E-102
Cisco Intrusion Prevention System Appliance Hardware Installation Guide for IPS 7.1
OL-24002-01
Appendix E Troubleshooting
Gathering Information
  originator:
    hostId: sensor
    appName: mainApp
    appInstanceId: 2215
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
      user: cids
      application:
        hostId: 64.101.182.101
        appName: -cidcli
        appInstanceId: 2316
evStatus: eventId=1041526834774829056 vendor=Cisco
  originator:
    hostId: sensor
    appName: login(pam_unix)
    appInstanceId: 2315
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  syslogMessage:
    description: session opened for user cisco by cisco(uid=0)
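The show events output above is a nested key/value format whose nesting is carried by indentation; the following Python, added here and not part of the Cisco guide, parses such output into dictionaries and picks out syslog records of sessions opened as uid=0 for triage. The sample text is constructed to mirror the two records on this page in the indented form the sensor prints; the first record's eventId and header are assumptions, since that record is cut off on the page.

```python
import re
# Constructed sample in the indented form the sensor prints, modelled on this page.
SAMPLE = """\
evStatus: eventId=1041526834774829055 vendor=Cisco
  originator:
    hostId: sensor
    appName: mainApp
  controlTransaction: command=getVersion successful=true
    description: Control transaction response.
    requestor:
      user: cids
      application:
        hostId: 64.101.182.101
        appName: -cidcli
evStatus: eventId=1041526834774829056 vendor=Cisco
  originator:
    hostId: sensor
    appName: login(pam_unix)
  time: 2011/01/08 02:41:00 2011/01/08 02:41:00 UTC
  syslogMessage:
    description: session opened for user cisco by cisco(uid=0)
"""
ATTR_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Turn the indented key/value output into a list of nested event dicts."""
    events, stack = [], []  # stack: (indent, node) of the blocks still open
    for raw in filter(str.strip, text.splitlines()):
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:  # close finished blocks
            stack.pop()
        # Block header: 'name:' or 'name: k=v ...'; anything else is a leaf value.
        is_block = not value or re.fullmatch(r"(?:\w+=\S+\s*)+", value)
        if not is_block and stack:
            stack[-1][1][key] = value
            continue
        node = {"attrs": dict(ATTR_RE.findall(value)) if is_block else {}}
        if stack:
            stack[-1][1][key] = node
        else:  # column 0 starts a new event record
            node["type"] = key
            events.append(node)
        stack.append((indent, node))
    return events

def privileged_sessions(events):
    """Syslog descriptions of sessions opened with uid=0, for triage."""
    return [e["syslogMessage"]["description"] for e in events
            if "uid=0" in e.get("syslogMessage", {}).get("description", "")]
```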
Clearing Events
Use the clear events command to clear the Event Store.
To clear events from the Event Store, follow these steps:
Step 1 Log in to the CLI using an account with administrator privileges.
Step 2 Clear the Event Store.
sensor# clear events
Warning: Executing this command will remove all events currently stored in the event store.
Continue with clear? []:
Step 3 Enter yes to clear the events.
cidDump Script
If you do not have access to the IDM, the IME, or the CLI, you can run the underlying script cidDump
from the service account by logging in as root and running /usr/cids/idsRoot/bin/cidDump. The path of
the cidDump file is /usr/cids/idsRoot/htdocs/private/cidDump.html. cidDump is a script that captures a
large amount of information including the IPS processes list, log files, OS information, directory
listings, package information, and configuration files.
To run the cidDump script, follow these steps:
Step 1 Log in to the sensor service account.
Step 2 Su to root using the service account password.