IDS Kiwi logging
This may be a very naive question; if so, it will certainly match my level of knowledge! Can log messages be sent to a Kiwi Syslog server? If so, how do I set it up?
Thank you very much
-michael
Michael-
Unfortunately, no. Kiwi is a syslog server, and none of the Cisco IPS sensors support sending event messages via syslog.
If you have only a few sensors, grab a copy of the free IDM. It will pull IPS events off the sensors via a secure protocol (SDEE).
http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_getting_started.html
Alternatively, you can go and set the 'action' of each signature whose events you want forwarded to send an SNMP trap. It is a less secure way to send events, and you will need to keep up with your action tuning as new signatures are added to your sensors over time.
-Bob
Tags: Cisco Security
Similar Questions
-
How to get the IDSM-2 log file
Hi, we installed an IDSM-2 in a Catalyst 6500 system. Does anyone know how to get the IDSM-2 syslog file, and how to configure it to send the log to a syslog server? I know these two questions are quite simple, but I've yet to find answers.
Any help would be greatly appreciated.
You can get the IDSM-2 events in SDEE format, using the IPS manager or another tool to collect these logs.
-
vCenter Log Insight and Kiwi Syslog
Hi guys
I am excited to try this product, but I already have a syslog solution using Kiwi Syslog.
Would I be able to point Log Insight at the Kiwi server?
Regards
Firoze
If you already use Kiwi then you could forward the logs from Kiwi to Log Insight: http://www.kiwisyslog.com/help/syslog/index.html?action_forward_to_another_host.htm
-
Hello...
Sometimes my IDSM2s just stop reporting alerts. Their connection status in the VMS IDS monitor shows 'connected', but when I try to SSH to the IDSM2 they prompt for a user name and, as soon as I hit enter, they drop the SSH session, printing the error message below. When they do this they are also inaccessible via HTTPS. And when I try to session in through the switch in which they reside, they hang right after I enter a user name. I can usually reset them via the switch command "hw-module", and after resetting them several times they start working again. I'm just curious as to why they do this, and whether I'm doing something to cause it that can be avoided. They are running the latest version of the software 4 and signatures, although I have always had this problem with them, even on older versions. Here is the error message that they print.
kernel: Assertion failure in do_get_write_access() at transaction.c:721: "(((jh2bh(jh))->b_state & (1UL << BH_Uptodate)) != 0)"
Thanks in advance
It is a known problem with busy sensors where the hard drive eventually gets out of sync because of its constant use (something hard drives are not really designed for) and the whole system crashes. Essentially, each alert that the IDS sees is written to a rotating 4 GB log file on the hard drive, and on sensors that see a large number of alerts the hard drive never gets a chance to stop and eventually gets out of alignment. The quick, albeit temporary, fix is to shut the blade down, wait 5 minutes, then power it on again. The shutdown procedure runs properly on the hard drive and it resets. If the sensor is very busy, the problem will occur again.
We have implemented some fixes to work around this problem. You mention that you are running the latest code, but you must also apply the latest service pack patch to work around this problem.
Patches are obtained from here:
http://www.Cisco.com/cgi-bin/tablebuild.pl/IDs-patches
The latest patch is 'g'; patches are cumulative like signature updates, so applying it gets you all the previous ones too. Apply it and you should find that everything works MUCH better than it did.
-
IDSM-2 using a lot of memory
Hello.
I have a question about an IDSM-2 that is using 98% of its memory.
Output of sh ver:
Using 1944629248 out of 1979682816 bytes of available memory (98% usage)
Using 4.3G out of 17G bytes of available disk space (27% usage)
Is it normal that it uses 98% of memory during normal operation, or is there a problem?
If this is not normal, please tell me how I can troubleshoot what is wrong with it.
This message is misleading, because it includes the memory allocated to system processes as well as the memory allocated to the cache. Cache
memory is really "free": it is available for allocation at any time.
It's actually a cosmetic bug in the version you are running.
If you want to check during periods of what you believe to be high memory usage, you can log in as the service user
(if you have not created a service user you can do so as follows):
1. Log in using the "cisco" account; the prompt will look like:
sensor#
2. Enter configure terminal mode:
sensor# configure terminal
3. Create the service account:
sensor(config)# username service password xxx privilege service
Then log in to the sensor as the service user and run the command 'free'. What 'sh ver' reports is the "used" column.
The "Mem:" row, "used" column is the amount of memory (in kilobytes) that the "show version" command reports. However, this total includes the amount 'cached'.
The formula to calculate the actual memory used is:
((used - cached) / total) * 100 = percentage of memory used.
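An added example (not code from the thread) that applies the formula above to the output of `free` and contrasts it with the naive used/total figure that `show version` displays. The `free` output below is constructed for illustration, not taken from a real sensor.

```python
"""Check a Cisco IPS sensor's real memory use from the output of `free`.

Added example: applies the reply's formula ((used - cached) / total) * 100
and compares it with the naive used/total figure (cache counted as used).
"""

# Constructed sample of `free` output (kilobytes) from a Linux-based sensor;
# the numbers are made up so the naive figure lands near the poster's 98%.
SAMPLE_FREE_OUTPUT = """\
             total       used       free     shared    buffers     cached
Mem:       1933284    1899052      34232          0      81200    1402360
-/+ buffers/cache:     415492    1517792
Swap:      2097144          0    2097144
"""


def parse_free(output: str) -> dict:
    """Return the 'Mem:' row of `free` as {column name: kilobytes}."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    header = lines[0].split()
    for line in lines[1:]:
        fields = line.split()
        if fields and fields[0] == "Mem:":
            values = [int(v) for v in fields[1:]]
            if len(values) != len(header):
                raise ValueError("unexpected column count in 'Mem:' row")
            return dict(zip(header, values))
    raise ValueError("no 'Mem:' row found in free output")


def naive_used_percent(mem: dict) -> float:
    """What `show version` displays: used / total, cache counted as used."""
    return round(mem["used"] / mem["total"] * 100, 1)


def real_used_percent(mem: dict) -> float:
    """The reply's formula: ((used - cached) / total) * 100."""
    return round((mem["used"] - mem["cached"]) / mem["total"] * 100, 1)


def memory_pressure(mem: dict, threshold: float = 90.0) -> bool:
    """True only if memory is genuinely tight once cache is excluded."""
    return real_used_percent(mem) >= threshold


if __name__ == "__main__":
    mem = parse_free(SAMPLE_FREE_OUTPUT)
    print(f"show version style: {naive_used_percent(mem)}% used")
    print(f"cache excluded:     {real_used_percent(mem)}% used")
    print("memory pressure:", memory_pressure(mem))
```

On the constructed sample the naive figure is 98.2% while the cache-excluded figure is 25.7%, which is the gap the reply describes.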
-
I would like to log hacking and intrusion attacks coming through a PIX 501 on a broadband connection in a home office setup. I have the box up and running and I currently have the Kiwi Syslog Daemon set up. What would be my best approach to logging all relevant information without loading the unit down? Any suggestions / tips would be appreciated.
Thank you
This is a common logging configuration that I use:
logging on
logging timestamp
logging trap informational
logging host inside x.x.x.x
no logging message 106015
no logging message 106007
no logging message 105003
no logging message 105004
no logging message 309002
no logging message 305012
no logging message 305011
no logging message 303002
no logging message 111008
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 111005
no logging message 609002
no logging message 609001
no logging message 302016
I usually do not enable the logging buffer (and never use console logging; it will affect performance) because it does not timestamp the messages (it only timestamps in the syslog). Don't load the PIX down; let Kiwi carry the load for you.
Also turn on the IDS on the PIX.
Hope this helps.
Steve
-
Is it possible to have log messages sent to two different syslogs? On our PIX 515 we have logging set up to go to some lame program that we don't like. I know the boss won't let me stop logging to it. I want to also log to something like the Kiwi Syslog Daemon. Is this possible? Thank you.
Yes, it is possible to have several destinations for syslog traffic.
Use one for global logging and the second for Kiwi.
-
Need recommendation for PIX logging software
Hello
I need a recommendation for PIX logging software so that I can better manage my PIX 525 and 515 firewalls. I am currently using Cisco Syslog and I want something where I can set up specific priority alerts, send email or page, etc. Your help would be most appreciated.
Thank you
You can use: Kiwi Syslog
http://www.kiwisyslog.com/software_downloads.htm#download%20Now
Commercial products:
Cisco VMS = http://www.cisco.com/go/vms
Sawmill = http://www.sawmill.net/
IQR = http://www.eiqnetworks.com/products/products.shtml
Sincerely
Patrick
-
How to permanently remove events from the event log in the CSA MC
I run Cisco Security Agent 4 deployed on 4 PCs. I have enabled detailed logging just because it's a test environment & I wanted to see how many events it would generate. Well, last I checked CSA MC (under the event summary) it had more than 300,000 (that's right, 300,000) events recorded. I have modified the event handler and applied the new rules, but the machine is slooooow because of the more than 300,000 events. Please see the attached screenshot. How do I permanently purge the event log? I used the purge command within the CSA MC but it removed only 10,000 events. The machine is so slow that I can do nothing about it.
Well, I wanted to send the screenshot, but the machine is so slow I can't even attach the file. But in any case, the problem is that the summary window shows more than 300,000 events & I need to permanently remove the events.
Thank you.
The only way I know how is to use "Events" and click all events. From there you can click or purge the events of your choice.
Also, what are the specs of the server you use?
I have been involved with MCs with more than 2x what you have & that server performs satisfactorily.
Hope this helps,
Peter
-
Our company uses a VPN 3000 concentrator for our VPN access.
Is there a way to view a log history of which user connected to the VPN and what IP address they were assigned? This would be 2 days ago, which was over the weekend.
Thank you.
To obtain this type of information, you must configure an external management server (a syslog server) and send this info to that server.
You can for example download freeware like the Kiwi syslog server from http://www.kiwisyslog.com, then configure the concentrator to send the logs to the server.
Here's how to use the VPN 3k with syslog etc.:
http://www.Cisco.com/en/us/partner/docs/security/vpn3000/vpn3000_47/configuration/guide/events.html
For fancier graphical reporting you can also use Cisco Security Manager http://www.cisco.com/en/US/partner/products/ps6498/index.html
There is also 3rd party software out there that can collect this type of information, such as ManageEngine's firewall monitoring product, which can also collect logs from Cisco VPN concentrators (VPN connections etc.):
http://www.ManageEngine.com/products/firewall/distributed-monitoring/index.html
Regards
-
/var/log/boot.gz
I guess that this file is created at startup and then gzip'd for archival purposes.
So, question:
-Is this file overwritten every time you boot, does it get archived/moved/saved for historical reference, or is it just appended to at each boot?
THX.
Guardian1234 wrote:
-Is this file overwritten every time you boot, does it get archived/moved/saved for historical reference, or is it just appended to at each boot?
I did two reboots of a 5.1 ESXi host and the boot.gz was 30506 bytes in the first case and 30416 bytes after the second reboot. A large number of new lines were added, but the size was still a few bytes less. This strongly suggests that the file is overwritten each time you boot. (Server on persistent storage as well.)
You could read the file with zcat /var/log/boot.gz | more.
-
How to send the audit log to syslog?
Hi all
11.2.0.1
AIX 6.1
Our IT auditor wants us to save our audit log files to the operating system, where they can be protected by root so that the Oracle DBA (sys) cannot touch them. Then the auditor wants to send them to our central audit trail server on another machine.
I found this link on Google:
http://underdarkonsole.blogspot.com/2011/10/send-Oracle-11g-audit-log-to-syslog.html
The link mentions 3rd party software such as Kiwi and Splunk. Is that necessary in order to send the audit log to syslog?
Thank you very much
zxy
You do not write. Oracle sends audit messages to the syslog facility. It is the syslog daemon that does the writing.
Hemant K Chitale
-
Redo log size in Data Guard configurations
DB version: 11.2
Platform: Solaris 10
We currently have a production DB which is not Data Guard. It has a mixed workload: some OLTP and batch processing.
Its redo log size is *100* MB.
We will create a database with very similar requirements, but this DB will have a physical standby (Data Guard) with real-time apply.
To adapt to the Data Guard requirements, should we reduce the size of the online redo logs? That is to say, transporting small pieces of redo is better than transporting larger ones. Right?
Hello;
If you use "real-time apply" the key is not the size but the Standby Redo Logs.
In most cases, 100 MB is fine. Standby redo logs must be the same size as the redo logs.
With 'real-time apply' the SRLs act as a buffer.
Unless you have a real problem with the redo size I would not change it.
An excellent source of information on this is 'Redo Transport Services' in 'Data Guard Concepts and Administration 11g Release 2 (11.2)' E10700-02.
If you believe that your logs are too big, start with "Troubleshooting performance problems with the database and Manufacturing/MRP [ID 100964.1]".
Best regards
mseberg
Published by: mseberg on May 31, 2012 11:33
-
Kernel panic issues, please help reading log files
Whenever I plug in an Arduino USB peripheral my Mac crashes. Here is the log. I can't understand it.
_________________________
Anonymous UUID: F337CFF1-4204-DF6D-2BD0-B6FDF3953966
Mon Oct 3 11:30:17 2016
*** Panic Report ***
panic(cpu 2 caller 0xffffff801554186b): "Element 0xffffff9202993dee from zone vm objects caught being freed to wrong zone kalloc.16"@/Library/Caches/com.apple.xbs/Sources/xnu/xnu-3789.1.32/osfmk/kern/zalloc.c:2664
Backtrace (CPU 2), Frame : Return Address
0xffffff9202823ba0: 0xffffff80154f748c
0xffffff9202823c20: 0xffffff801554186b
0xffffff9202823d00: 0xffffff8015a86fe6
0xffffff9202823d20: 0xffffff7f9643d00a
0xffffff9202823d70: 0xffffff7f9639600a
0xffffff9202823d90: 0xffffff7f9639bf9d
0xffffff9202823e10: 0xffffff8015ac00ba
0xffffff9202823e80: 0xffffff7f9639b8dd
0xffffff9202823ed0: 0xffffff7f963a07e1
0xffffff9202823f10: 0xffffff7f963a053f
0xffffff9202823f30: 0xffffff8015abd621
0xffffff9202823f80: 0xffffff8015abcc06
0xffffff9202823fb0: 0xffffff80154a6af7
Kernel Extensions in backtrace:
com.apple.iokit.IOUSBHostFamily(1.1)[6A671CD8-5527-3A10-8675-1421D158D7A7]@0xffffff7f96365000->0xffffff7f963ccfff
dependency: com.apple.driver.AppleBusPowerController(1.0)[DB526B45-1A45-3A81-A0C1-57F826CADEDF]@0xffffff7f96358000
com.apple.iokit.IOUSBFamily(900.4.1)[8F6207EC-608D-373A-B35E-E6578202F58D]@0xffffff7f96409000->0xffffff7f964a1fff
dependency: com.apple.iokit.IOPCIFamily(2.9)[731443D8-78D5-30C8-939A-1ED3E857CA22]@0xffffff7f95d32000
dependency: com.apple.iokit.IOUSBHostFamily(1.1)[6A671CD8-5527-3A10-8675-1421D158D7A7]@0xffffff7f96365000
BSD process name corresponding to current thread: kernel_task
Boot args: kext-dev-mode=1
Mac OS version:
16A323
Kernel version:
Darwin Kernel Version 16.0.0: Mon Aug 29 17:56:20 PDT 2016; root:xnu-3789.1.32~3/RELEASE_X86_64
Kernel UUID: 622D2470-C34D-31F9-A62B-6AA9A3C6A3CD
Kernel slide: 0x0000000015200000
Kernel text base: 0xffffff8015400000
__HIB text base: 0xffffff8015300000
System model name: MacBookPro11,5 (Mac-06F11F11946D27C5)
System uptime in nanoseconds: 5562983687
last loaded kext at 5127051852: com.apple.driver.ApplePlatformEnabler 2.7.0d0 (addr 0xffffff7f97b15000, size 28672)
loaded kexts:
com.wch.usbserial 1
com.kaspersky.nke 2.3.1a8
com.kaspersky.kext.klif 3.4.2a30
com.apple.driver.ApplePlatformEnabler 2.7.0d0
com.apple.driver.X86PlatformShim 1.0.0
com.apple.driver.AppleOSXWatchdog 1
com.apple.driver.AppleGraphicsDevicePolicy 3.13.60
com.apple.driver.AppleHDAHardwareConfigDriver 276.26
com.apple.driver.AppleUpstreamUserClient 3.6.4
com.apple.driver.AppleHDA 276.26
com.apple.kext.AMDFramebuffer 1.4.4
com.apple.driver.pmtelemetry 1
com.apple.iokit.IOUserEthernet 1.0.1
com.apple.driver.AppleIntelHD5000Graphics 10.1.8
com.apple.iokit.IOBluetoothSerialManager 5.0.0f18
com.apple.AMDRadeonX4000 1.4.4
com.apple.driver.AppleCameraInterface 5.57.0
com.apple.Dont_Steal_Mac_OS_X 7.0.0
com.apple.driver.AppleHV 1
com.apple.iokit.BroadcomBluetoothHostControllerUSBTransport 5.0.0f18
com.apple.driver.ACPI_SMC_PlatformPlugin 1.0.0
com.apple.driver.AppleSMCLMU 208
com.apple.driver.AppleLPC 3.1
com.apple.driver.AppleMuxControl 3.13.60
com.apple.kext.AMD7000Controller 1.4.4
com.apple.driver.AppleThunderboltIP 3.0.8
com.apple.driver.AppleIntelFramebufferAzul 10.1.8
com.apple.driver.AppleIntelSlowAdaptiveClocking 4.0.0
com.apple.driver.AppleFIVRDriver 4.1.0
com.apple.driver.AppleBacklight 170.9.10
com.apple.driver.AppleMCCSControl 1.2.13
com.apple.iokit.SCSITaskUserClient 394
com.apple.driver.AppleUSBStorageCoexistentDriver 404.1.1
com.apple.driver.AppleUSBCardReader 404.1.1
com.apple.driver.AppleTopCaseHIDEventDriver 102
com.apple.driver.AppleUSBTopCaseDriver 102
com.apple.iokit.IOBluetoothUSBDFU 5.0.0f18
com.apple.driver.CoreStorageFsck 540
com.apple.iokit.IOAHCIBlockStorage 295.1.1
com.apple.driver.AirPort.Brcm4360 1100.37.1a16
com.apple.driver.AppleAHCIPort 326
com.apple.driver.AppleFileSystemDriver 3.0.1
com.apple.AppleFSCompression.AppleFSCompressionTypeDataless 1.0.0d1
com.apple.AppleFSCompression.AppleFSCompressionTypeZlib 1.0.0
com.apple.BootCache 39
com.apple.filesystems.hfs.kext 366.1.1
com.apple.driver.AppleSmartBatteryManager 161.0.0
com.apple.driver.AppleACPIButtons 5.0
com.apple.driver.AppleRTC 2.0
com.apple.driver.AppleHPET 1.8
com.apple.driver.AppleSMBIOS 2.1
com.apple.driver.AppleACPIEC 5.0
com.apple.driver.AppleAPIC 1.7
com.apple.nke.applicationfirewall 171
com.apple.security.quarantine 3
com.apple.security.TMSafetyNet 8
com.apple.driver.DspFuncLib 276.26
com.apple.kext.OSvKernDSPLib 525
com.apple.iokit.IOSerialFamily 11
com.apple.iokit.IOSurface 152
com.apple.iokit.IOBluetoothHostControllerUSBTransport 5.0.0f18
com.apple.iokit.IOBluetoothHostControllerTransport 5.0.0f18
com.apple.iokit.IOBluetoothFamily 5.0.0f18
com.apple.driver.AppleHDAController 276.26
com.apple.iokit.IOHDAFamily 276.26
com.apple.iokit.IOAudioFamily 205.11
com.apple.vecLib.kext 1.2.0
com.apple.driver.IOPlatformPluginLegacy 1.0.0
com.apple.driver.X86PlatformPlugin 1.0.0
com.apple.driver.AppleSMBusPCI 1.0.14d1
com.apple.driver.IOPlatformPluginFamily 6.0.0d8
com.apple.driver.AppleGraphicsControl 3.13.60
com.apple.kext.AMDSupport 1.4.4
com.apple.driver.AppleThunderboltEDMSink 4.1.1
com.apple.driver.AppleThunderboltDPOutAdapter 4.5.3
com.apple.AppleGraphicsDeviceControl 3.13.60
com.apple.iokit.IOAcceleratorFamily2 288.13
com.apple.iokit.IOSlowAdaptiveClockingFamily 1.0.0
com.apple.driver.AppleBacklightExpert 1.1.0
com.apple.iokit.IONDRVSupport 2.4.1
com.apple.driver.AppleSMC 3.1.9
com.apple.driver.AppleSMBusController 1.0.14d1
com.apple.iokit.IOGraphicsFamily 2.4.1
com.apple.iokit.IOUSBMassStorageClass 4.0.4
com.apple.iokit.IOSCSIBlockCommandsDevice 394
com.apple.iokit.IOUSBMassStorageDriver 131.1.1
com.apple.iokit.IOSCSIArchitectureModelFamily 394
com.apple.driver.AppleHIDKeyboard 197
com.apple.driver.AppleMultitouchDriver 367.6
com.apple.driver.AppleInputDeviceSupport 76.1
com.apple.driver.usb.IOUSBHostHIDDevice 1.1
com.apple.driver.usb.cdc 5.0.0
com.apple.driver.usb.networking 5.0.0
com.apple.driver.usb.AppleUSBHostCompositeDevice 1.1
com.apple.driver.CoreStorage 540
com.apple.driver.AppleXsanScheme 3
com.apple.iokit.IO80211Family 1200.12.2
com.apple.driver.mDNSOffloadUserClient 1.0.1b8
com.apple.driver.corecapture 1.0.4
com.apple.driver.AppleUSBMergeNub 900.4.1
com.apple.driver.usb.AppleUSBXHCIPCI 1.1
com.apple.driver.usb.AppleUSBXHCI 1.1
com.apple.iokit.IOAHCIFamily 288
com.apple.filesystems.hfs.encodings.kext 1
com.apple.iokit.IONetworkingFamily 3.2
com.apple.driver.AppleThunderboltDPInAdapter 4.5.3
com.apple.driver.AppleThunderboltDPAdapterFamily 4.5.3
com.apple.driver.AppleThunderboltPCIDownAdapter 2.0.3
com.apple.driver.AppleThunderboltNHI 4.1.3
com.apple.iokit.IOThunderboltFamily 6.2.1
com.apple.driver.usb.AppleUSBHostPacketFilter 1.0
com.apple.iokit.IOUSBFamily 900.4.1
com.apple.iokit.IOUSBHostFamily 1.1
com.apple.driver.AppleUSBHostMergeProperties 1.1
com.apple.driver.AppleBusPowerController 1.0
com.apple.driver.AppleEFINVRAM 2.1
com.apple.driver.AppleEFIRuntime 2.0
com.apple.iokit.IOHIDFamily 2.0.0
com.apple.iokit.IOSMBusFamily 1.1
com.apple.security.sandbox 300.0
com.apple.kext.AppleMatch 1.0.0d1
com.apple.driver.AppleKeyStore 2
com.apple.driver.AppleMobileFileIntegrity 1.0.5
com.apple.driver.AppleCredentialManager 1.0
com.apple.driver.DiskImages 444
com.apple.iokit.IOStorageFamily 2.1
com.apple.iokit.IOReportFamily 31
com.apple.driver.AppleFDEKeyStore 28.30
com.apple.driver.AppleACPIPlatform 5.0
com.apple.iokit.IOPCIFamily 2.9
com.apple.iokit.IOACPIFamily 1.4
com.apple.kec.Libm 1
com.apple.kec.pthread 1
com.apple.kec.corecrypto 1.0
System Profile:
AirPort: spairport_wireless_card_type_airport_extreme (0x14E4, 0x152), Broadcom BCM43xx 1.0 (7.21.171.10.1a16)
Bluetooth: Version 5.0.0f18, 3 services, 17 devices, 1 incoming serial ports
Thunderbolt Bus: MacBook Pro, Apple Inc., 27.1
Memory Module: BANK 0/DIMM0, 8 GB, DDR3, 1600 MHz, 0x80AD, 0x484D54343147533642465238412D50422020
Memory Module: BANK 1/DIMM0, 8 GB, DDR3, 1600 MHz, 0x80AD, 0x484D54343147533642465238412D50422020
USB Device: USB 3.0 Bus
USB Device: Card Reader
USB Device: Apple Keyboard / Trackpad
USB Device: Bluetooth USB Host Controller
Serial ATA Device: APPLE SSD SM0512G, 500.28 GB
Model: MacBookPro11,5, BootROM MBP114.0172.B09, 4 processors, Intel Core i7, 2.5 GHz, 16 GB, SMC 2.30f2
Network Service: Wi-Fi, AirPort, en0
Graphics: AMD Radeon R9 M370X, AMD Radeon R9 M370X, PCIe, 2048 MB
Graphics: Intel Iris Pro, Intel Iris Pro, Built-In
Uninstall Kaspersky. It has a tendency to interfere with the operation of the computer while offering little or no benefit.
-
How is it that I'm logged into your account?
Hey! What is going on? Why, when I open the Apple support site, do I see this:
What is going on? How is it that I'm logged into your account? Am I hacked or what? Or is it an Apple problem? Help, please.
< image edited by host to remove personal information >
I've been there before. I came to this site and I was instantly logged in as someone who had recently signed in. Someone helped me file a report with Apple.