This document provides various methods to monitor the IPS.
There are no specific requirements for this document.
The information in this document is based on IPS 5.x and later.
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
Currently, there are four options for monitoring the sensors:
IPS Manager Express (IME) is available for
download from Cisco.com. This application is able to securely subscribe to
the IPS sensor with SDEE and retrieve the events/logs that have been generated
as a result of any issues or signatures that have fired on a match.
IPS Device Manager (IDM) is called when you access the sensor
directly through HTTPS.
View the event store directly on the sensor with the
Event Monitoring tools. IDM and IME are not valid solutions if you need
to store the events long term as the local event store of the sensor is a 30 MB
circular buffer and begins to overwrite itself once the 30 MB limit is reached.
This limit is non-configurable.
device in order to routinely pull and correlate the events from the sensor. The
CS-MARS uses the SDEE protocol in order to establish a secure connection to the
sensor to retrieve the events and retrieves new events every few
Contact your account team/reseller/SE for more information if you are
interested in demo-ing the CS-MARS device.
IPS 5.x and 6.x devices, MARS pulls the logs with SDEE over SSL.
Therefore, MARS must have HTTPS access to the sensor. In order to prepare the
sensor, you must allow HTTPS traffic from the IDM/IME management station, and
make sure that the IP address of MARS is defined as an allowed host on the
Monitor the events with the IEV.
Event Viewer is a Java-based application that enables you to view and
manage alarms for up to five sensors. With IDS Event Viewer you can connect to
and view alarms in real time or in imported log files. You can configure
filters and views to help you manage the alarms. You can also import and export
event data for further analysis. Like MARS, IEV establishes a secure connection
to the sensor and retrieves events every few seconds. The IEV stores these
events in a database on the server on which IEV is installed. The DB is
included with IEV and installed along with the application. Click
order to download.
Note: The documentation for IEV is found through the help menu after you
install it. The readme contains installation information.
Configure the signatures on your sensor to have an action of
request-snmp-trap and configure the sensor to send the traps
server. You can then use this server to relay the messages as syslogs to
SNMP is an application layer protocol that facilitates the exchange
of management information between network devices. SNMP enables network
administrators to manage network performance, find and solve network problems,
and plan for network growth.
SNMP is a simple request/response protocol. The network-management
system issues a request, and managed devices return responses. This behavior is
implemented with the use of one of four protocol operations:
You can configure the sensor for monitoring by SNMP. SNMP defines a
standard way for network management stations to monitor the health and status
of many types of devices, which includes switches, routers, and sensors.