API - Cisco IDS/IPS | LogRhythm Documentation

Since Cisco introduced its first Intrusion Detection System (IDS), the company has progressively developed more sophisticated protocols for communicating events to remote users and applications. Early Cisco IDS systems supported the POP (Post Office Protocol) standard, which was replaced by the proprietary Remote Data Exchange Protocol (RDEP).

With the release of Cisco's Intrusion Prevention System (IPS) 5.0 software, the company published a new open standard called Security Device Event Exchange (SDEE), sometimes referred to as RDEP2, that supports subscription-based remote event collection. The RDEP protocol was deprecated in IPS version 6.0 and may not be supported in the future. Therefore, LogRhythm has adopted the SDEE protocol for event collection from Cisco IDS/IPS sensors.

Prerequisites

To collect event messages from a Cisco IDS/IPS device, LogRhythm release 4.1 or higher must be installed. The Windows version of the LogRhythm Agent must be used as the collection point; Linux and UNIX agents do not support the Cisco IDS/IPS message source.
The Windows host system that will be used as the collection point must be able to establish a secure HTTPS connection to the sensor. You can verify this by using a web browser on the Windows host to connect to the Cisco sensor.
A System Monitor Pro Agent is required to collect event messages from one or more Cisco IDS/IPS sensors.

Configure the Cisco Sensor

Before a Cisco IDS/IPS sensor allows a remote user or application to collect events, the sensor's web server must be configured properly. This section lists the applicable sensor settings. Consult the appropriate version of your Cisco documentation for instructions about how to verify and/or modify these settings.

The Cisco SDEE service operates as a web server on the sensor. To configure the Cisco sensor to accept secure HTTPS connections, ensure that the following sensor settings have been configured:

Cisco IPS Setting	Description
Allowed Hosts	Add the LogRhythm Windows Agents host information.
Users	Ensure a user name is available in the Administrator (not recommended) or Viewer (recommended) role.
Enable TLS/SSL	Ensure this setting is enabled.
Web Server Port	Select a port for the HTTPS listener. The default port is 443.

Configure the sdee.ini File

Copy the sdee.ini configuration file to the LogRhythm Agent config directory: C:\Program Files\LogRhythm\LogRhythm System Monitor\config\sdee.ini

If you intend to use this agent to collect event messages from more than one Cisco IDS/IPS device then you need to make a separate copy of this file for each device. You may rename the file if necessary. In addition, you need to create a Log Message Source type for each device.

The following settings are specified in that file:

Setting	Default Value	Description
Host	CHANGE_THIS	Cisco IPS sensor host IP address
HostPort	443	Cisco IPS sensor host IP address
HttpsProtocol	SSL3	Cisco IPS web server HTTPS protocol. Can be SSL3 or TLS
URISchema	https	URI schema used for constructing the URL for the sensor connection. Can be https or http
HostUsername	CHANGE_THIS	Cisco IPS username
HostPassword	CHANGE_THIS	Password for Retina CS user name. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile] For more information on how to use the LogRhythm Encryption Utility, see .
EventTypes	CHANGE_THIS	Enter one or more event types separated by commas (evAlert, evError, evStatus, evShunRqst) to collect only the event types you have specified. Leave this setting blank to collect all available event types.
AlertSeverities	CHANGE_THIS	Enter one or more alert severity levels separated by commas (informational, low, medium, high) to collect only the specified levels. Leave this setting blank to collect all available alert severity levels. This setting has no effect when alert events are filtered out by the EventTypes setting.
ErrorSeverities	CHANGE_THIS	Enter one or more error severity levels separated by commas (warning, error, fatal) to collect only the specified levels you specify. Leave this setting blank to collect all available error severity levels. This setting has no effect when error events are filtered out by the EventTypes setting.
MustHaveAlarmTraits	CHANGE_THIS	Enter the alarm traits to include by using one of these formats: A range of alarm traits: 0-31 A comma-separated list of alarm traits: 1,3,9,15,31 Leave this setting blank to prevent filtering alarms by trait. The effects of the MustHaveAlarmTraits and MustNotHaveAlarmTraits settings are combined.
MustNotHAveAlarmTraits	CHANGE_THIS	Enter the alarm traits to exclude by using one of these formats: A range of alarm traits: 11-20 A comma-separated list of alarm traits: 10,19,23 Leave this setting blank to prevent filtering alarms by trait. The effects of the MustHaveAlarmTraits and MustNotHaveAlarmTraits settings are combined.
StartTime	CHANGE_THIS	Enter the date and time of the oldest event that you wish to collect from the sensor. Leave this setting blank to collect all events stored on the sensor’s hard drive. This setting allows you to filter out historical events that may be months old and of no value. When used, this setting must be entered using the format yyyy-mm-ddThh:mm:ss and the time must be in UTC time. Note that this format requires two-digits for all date and time values except the year, which must be four digits long. For example: StartTime=2008-10-01T9:30:00 INCORRECT: Hour is one digit StartTime=2008-10-01T09:30:00CORRECT: Hour is two-digits

After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

The name of the log message source is API - Cisco IDS/IPS. In addition, when configuring this log source:

For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
On the Flat File Settings tab, enter the following:
- File Path. <path to log file, including the file name and extension>