Cisco IPS SDEE - Log collection does not work

Hi guys,

I am trying to get logs from Cisco IPS SDEE. Unfortunately, nothing is coming in.

I followed KB74306 and the output is:

--2015-11-24 20:38:25--  https://xxx.xxx.xxx.xxx/cgi-bin/sdee-server?startTime=1443904687000000000&events=evIdsAlert&maxNbrOf...

Connecting to xxx.xxx.xxx.xxx:443... connected.

WARNING: cannot verify xxx.xxx.xxx.xxx's certificate, issued by `/C=US/O=Cisco Systems, Inc./OU=SSM-IPS10/CN=xxx.xxx.xxx.xxx':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 401 Unauthorized

Connecting to xxx.xxx.xxx.xxx:443... connected.


Then I followed KB73932, and the result is that locally, on a PC which is on the same network, I was able to see results, but I had to interact with the certificate issue reported by the web browser.

Does anyone have an idea how to solve it?

Michał

5 Replies
McAfee Employee andy777
Message 2 of 6

Re: Cisco IPS SDEE - Log collection does not work

Look for an error in /var/log/messages. It should include 'sdeetest'. You could even run sdeetest.pl from the CLI for a possibly better error with something like:

sdeetest -t 1 -h <crisco-IP> -p 443 -d 4 -i cgi-bin/sdee-server -u user -e 'sdfsdfsdfsdfsdfsfsdf'

Replace the IP, username and password. You can find the encrypted password in /etc/NitroGuard/thirdparty.conf on the Receiver. This command also produces debug output.

Re: Cisco IPS SDEE - Log collection does not work

Hi Andy,

I did it and the results are the following:

wget --auth-no-challenge --no-check-certificate --progress=dot --timeout=90 --tries=2 --user='xxxxxx' --password='xxxxxx'  -O /tmp/104221448886219.data -o /tmp/104221448886219.data.log 'https://xxx.xxx.xxx.xxx:443/cgi-bin/sdee-server?action=getVersions' --secure-protocol=SSLv2

wget --auth-no-challenge --no-check-certificate --progress=dot --timeout=90 --tries=2 --user='xxxxxx' --password='xxxxxx'  -O /tmp/104221448886219.data -o /tmp/104221448886219.data.log 'https://xxx.xxx.xxx.xxx:443/cgi-bin/sdee-server?action=getVersions' --secure-protocol=SSLv3

wget --auth-no-challenge --no-check-certificate --progress=dot --timeout=90 --tries=2 --user='xxxxxx' --password='xxxxxx'  -O /tmp/104221448886219.data -o /tmp/104221448886219.data.log 'https://xxx.xxx.xxx.xxx:443/cgi-bin/sdee-server?action=getVersions' --secure-protocol=TLSv1

Ok

The problem is that I cannot find those temp files on the hard drive.

McAfee Employee andy777
Message 4 of 6

Re: Cisco IPS SDEE - Log collection does not work

Unfortunately there isn't an error or obvious indicator of something not working in the status message. 

Are you looking at the data using a standard dashboard without filters (like Normalize Dashboard) and setting your time frame to All?

And there's no further mention of the data source in /var/log/messages?

Re: Cisco IPS SDEE - Log collection does not work

Yes, I am using the standard dashboard and there is not anything in /var/log/mess

The problem is that I cannot find those files on the drive in /tmp/ which are visible in the sdeetest.pl listing:

-O /tmp/104221448886219.data -o /tmp/104221448886219.data.log

This is some magic

McAfee Employee andy777
Message 6 of 6

Re: Cisco IPS SDEE - Log collection does not work

The tmp file is removed as it is "processed", I guess. I had hoped for additional information when using the '-d 4' flag to enable the debugging, but I don't have enough info to see the issue (and don't have a Cisco IPS to test with). You may need to open a case with support for this one. You could try to grep -i for sdee in /var/logs to make sure there isn't anything else being written somewhere.
