Configuring a Cisco IDS Sensor

Firmware: 5.0+

Collector: Cisco IDS Collector

Note 

If the Federal Information Processing Standards (FIPS) are enforced in your TLC environment, the Cisco IDS Collector (see Log-Message Collection) can only collect log messages from FIPS-compliant Cisco devices. For a list of FIPS-compliant devices, see the Cisco documentation.

To configure a Cisco IDS Sensor to send log messages to TLC, complete the following steps in the IDS Device Manager:

1. Select the menu item Sensor Setup/Allowed Hosts.
2. Click Add.
3. Enter the IP address and Netmask of the Manager host that will collect log messages from the sensor. The sensor only accepts connections from hosts on this list, so keep the netmask as narrow as possible (a single host where you can).
4. Click Apply to Sensor.

Add Allowed Host dialog

5. Select the menu item Sensor Setup/Users.
6. Click Add.
7. Enter the Username and Password for the account that the Cisco IDS Collector will use to log in to the sensor.
8. From the User Role menu, select Viewer. Viewer is the least-privileged role and is sufficient for reading events; do not give the collector account Operator or Administrator rights.
9. Click Apply to Sensor.

Note 

The Username and Password fields are case sensitive.

Add User dialog

10. Open the Cisco IDS Event Viewer to verify that the Cisco IDS Sensor is now sending log messages to TLC.

Note 

Normalized Messages from a Cisco IDS sensor can be saved as Events in either an IDS Database or an Event Database, but TLC stores payload information only in an IDS Database. If you want IDS Events in an Event Database and need the payload included, save the Events to an IDS Database first, then configure a Database Collector to transfer them from the IDS Database to the Event Database.

Next

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.

Otherwise, see Adding a Monitored Asset for a new Log Source.

Troubleshooting

Receive an Error:

CSC08-2:Cisco IDS Fault received : This subscription cannot be opened because the maximum number of subscriptions are already open.

A Cisco sensor allows at most 5 open SDEE subscriptions, so subscriptions left open by previous collector sessions can exhaust the limit. To list the current subscriptions, enter enable mode and run the following command at the sensor command prompt:

show statistics sdee-server

Open subscriptions are cleared when the sensor is rebooted. To close a single subscription without rebooting, open the following URL in a browser, substituting the sensor address and the subscription ID (sub-#-########) reported by the command above:

https://<CiscoIDS>/cgi-bin/sdee-server?action=close&subscriptionId=sub-#-########

For example:

https://10.1.1.2/cgi-bin/sdee-server?action=close&subscriptionId=sub-4-b1300fa9

The default response is an XML message.