17-21
Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 17 Administrative Tasks for the Sensor
Configuring Events
Displaying Events
Note: The Event Store has a fixed size of 30 MB for all platforms.
Note: Events are displayed as a live feed. To cancel the request, press Ctrl-C.
Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning] [error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss] command to display events from the Event Store. Events are displayed beginning at the start time. If you do not specify a start time, events are displayed beginning at the current time. If you do not specify an event type, all events are displayed.
The following options apply:
• alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
• include-traits—Displays alerts that have the specified traits.
• exclude-traits—Does not display alerts that have the specified traits.
• traits—Specifies the trait bit position in decimal (0 to 15).
• min-threat-rating—Displays events with a threat rating above or equal to this value. The default is 0. The valid range is 0 to 100.
• max-threat-rating—Displays events with a threat rating below or equal to this value. The default is 100. The valid range is 0 to 100.
• error—Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
• NAC—Displays the ARC (block) requests.
Note: The ARC is formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI.
• status—Displays status events.
• past—Displays events starting in the past for the specified hours, minutes, and seconds.
• hh:mm:ss—Specifies the hours, minutes, and seconds in the past to begin the display.
Note: The show events command continues to display events until a specified event is available. To exit, press Ctrl-C.
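The filter semantics of the alert options above (level selection, inclusive threat-rating bounds, trait bit positions 0 to 15, and the start-time/past window), as an added example run over constructed sample alerts; this is not code from the Cisco guide or from the sensor, and AlertEvent, trait_mask and filter_alerts are assumed names.

```python
# Added example (not from the Cisco guide or the sensor's own code): a model of
# the 'show events alert' filters described above, run over constructed sample
# alerts. AlertEvent, trait_mask and filter_alerts are assumed names.
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class AlertEvent:
    time: datetime
    level: str          # informational, low, medium or high
    threat_rating: int  # 0 to 100
    traits: int         # 16-bit mask; bit N set means trait N (0 to 15)

def trait_mask(positions):
    """Turn decimal trait bit positions (0 to 15) into a bit mask."""
    mask = 0
    for pos in positions:
        if not 0 <= pos <= 15:
            raise ValueError(f"trait bit position out of range: {pos}")
        mask |= 1 << pos
    return mask

def filter_alerts(events, levels=None, include_traits=(), exclude_traits=(),
                  min_rr=0, max_rr=100, start=None, past=None, now=None):
    """Alerts matching the option semantics of 'show events alert', oldest first.
    levels=None shows all levels; min_rr/max_rr are inclusive bounds; 'start' or
    'past' sets where the feed begins, and neither means 'from the current time'.
    Assumption: an alert must carry every included trait and no excluded trait."""
    if not 0 <= min_rr <= max_rr <= 100:
        raise ValueError("threat rating bounds must satisfy 0 <= min <= max <= 100")
    now = now or datetime.now()
    begin = start if start is not None else (now - past if past is not None else now)
    inc, exc = trait_mask(include_traits), trait_mask(exclude_traits)
    matched = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.time < begin or (levels and ev.level not in levels):
            continue
        if not min_rr <= ev.threat_rating <= max_rr:
            continue
        if (ev.traits & inc) != inc or (ev.traits & exc):
            continue
        matched.append(ev)
    return matched

NOW = datetime(2013, 6, 1, 12, 0, 0)  # constructed fixed clock for the sample
SAMPLE = [  # constructed alerts, not real sensor output
    AlertEvent(NOW - timedelta(minutes=30), "high", 90, trait_mask([3])),
    AlertEvent(NOW - timedelta(hours=2), "low", 20, 0),
    AlertEvent(NOW - timedelta(minutes=10), "medium", 60, trait_mask([3, 5])),
    AlertEvent(NOW - timedelta(minutes=5), "informational", 0, trait_mask([5])),
]
```

With no start time and no past window the model returns nothing from the stored sample, mirroring the live-feed behaviour where the display begins at the current time.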