Using Monitoring Center for Security 2.2
Monitoring Device Status and Notifications

Table Of Contents

Monitoring Device Status and Notifications

Displaying Monitored Device Status

Monitoring Device Connection Status

Viewing RDEP/SDEE Device Information

Working with Active Blocks

Viewing Denied Attackers

Viewing IP Logs

Viewing Console Notifications


Monitoring Device Status and Notifications


From the Monitor tab, you can view connection status between Monitoring Center for Security (Security Monitor) and monitored devices, device information for RDEP/SDEE devices, IP logs, and console notifications. You can also monitor events from the Monitor tab. For more information, see Chapter 1, "Using the Event Viewer."

This chapter contains the following topics:

Displaying Monitored Device Status

Viewing Console Notifications

Displaying Monitored Device Status

You can use Security Monitor to verify the connection status of the RDEP/SDEE devices and Security Agent MC servers that you are monitoring with Security Monitor. Additionally, for RDEP/SDEE devices, you can view active blocks, active deny status, and IP logs on the device and Security Monitor server.

This section contains the following topics:

Monitoring Device Connection Status

Viewing RDEP/SDEE Device Information

Monitoring Device Connection Status

You can view the connection status of the RDEP/SDEE devices and Security Agent MC servers that you are monitoring with Security Monitor. You cannot monitor the connection status of devices using syslog messages to send event and session data to Security Monitor.

Devices using RDEP/SDEE to communicate with Security Monitor and Security Agent MC servers can show one of the following statuses:

Connected TLS—A secure connection has been established and receives data.

Connected non-TLS—(RDEP/SDEE devices only) A connection that does not use Transport Layer Security (TLS) has been established and receives data.

Additionally, RDEP/SDEE and Security Agent MC server connections may show one of the following transitional states:

Created

Shutting Down

Paused

Authentication Failure

Not Connected—A connection with the device has not been established.

A connection status of Not Connected indicates one of the following conditions:

The device has been added to Security Monitor, but is not yet configured to send event data. Configure the device to forward event data to Security Monitor. This condition is commonly seen when you configure Security Monitor for a device that you plan to deploy later in your network.

The device has been misconfigured. Make sure that the communication settings on the device are correct and that the events are being sent to the correct IP address, protocol, and port number.

Security Monitor has been misconfigured. Make sure that the device contact settings in Security Monitor match those on the device and that any credentials (such as administrative account name and password) have been entered in Security Monitor correctly. Verify that NAT settings have been configured properly.

Network connectivity between the device and Security Monitor has been lost. Try pinging the device from the Security Monitor server. CiscoWorks contains several diagnostic tools, including ping and traceroute, in the Server Configuration > Diagnostics > Connectivity Tools folder.


Note The IDS_Receiver daemon keeps the device connection status current. If the IDS_Receiver daemon is not running, the device connection status does not change and the last entries written to the table (by the daemon) always appear. If you add a device while the IDS_Receiver daemon is stopped, you might see a connectivity status of Indeterminate, which indicates that the IDS_Receiver daemon has not yet created a thread to monitor the connection to the device.


To display the status of the RDEP/SDEE devices, follow these steps:


Step 1 Select Monitor > Connections.

The Connections page appears, listing each device configured in Security Monitor. The device name, type, connection status, and flow control percentage appear in a table.

Step 2 To update the display, click Refresh.

The device list and the connection status for each device are updated.


Viewing RDEP/SDEE Device Information

For RDEP/SDEE devices, you can view active blocks, denied attackers, and IP logs on the device and Security Monitor server.

This section contains the following topics:

Working with Active Blocks

Viewing Denied Attackers

Viewing IP Logs

Working with Active Blocks

You can view a list of active blocks initiated by an RDEP/SDEE device. The following types of blocks are available:

Host block—Denies all traffic from a given IP address.

Connection block—Denies all traffic from a given source IP address to a given destination IP address and destination port.

Network block—Denies all traffic from a specific network.

You can also delete active blocks from the device.
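The following is an added example, not Security Monitor or sensor code, that models the three block types listed above and reports which active blocks would deny a given flow. The class and field names, and the sample block list, are assumptions made for illustration; it is useful when reviewing a Host/Connection Blocks or Network Blocks list to confirm which entries actually affect a flow.

```python
import ipaddress
from dataclasses import dataclass

# Model of the three active-block types described on this page.
# Class and field names are assumptions for this example, not the product's own.

@dataclass(frozen=True)
class HostBlock:
    source: str            # all traffic from this source IP is denied

@dataclass(frozen=True)
class ConnectionBlock:
    source: str            # traffic from this source IP ...
    destination: str       # ... to this destination IP ...
    dest_port: int         # ... on this destination port is denied

@dataclass(frozen=True)
class NetworkBlock:
    network: str           # all traffic from this CIDR network is denied

def matching_blocks(blocks, src, dst, dport):
    """Return the active blocks that would deny the flow src -> dst:dport."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    hits = []
    for block in blocks:
        if isinstance(block, HostBlock):
            if ipaddress.ip_address(block.source) == src_ip:
                hits.append(block)
        elif isinstance(block, ConnectionBlock):
            if (ipaddress.ip_address(block.source) == src_ip
                    and ipaddress.ip_address(block.destination) == dst_ip
                    and block.dest_port == dport):
                hits.append(block)
        elif isinstance(block, NetworkBlock):
            # strict=False accepts a host address written with a prefix length
            if src_ip in ipaddress.ip_network(block.network, strict=False):
                hits.append(block)
    return hits

def is_denied(blocks, src, dst, dport):
    return bool(matching_blocks(blocks, src, dst, dport))

# Constructed sample block list using documentation address ranges.
SAMPLE_BLOCKS = [
    HostBlock("192.0.2.10"),
    ConnectionBlock("198.51.100.5", "10.0.0.20", 22),
    NetworkBlock("203.0.113.0/24"),
]
```

A connection block only matches when source, destination, and destination port all agree, so a flow from the same source to a different port passes through the block list unaffected.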

To view or delete active blocks, follow these steps:


Step 1 Select Monitor > Device.

Step 2 Click the Object Selector handle.

All RDEP/SDEE devices that you have added to Security Monitor are listed.

Step 3 In the Object Selector, select the device for which you want to view blocks.

The Object Selector closes.

Step 4 To view the active host/connection blocks, select Host/Connection Blocks in the TOC.

The Host/Connection Blocks page appears.

Step 5 To view the active network blocks, select Network Blocks in the TOC.

The Network Blocks page appears.

Step 6 To delete an active block, select the check box next to the block that you want to delete, and then click Delete.


Note You must have administrative privileges to delete an active block.


The active block is deleted from the device.

Step 7 To view detailed status information for an active block, click the link in the Status column for that block.

Step 8 To update the display, click Refresh.

The list of active blocks is updated.


Viewing Denied Attackers

You can view a current list of denied IP addresses for Cisco Intrusion Prevention Systems (IPS) Sensors 5.0.

To view a list of denied attackers, follow these steps:


Step 1 Select Monitor > Device.

Step 2 Click the Object Selector handle.

All RDEP/SDEE devices that you have added to Security Monitor are listed.

Step 3 In the Object Selector, select the device for which you want to view a list of denied attackers.

The Object Selector closes.

Step 4 To view the denied attackers, select Denied Attackers in the TOC.

The Denied Attackers page appears. It contains a table that displays the following columns:

IP Address—IP address of the host that the sensor is denying.

Hit Count—Displays the hit count for that denied attacker.

Step 5 To update the table, click Refresh.

The list of active denied attackers is updated.

Step 6 To clear the entire list of denied attackers from the sensor, click Clear List.


Note You must have administrative privileges to clear the denied attacker list.


All active denied attackers are cleared from the sensor.


Viewing IP Logs

You can view the IP logs stored on an RDEP/SDEE device or stored on the local Security Monitor server.


Tip Before you can view IP logs on the Security Monitor server, you must specify a location for the IP logs to be saved on the IP Log Settings page, which you access by selecting Admin > System Configuration > IP Log Settings.


To view IP logs, follow these steps:


Step 1 Select Monitor > Device.

Step 2 Click the Object Selector handle.

All RDEP/SDEE devices that you have added to Security Monitor are listed.

Step 3 In the Object Selector, select the device for which you want to view IP logs.

The Object Selector closes.

Step 4 To view the IP logs from the RDEP/SDEE device, select RDEP/SDEE Device in the TOC.

The IP Logs page appears.

Step 5 To view the IP logs from the Security Monitor server, select Server in the TOC.

The Archived IP Log page appears.

Step 6 To update the display, click Refresh.

The list of IP logs is updated.

Step 7 To view the IP log details, click the radio button next to the IP log ID. Then, click Show IP Log.

The IP log details appear in a new window.

Step 8 To delete an IP log, click the radio button next to the IP log ID. Then, click Delete.


Note The Delete option is available only for IP logs from the Security Monitor server.


The selected IP log is deleted from the Security Monitor archive.


Viewing Console Notifications

You can set up console notifications as a system response to specific events or patterns of events by using event rules. For more information, see Chapter 1, "Defining Notifications."

You can view the console notifications generated by the notification subsystem.

To view the console notifications, follow these steps:


Step 1 Select Monitor > Notifications.

The Console Notifications page appears.

Step 2 To update the display, click Refresh.

The list of console notifications is updated.

Step 3 To delete a console notification, select the check box next to the notification you want to delete, and then click Delete.


Tip You can delete more than one notification at a time. To delete more than one notification, select the check boxes next to all notifications that you want to delete.


The selected console notification is deleted from the Security Monitor archive.