    err Unacceptable Value - cannot connect to the NTP server or NTP server is not running"
    I am able to reach the NTP server; also, the same NTP server is working fine with other devices.
    Am I doing anything wrong?
    Please advise

    Hi,
    Now the error has changed:
    Session.connect: java.net.SocketTimeoutException: Read timed out
    I have increased the polling interval to 1 hr from 1 min. Waiting for the next polling interval result.
    Guide me if I am heading right, or if anything else needs to be done.
    Regards,
    Krishna Chauhan

  • Cisco IPS 4200 Series Feature

    Can the Cisco IPS 4200 support RADIUS for user authentication?
    Can the Cisco IPS 4200 support syslog for sending logging to the outside?

    Are you kidding me? Then how do you explain the fact that security devices such as Check Point and ASA firewalls are allowed authentication via TACACS/RADIUS, and you can send syslog back to a syslog server? Normally the information gets sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.
    This is a limitation of the IDS itself. I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as RADIUS/TACACS or even LDAP.

  • IPS Log store on some other location

    Hi,
    We have the following 4 ASAs with IPS modules:
    1. Cisco ASA 5510 with IPS
    2. Cisco ASA 5520 with IPS
    3. Cisco ASA 5515-X with IPS
    4. Cisco ASA 5525-X with SSD with IPS
    I am checking the IPS log on each IPS individually by logging in. I need to store/save this log in some other location.
    Please help us; how can I do this?
    Regards
    Vinod Gupta
    9810966625

    Yes.  Buy it and sign on with your other Macs using the same AppleID.  It will be available in the Purchases tab.
    You can also make a copy of it after the first download and move it to your other machines to avoid another 4 gig download.   Make sure to do this before installing as the installer will delete the download from the applications folder.

  • Bitcoin generator and Cisco IPS 4240

    I have a problem with a Bitcoin generator installed somewhere in the local network.
    I have an IPS 4240 that is connected as an IPS (all traffic to the internet passes through the IPS).
    The software on the IPS is very old, and I cannot upgrade it.
    Version 6.0(6)E4
    Can I configure the IPS to detect and prevent Bitcoin?

    Please, can anyone answer these questions? Your help is appreciated. These are blocking me.
    We have purchased a Cisco IPS 4240 sensor, installed the license, and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.
    1) Can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor?
    2) Where will this IPS 4240 sensor store all the generated events? Can you provide me the file names and location of those files, and can you tell me how to access those files?
    3) How many types of events will be generated by this IPS 4240 sensor?
    4) How do I send all types of events to a syslog server (Windows Kiwi Syslog or Linux syslog) on another system in the network, through the CLI, IDM and IME?
    5) Can you provide me some examples to generate different events?
    6) What is the difference between the CLI, IDM and IME?
    7) How can we know that the configured IPS system is in inline mode?

  • Cisco IPS Events Collector?

    I use CiscoWorks VMS / Security Monitor for my Cisco IPS sensors. I'm very familiar with the idsalarms utility for exporting event data to an XML file. But I would like to find a solution for pulling the events off the sensors without VMS or idsalarms. Is there another command-line utility or standalone software that will connect to the sensors just for saving the events to a file?

    Hi Nitesh,
    I suggest deploying another log server and configuring a remote log target to that server.
    Alternatively, you can configure log message recovery in Monitoring Configuration > System Operations > Log Message Recovery.
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#pgfId-1083029

  • Cisco IPS - IOS vs Appliance vs ASA vs IDSM2

    Hello CSC
    I am trying to find information on the performance of the various IPS implementation options.
    In short, I've been asked to enable IPS on our 2 ISP routers, 7206VXR (NPE-G1), one with a 45 Mbps connection, the other with 100 Mbps; the LAN interfaces for both are 1 Gbps. In addition, we have some internal WAN networks, so I would like to secure this perimeter using an IDSM2 in a 6509.
    I have some doubts that using IOS IPS on each device will be able to cope with the load with efficient throughput.
    I found this info:
    ASA - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/data_sheet_c78-459036_ps4077_Products_Data_Sheet.html
    IPS Appliance - http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/ps9157/product_data_sheet09186a008014873c_ps4077_Products_Data_Sheet.html
    Does anyone have any similar stats for IOS IPS and IDSM2, or better still, a comparison of all IPS solutions?
    Help appreciated.
    Thanks all
    Phil

    Here is a little info:
    http://www.cisco.com/en/US/prod/collateral/routers/ps5853/ps5875/prod_presentation0900aecd806ccf26.pdf
