17-24
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 17 Administrative Tasks for the Sensor
Configuring Events
This section describes how to display and clear events from the Event Store, and contains the following topics:
Displaying Events, page 17-24
Clearing Events from the Event Store, page 17-27
Displaying Events
Note The Event Store has a fixed size of 30 MB for all platforms.
Note Events are displayed as a live feed. To cancel the request, press Ctrl-C.
Use the show events [{alert [informational] [low] [medium] [high] [include-traits traits] [exclude-traits traits] [min-threat-rating min-rr] [max-threat-rating max-rr] | error [warning] [error] [fatal] | NAC | status}] [hh:mm:ss [month day [year]] | past hh:mm:ss] command to display events from the Event Store. Events are displayed beginning at the start time. If you do not specify a start time, the display begins at the current time, so only events that arrive after you issue the command are shown; specify a start time or use past to include events already in the Event Store. If you do not specify an event type, all events are displayed. The following options apply:
alert—Displays alerts. Provides notification of some suspicious activity that may indicate an attack is in process or has been attempted. Alert events are generated by the Analysis Engine whenever a signature is triggered by network activity. If no level is selected (informational, low, medium, or high), all alert events are displayed.
include-traits—Displays alerts that have the specified traits.
exclude-traits—Does not display alerts that have the specified traits.
traits—Specifies the trait bit position in decimal (0 to 15).
min-threat-rating—Displays events with a threat rating above or equal to this value. The default is 0. The valid range is 0 to 100.
max-threat-rating—Displays events with a threat rating below or equal to this value. The default is 100. The valid range is 0 to 100.
error—Displays error events. Error events are generated by services when error conditions are encountered. If no level is selected (warning, error, or fatal), all error events are displayed.
NAC—Displays the ARC (block) requests.
Note The ARC is formerly known as NAC. This name change has not been completely implemented throughout the IDM, the IME, and the CLI for Cisco IPS 7.1.
status—Displays status events.
past—Displays events starting in the past for the specified hours, minutes, and seconds.
hh:mm:ss—Specifies the hours, minutes, and seconds in the past to begin the display.
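The filter semantics of show events described above, as an added illustration that is not part of the Cisco guide and not the sensor's own code: a Python model of how the event type, level, trait, threat-rating and time options select records. The Event record, the NOW value and the sample events are constructed for the example; the 16-bit trait mask follows the "bit position in decimal (0 to 15)" wording, and the choice to apply the threat-rating and trait filters only to alert events (the only events that carry those fields) is an assumption made here, not something the page states.

```python
"""Model of the `show events` filters (added example, not Cisco's code).

The Event record and the sample events below are constructed for illustration;
the real Event Store holds XML event records with many more fields.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

ALERT_LEVELS = ("informational", "low", "medium", "high")
ERROR_LEVELS = ("warning", "error", "fatal")


@dataclass(frozen=True)
class Event:
    time: datetime
    kind: str                    # "alert", "error", "NAC" or "status"
    level: Optional[str] = None  # alert/error severity; None for NAC and status
    threat_rating: int = 0       # 0..100; only meaningful for alerts
    traits: int = 0              # 16-bit alert trait mask, bit positions 0..15


def parse_hms(text: str) -> timedelta:
    """Parse the hh:mm:ss argument of `past` into a duration."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    if not (0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError(f"invalid hh:mm:ss value: {text}")
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def has_trait(event: Event, bit: int) -> bool:
    """True if trait bit `bit` (given in decimal, 0..15) is set on the event."""
    if not 0 <= bit <= 15:
        raise ValueError("trait bit position must be 0..15")
    return bool(event.traits & (1 << bit))


def show_events(events: Iterable[Event], *, now: datetime,
                kind: Optional[str] = None, levels: Iterable[str] = (),
                include_traits: Optional[int] = None,
                exclude_traits: Optional[int] = None,
                min_threat_rating: int = 0, max_threat_rating: int = 100,
                start: Optional[datetime] = None,
                past: Optional[str] = None) -> List[Event]:
    """Return the events the command would display, oldest first."""
    if not (0 <= min_threat_rating <= max_threat_rating <= 100):
        raise ValueError("threat ratings must satisfy 0 <= min <= max <= 100")
    if start is not None and past is not None:
        raise ValueError("give either a start time or `past`, not both")
    # `past` counts back from now; with no start time the feed begins now,
    # so only events arriving after the request are shown.
    if past is not None:
        start = now - parse_hms(past)
    elif start is None:
        start = now
    levels = set(levels)
    if kind == "alert" and not levels:
        levels = set(ALERT_LEVELS)       # no level given: all alert levels
    elif kind == "error" and not levels:
        levels = set(ERROR_LEVELS)       # no level given: all error levels

    shown: List[Event] = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.time < start:
            continue
        if kind is not None and ev.kind != kind:
            continue
        if ev.kind in ("alert", "error") and levels and ev.level not in levels:
            continue
        if ev.kind == "alert":  # assumption: rating/trait filters apply to alerts
            # Both threat-rating bounds are inclusive ("above or equal",
            # "below or equal").
            if not min_threat_rating <= ev.threat_rating <= max_threat_rating:
                continue
            if include_traits is not None and not has_trait(ev, include_traits):
                continue
            if exclude_traits is not None and has_trait(ev, exclude_traits):
                continue
        shown.append(ev)
    return shown


# Constructed "current time" and sample Event Store contents for the example.
NOW = datetime(2011, 3, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    Event(NOW - timedelta(hours=3), "alert", "high", 95, traits=0b1000),     # bit 3
    Event(NOW - timedelta(hours=1, minutes=30), "alert", "medium", 60, traits=0b0001),
    Event(NOW - timedelta(minutes=20), "alert", "low", 15),
    Event(NOW - timedelta(minutes=10), "error", "warning"),
    Event(NOW - timedelta(minutes=5), "status"),
    Event(NOW + timedelta(seconds=30), "alert", "informational", 5),  # arrives later
]

if __name__ == "__main__":
    # Equivalent of: show events alert min-threat-rating 10 past 02:00:00
    for ev in show_events(SAMPLE_EVENTS, now=NOW, kind="alert",
                          min_threat_rating=10, past="02:00:00"):
        print(ev.time.time(), ev.kind, ev.level, ev.threat_rating)
```

Running the block with no filters at all returns only the event stamped after NOW, which is the practical reason a live show events session on a sensor appears empty until new traffic triggers something; adding past 04:00:00 (or an explicit start time) is what brings stored events into the display.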