Cisco Security Manager logging SDEE messages from IPS in Event viewer
Cisco Security Manager +4 (I was trying 4.0.1 at the time of this post) has an "event viewer" feature thats actually pretty good! It can receive syslog and SDEE messages, parse them and display them in the nice gui for you. Syslog is pretty straight forward to configure since you just set the CSM server as the receiving host. For SDEE messages these are pulled by CSM from the IPS device using https://<myIPSdevice>/cgi/bin/sdee-server
For CSM to be able to successfully pull the messages from the IPS it must be an "allowed host" under Platform > Device Admin > Device Access > Allowed Hosts. This cant either be the explicit IP of CSM or a subnet containing CSM. Now you can RDP onto the CSM box itsself and try to connect to https://<myIPSdevice>/cgi/bin/sdee-server
if this doesnt work theres no point going further. If this works but your still not seeing the IPS messages in your event manager check the following file CSCOpx\MDC\log\operation\Vmsevmgr.log
I had the following issue highlighted in this log where the self signed certificate had expired
26-Jan-2012 13:57:11 ERROR (EventingTrustManager.java:122) [SDEE Device Poll-0] - SSL Handshake Error occured while certificate validation : The certificate for the device m00nie_IPS has expired. Verify the time settings on both the device and Security Manager Server if you feel this error is not valid. You may need to generate a new certificate on the device if the certificate has expired.
26-Jan-2012 13:57:11 ERROR (SdeeDevice.java:441) [SDEE Device Poll-0] - 10.1.1.1: HTTP error or exception<br />
26-Jan-2012 13:57:11 WARN (SdeeDevice.java:286) [SDEE Device Poll-0] - in pollEvents call to getSubscriptionEvents() returned 30<
Once this had been regenerated ( Device manager > Configuration > Sensor Management > Server Certificate > Generate Certificate )
I had the following error in the Vmsevmgr.log file
26-Jan-2012 14:05:11 ERROR (EventingTrustManager.java:122) [SDEE Device Poll-0] - SSL Handshake Error occured while certificate validation : Mismatch in server certificate thumbprint. Stored thumbprint: 6f760d4a6ee131c9cff2365gfg490, received thumbprint: deab084554a1f9d8c18782977d6f<br />
26-Jan-2012 14:05:11 ERROR (SdeeDevice.java:441) [SDEE Device Poll-0] - 10.1.1.1: HTTP error or exception<br />
26-Jan-2012 14:05:11 WARN (SdeeDevice.java:286) [SDEE Device Poll-0] - in pollEvents call to getSubscriptionEvents() returned 30
Obviously the certificate hashes changed since the cert was regenerated. So Device properties > Credentials > Authentication Certificate Thumbprint > Accept
. The Vmsevmgr.log should now show successful collection of SDEE messages and they should be immediately visible in the event viewer :)
m00nie