Re: [logs] Cisco IDS 4235 and Syslog.

From: Terence Runge (terencerunge@private)
Date: Wed Jun 30 2004 - 20:43:33 PDT


Hi Bill

The CSIDS 4235 uses RDEP to transfer the XML formatted logs. Cisco did 
away with post office protocol upon migration to the V4.x sensors and 
syslog is not an option. RDEP is a "pull" technology, meaning that a 
remote log server must connect to the sensor on port 443 as an 
authorized user with a minimum of "view" privileges, access the log dir 
and pull them to the log server.

The session is decrypted and the logs are stored in the clear text XML 
format on the log server. In a distributed environment, you might be able 
to set up syslog to read the logs and ship them elsewhere for 
aggregation, or to a database, or a SEM, or ...

Your options are limited on the 4235 because of Cisco terms of service, 
service account dependencies, and the hardening steps Cisco has taken. 
While it is not impossible to utilize syslog on the sensor, I wouldn't 
recommend it due to its insecurities versus RDEP.

At a very basic level, Cisco does offer the IEV which runs on Windows. 
Get it installed in a lab and familiarize yourself with it, it will give 
you a good starting point to see what the logs look like and how they 
are accessed and processed. Plus, in a small shop, it's not a bad option 
for free.

Terence
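
One way to do the "syslog reads the pulled logs and ships them elsewhere" step described above, as an added example that is not part of this thread or any Cisco tool: the XML layout, element names and addresses below are constructed placeholders (not the real RDEP event schema), and the collector host name is assumed.

```python
import socket
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample of events as they might sit on the log server after an
# RDEP pull.  Element and attribute names are placeholders for this example,
# NOT Cisco's IDS 4.x RDEP schema.
SAMPLE_XML = """<events>
  <event id="1001" time="2004-06-30T15:32:00" severity="high"
         sigId="3030" sigName="TCP SYN Host Sweep"
         src="192.0.2.10" dst="198.51.100.5"/>
  <event id="1002" time="2004-06-30T15:33:10" severity="low"
         sigId="2004" sigName="ICMP Echo Request"
         src="192.0.2.11" dst="198.51.100.5"/>
</events>"""

FACILITY_LOCAL4 = 20
# Map the sensor's severity words onto RFC 3164 severity codes
# (2 = critical, 4 = warning, 6 = informational); unknown words become notice (5).
SEVERITY = {"high": 2, "medium": 4, "low": 6, "informational": 6}


def to_syslog(xml_text, hostname="ids-logsrv", facility=FACILITY_LOCAL4):
    """Render each <event> as one RFC 3164 line: <PRI>TIMESTAMP HOST TAG: MSG."""
    lines = []
    for ev in ET.fromstring(xml_text).iter("event"):
        sev = SEVERITY.get(ev.get("severity", "").lower(), 5)
        pri = facility * 8 + sev                      # PRI = facility*8 + severity
        ts = datetime.strptime(ev.get("time"), "%Y-%m-%dT%H:%M:%S")
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # "Mmm dd hh:mm:ss", day space-padded
        msg = (f"sig={ev.get('sigId')} name=\"{ev.get('sigName')}\" "
               f"src={ev.get('src')} dst={ev.get('dst')} eventId={ev.get('id')}")
        lines.append(f"<{pri}>{stamp} {hostname} cisco-ids: {msg}")
    return lines


def ship_udp(lines, collector, port=514):
    """Send the lines to a UDP/514 collector.  Plain UDP syslog gives neither
    confidentiality nor delivery guarantees, unlike the HTTPS session RDEP used
    for the pull, so keep this hop on a trusted management network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8")[:1024], (collector, port))  # RFC 3164 caps packets at 1024 bytes


if __name__ == "__main__":
    for line in to_syslog(SAMPLE_XML):
        print(line)
```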

Izzy, Brian wrote:

> Bill,
> Cisco IDS v4.x uses an XML-based protocol to transmit its events.
>
> One challenge you will face is how to combine UDP 514 Syslog and Cisco 
> XML IDS events in one machine (tool).
>
> For that, you might want to look at SEM (Security Event Management) 
> products. These types of products can collect on multiple protocols 
> including the ones you mentioned and from other products of interest 
> including windows event logs, VPNs, VA products, etc.... Once the 
> information is centralized these products can correlate the data to 
> help identify virus/threats, enforce policy, and help with compliance 
> (SOX, GLBA, HIPAA, etc...). Some SEM products are appliance based 
> while others are software based.
>
> There are lots of vendors doing SEM including the company I work for 
> - Network Intelligence Corp. I would suggest doing a Google search and 
> do some research on your own.
>
> These SEM products can get expensive so look around for the one that 
> fits you (and your budget) the best.
>
> Hope this helped,
> Brian
>
>
>
> -----Original Message-----
> From: 
> loganalysis-bounces+bizzy=network-intelligence.com@private 
> <loganalysis-bounces+bizzy=network-intelligence.com@private>
> To: loganalysis@private <loganalysis@private>
> Sent: Wed Jun 30 15:32:00 2004
> Subject: [logs] Cisco IDS 4235 and Syslog.
>
> All,
>
> We are in the process of rebuilding our logging infrastructure. I was 
> wondering whether anyone had any experience with Cisco IDS (ver. 4.1) and 
> syslog. Cisco's documentation is a little vague regarding 3rd party 
> solutions (i.e. other than CiscoWorks VPN Security Manager and Cisco 
> Threat Response). Is it possible to log IDS events to a centralized 
> syslog server? If so, how is this accomplished?
>
> Many thanks in advance.
>
> Bill
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2b30 : Thu Jul 01 2004 - 09:43:45 PDT