Hi Bill,

The CSIDS 4235 uses RDEP to transfer the XML formatted logs. Cisco did away with post office protocol upon migration to the V4.x sensors and syslog is not an option.

RDEP is a "pull" technology, meaning that a remote log server must connect to the sensor on port 443 as an authorized user with a minimum of "view" privileges, access the log dir and pull them to the log server. The session is decrypted and the logs are stored in clear text XML format on the log server. In a distributed environment, you might be able to set up syslog to read the logs and ship them elsewhere for aggregation, or to a database, or a SEM, or ...

Your options are limited on the 4235 because of Cisco terms of service, service account dependencies, and the hardening steps Cisco has taken. While it is not impossible to utilize syslog on the sensor, I wouldn't recommend it due to its insecurities versus RDEP.

At a very basic level, Cisco does offer the IEV which runs on Windows. Get it installed in a lab and familiarize yourself with it; it will give you a good starting point to see what the logs look like and how they are accessed and processed. Plus, in a small shop, it's not a bad option for free.

Terence

Izzy, Brian wrote:
> Bill,
> Cisco IDS v4.x uses an XML based protocol to transmit its events.
>
> One challenge you will face is how to combine UDP 514 Syslog and Cisco
> XML IDS events in one machine (tool).
>
> For that, you might want to look at SEM (Security Event Management)
> products. These types of products can collect on multiple protocols
> including the ones you mentioned and from other products of interest
> including Windows event logs, VPNs, VA products, etc.... Once the
> information is centralized these products can correlate the data to
> help identify viruses/threats, enforce policy, and help with compliance
> (SOX, GLBA, HIPAA, etc...). Some SEM products are appliance based
> while others are software based.
>
> There are lots of vendors doing SEM including the company I work for
> - Network Intelligence Corp. I would suggest doing a Google search and
> doing some research on your own.
>
> These SEM products can get expensive so look around for the one that
> fits you (and your budget) the best.
>
> Hope this helped,
> Brian
>
> -----Original Message-----
> From: loganalysis-bounces+bizzy=network-intelligence.com@private
> To: loganalysis@private
> Sent: Wed Jun 30 15:32:00 2004
> Subject: [logs] Cisco IDS 4235 and Syslog.
>
> All,
>
> We are in the process of rebuilding our logging infrastructure. I was
> wondering whether anyone had any experience with Cisco IDS (ver. 4.1)
> and syslog. Cisco's documentation is a little vague regarding 3rd party
> solutions (i.e. other than CiscoWorks VPN Security Manager and Cisco
> Threat Response). Is it possible to log IDS events to a centralized
> syslog server? If so, how is this accomplished?
>
> Many thanks in advance.
>
> Bill
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
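The RDEP pull and the XML-to-syslog bridge discussed in this thread, as an added example that is not part of the original posts: it fetches the sensor's event stream over HTTPS as a "view" user (the /cgi-bin/event-server path and query are assumptions, not taken from Cisco documentation), turns each evAlert into an RFC 3164 line, and forwards those lines to a collector on UDP 514. The embedded XML is constructed to approximate the evAlert layout and was not captured from a real sensor.

```python
import base64
import socket
import time
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample approximating one RDEP evAlert element; not captured from a real sensor.
SAMPLE_XML = """<events>
<evAlert eventId="1088600000000000001" severity="high">
 <originator><hostId>sensor01</hostId><appName>sensorApp</appName></originator>
 <time offset="0" timeZone="UTC">1088600000</time>
 <signature sigId="2004" subSigId="0" sigName="ICMP Echo Request"/>
 <participants><attack>
  <attacker><addr locality="OUT">192.0.2.10</addr></attacker>
  <victim><addr locality="IN">198.51.100.5</addr></victim>
 </attack></participants>
</evAlert>
</events>"""

FACILITY_LOCAL4 = 20                       # syslog facility local4
SEVERITY_MAP = {"high": 2, "medium": 4, "low": 5, "informational": 6}  # IDS -> syslog severity


def pull_rdep(sensor, user, password):
    """The RDEP 'pull': one HTTPS request to the sensor as a user with 'view' rights.
    The /cgi-bin/event-server path and the events= query are assumptions; confirm them
    against the sensor's RDEP documentation before relying on this."""
    req = urllib.request.Request(f"https://{sensor}/cgi-bin/event-server?events=evAlert")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:   # encrypted in transit, clear text once read
        return resp.read().decode()


def alerts_to_syslog(xml_text):
    """Convert every evAlert in the pulled document into one RFC 3164 syslog line."""
    lines = []
    for ev in ET.fromstring(xml_text).iter("evAlert"):
        sev = ev.get("severity", "informational")
        pri = FACILITY_LOCAL4 * 8 + SEVERITY_MAP.get(sev, 6)     # PRI = facility*8 + severity
        tm = time.gmtime(int(ev.findtext("time", "0")))            # sensor reports epoch seconds
        stamp = f"{time.strftime('%b', tm)} {tm.tm_mday:2d} {time.strftime('%H:%M:%S', tm)}"
        sig = ev.find("signature")
        attrs = sig.attrib if sig is not None else {}
        lines.append(
            f"<{pri}>{stamp} {ev.findtext('originator/hostId', '-')} cids: "
            f"sigId={attrs.get('sigId', '-')} sigName=\"{attrs.get('sigName', '-')}\" severity={sev} "
            f"src={ev.findtext('participants/attack/attacker/addr', '-')} "
            f"dst={ev.findtext('participants/attack/victim/addr', '-')}"
        )
    return lines


def send_udp(lines, server, port=514):
    """Ship the lines to the collector on UDP 514; this leg is clear text on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode(), (server, port))
```

Run as `send_udp(alerts_to_syslog(pull_rdep("sensor01", "viewer", "secret")), "loghost")` once the path is confirmed; because the logs leave the TLS session in clear text, keep the host doing this conversion and the UDP leg on a management network.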
This archive was generated by hypermail 2b30 : Thu Jul 01 2004 - 09:43:45 PDT