Cisco IDS/IPS

You can integrate a Cisco IDS/IPS security device with JSA.

The Cisco IDS/IPS DSM for JSA polls Cisco IDS/IPS for events by using the Security Device Event Exchange (SDEE) protocol.

The SDEE specification defines the message format and the protocol that is used to communicate the events that are generated by your Cisco IDS/IPS security device. JSA supports SDEE connections by polling directly to the IDS/IPS device and not the management software, which controls the device.

Note

You must have security access or web authentication on the device before you connect to JSA.

After you configure your Cisco IDS/IPS device, you must configure the SDEE protocol in JSA. When you configure the SDEE protocol, you must define the URL required to access the device.

For example, https://www.mysdeeserver.com/cgi-bin/sdee-server.

The URL must begin with http or https, and the path at the end of the URL depends on your Cisco IDS version:

  • If you are using RDEP (for Cisco IDS v4.0), check that /cgi-bin/event-server is at the end of the URL.

    For example, https://www.my-rdep-server.com/cgi-bin/event-server

  • If you are using SDEE/CIDEE (for Cisco IDS v5.x and later), check that /cgi-bin/sdee-server is at the end of the URL.

    For example, https://www.my-sdee-server/cgi-bin/sdee-server

JSA does not automatically discover or create log sources for syslog events from Cisco IDS/IPS devices. To integrate Cisco IDS/IPS device events with JSA, you must manually create a log source for each Cisco IDS/IPS in your network.

To configure a Cisco IDS/IPS log source by using SDEE polling:

  1. Log in to JSA.
  2. Click the Admin tab.
  3. On the navigation menu, click Data Sources.

    The Data Sources pane is displayed.

  4. Click the Log Sources icon.

    The Log Sources window is displayed.

  5. Click Add.

    The Add a log source window is displayed.

  6. In the Log Source Name field, type a name for your log source.
  7. In the Log Source Description field, type a description for the log source.
  8. From the Log Source Type list, select Cisco Intrusion Prevention System (IPS).
  9. From the Protocol Configuration list, select SDEE.

    The SDEE protocol configuration is displayed.

  10. Configure the following values:

    Table 1: SDEE Parameters (each parameter name is followed by its description)

    Log Source Identifier

    Type an IP address, host name, or name to identify the SDEE event source. An IP address or host name lets JSA attribute polled events to a unique event source.

    The log source identifier must be unique for the log source type.

    URL

    Type the URL that JSA uses to access the log source, for example, https://www.mysdeeserver.com/cgi-bin/sdee-server. The URL must begin with http or https.

    Here are some options:

    • If you are using SDEE/CIDEE (for Cisco IDS v5.x and later), check that /cgi-bin/sdee-server is at the end of the URL. For example, https://www.my-sdee-server/cgi-bin/sdee-server

    • If you are using RDEP (for Cisco IDS v4.0), check that /cgi-bin/event-server is at the end of the URL. For example, https://www.my-rdep-server.com/cgi-bin/event-server

    Username

    Type the user name that is used to authenticate to the SDEE URL. The user name can be up to 255 characters in length.

    Password

    Type the password that is used to authenticate to the SDEE URL. The password can be up to 255 characters in length.

    Events / Query

    Type the maximum number of events to retrieve per query. The valid range is 0 - 501 and the default is 100.

    Force Subscription

    Select this check box if you want to force a new SDEE subscription. By default, the check box is selected.

    The check box forces the server to drop the least active connection and accept a new SDEE subscription connection for this log source.

    Clearing the check box continues with any existing SDEE subscription.

    Severity Filter Low

    Select this check box to poll low-severity events.

    Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.

    Severity Filter Medium

    Select this check box to poll medium-severity events.

    Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.

    Severity Filter High

    Select this check box to poll high-severity events.

    Log sources that support SDEE return only the events that match the selected severity levels. By default, the check box is selected.

  11. Click Save.
  12. On the Admin tab, click Deploy Changes.

    The log source is added to JSA. Events that are polled from your Cisco IDS/IPS appliances are displayed on the Log Activity tab of JSA.
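The URL rules above and the limits in Table 1 can be checked before a log source is saved. The following validator is an added example, not JSA or Cisco code; the SdeeLogSource class, its protocol field (which stands in for the Cisco IDS version, "sdee" for v5.x and later, "rdep" for v4.0) and the validate function are assumptions made for this illustration.

```python
"""Check a JSA SDEE log-source configuration against the rules in this page.

Added illustration only; not part of JSA or the Cisco SDEE implementation.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Required URL path per Cisco IDS version, taken from the steps above.
EXPECTED_PATH = {
    "rdep": "/cgi-bin/event-server",  # Cisco IDS v4.0 (RDEP)
    "sdee": "/cgi-bin/sdee-server",   # Cisco IDS v5.x and later (SDEE/CIDEE)
}


@dataclass
class SdeeLogSource:
    """Hypothetical container mirroring the Table 1 fields (defaults as in the table)."""
    identifier: str
    url: str
    username: str
    password: str
    protocol: str = "sdee"          # assumed field: "sdee" or "rdep"
    events_per_query: int = 100
    force_subscription: bool = True
    severity_low: bool = True
    severity_medium: bool = True
    severity_high: bool = True


def validate(cfg: SdeeLogSource) -> list:
    """Return a list of problems; an empty list means the settings follow Table 1."""
    problems = []
    if not cfg.identifier.strip():
        problems.append("Log Source Identifier is required (unique per log source type)")
    parsed = urlparse(cfg.url)
    if parsed.scheme not in ("http", "https"):
        problems.append("URL must begin with http or https")
    want = EXPECTED_PATH.get(cfg.protocol)
    if want is None:
        problems.append(f"unknown protocol {cfg.protocol!r}; use 'sdee' or 'rdep'")
    elif not parsed.path.endswith(want):
        problems.append(f"URL path must end with {want} for {cfg.protocol}")
    for name, value in (("Username", cfg.username), ("Password", cfg.password)):
        if not value or len(value) > 255:
            problems.append(f"{name} must be set and at most 255 characters")
    if not 0 <= cfg.events_per_query <= 501:
        problems.append("Events / Query must be in the range 0 - 501")
    # Only events matching a selected severity are returned, so an empty
    # selection would poll nothing; flag it.
    if not (cfg.severity_low or cfg.severity_medium or cfg.severity_high):
        problems.append("no severity filter selected; no events would be returned")
    return problems
```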