Use the global configuration mode command ip audit notify to specify the method(s) of event notification. If alarms are to be sent to a Cisco Secure IDS Director, use the nr-director keyword in the command syntax. If alarms are to be sent to a Syslog server, use the log keyword in the command syntax. The two commands can be used together to log to both devices. Use the no version of this command to return to the default setting. The syntax is
Rtr1(config)#ip audit notify {nr-director | log}
Rtr1(config)#no ip audit notify {nr-director | log}
This command was introduced in IOS 12.0(5)T. The default is to
send messages in syslog format.
The following example directs logging to both the Cisco Secure IDS Director and a Syslog server.
Rtr1(config)#ip audit notify nr-director
Rtr1(config)#ip audit notify log
While they're not a part of IDS, the following commands must also be issued to identify the Syslog server by IP address or host name and to direct logging output to that server.
Rtr1(config)#logging 192.168.1.10
Rtr1(config)#logging on
Without these commands, the output would be displayed on the
router console and would look like the following output. Notice the output
includes the IDS signature detected, plus the source and destination IP
addresses.
01:04:33: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.1.10 to 192.168.2.1
01:04:34: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.168.2.1 to 192.168.1.10
The previous signatures triggered are
Figure 7-2 shows what the entries might look like in
a Syslog server. The sample uses a free Syslog daemon from Kiwi Enterprises.
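Once the alarms reach a Syslog server, a collector still has to pull the signature ID, signature name and endpoint addresses out of each line. The following parser is an added example (not code from the book or from Cisco) that handles the %IDS-4- message format shown above; the sample lines are constructed from the two messages in the text plus one non-IDS line to show that unrelated messages are skipped.

```python
import re
from typing import Optional, NamedTuple

# Constructed sample input: the two IDS lines shown above plus an ordinary
# IOS system message that the parser must ignore.
SAMPLE_LOG = """\
01:04:33: %IDS-4-ICMP_ECHO_SIG: Sig:2004:ICMP Echo Request - from 192.168.1.10 to 192.168.2.1
01:04:34: %IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.168.2.1 to 192.168.1.10
01:05:00: %SYS-5-CONFIG_I: Configured from console by console
"""

# Layout of an IOS IDS alarm: <timestamp>: %IDS-<severity>-<mnemonic>: Sig:<id>:<name> - from <src> to <dst>
IDS_LINE = re.compile(
    r"^(?P<ts>\S+):\s+%IDS-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"Sig:(?P<sig>\d+):(?P<name>.*?)\s+-\s+from\s+(?P<src>[\d.]+)\s+to\s+(?P<dst>[\d.]+)\s*$"
)

class IdsAlarm(NamedTuple):
    timestamp: str
    severity: int      # IOS syslog severity; 4 is "warning"
    mnemonic: str
    sig_id: int
    sig_name: str
    src: str
    dst: str

def parse_ids_line(line: str) -> Optional[IdsAlarm]:
    """Return an IdsAlarm for an %IDS- message, or None for any other line."""
    m = IDS_LINE.match(line)
    if not m:
        return None
    return IdsAlarm(m["ts"], int(m["sev"]), m["mnemonic"], int(m["sig"]),
                    m["name"].strip(), m["src"], m["dst"])

def parse_ids_log(text: str) -> list:
    """Parse a block of syslog text, keeping only the IDS alarms."""
    return [a for a in (parse_ids_line(l) for l in text.splitlines()) if a]

def count_by_signature(alarms) -> dict:
    """Tally alarms per signature so repeated hits on one signature stand out."""
    counts = {}
    for a in alarms:
        counts[(a.sig_id, a.sig_name)] = counts.get((a.sig_id, a.sig_name), 0) + 1
    return counts

def count_by_source(alarms) -> dict:
    """Tally alarms per source address to see which host is generating them."""
    counts = {}
    for a in alarms:
        counts[a.src] = counts.get(a.src, 0) + 1
    return counts
```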
If messages are sent to the Cisco Secure IDS Director, then
it’s necessary also to configure the Cisco Secure Director’s Post Office
transport parameters for both the router (using the ip audit po
local command) and the Cisco Secure IDS Director (using the ip
audit po remote command).