Configure SDEE Plugins

Applies to Product: USM Appliance™ AlienVault OSSIM®

Cisco Systems IPS Sensor 5.0 uses the Security Device Event Exchange (SDEE) protocol, which specifies the format of the messages used to collect events generated by certain Cisco security devices. AlienVault supports this type of log collection, and USM Appliance captures SDEE events from the following devices:

  • Cisco Network Intrusion Prevention Systems (IPS)
  • Cisco Network Intrusion Detection Systems (IDS)
  • Cisco Switch IDS
  • Cisco IOS routers with the Inline Intrusion Prevention System (IPS) functions
  • Cisco IDS modules for routers
  • Cisco PIX Firewalls
  • Cisco Catalyst 6500 Series firewall service modules (FWSMs)
  • Management Center for Cisco Security Agents
  • CiscoWorks Monitoring Center for Security

Working with the SDEE Devices

Each time a new session begins with an SDEE device, USM Appliance provides a subscription ID. (The latest subscription ID is stored in /etc/ossim/agent/sdee_sid.data.)

To see messages related to the subscription

  1. Connect to the AlienVault Console through SSH and use your credentials to log in.

    The AlienVault Setup menu displays.

  2. On the AlienVault Setup main menu, select Jailbreak System to gain command line access.

    Select Yes when prompted. You will be in the root directory.

  3. Enter

    grep subs /var/log/ossim/agent.log

Normally the AlienVault Agent service closes the session automatically when it finishes. If it does not, close the session manually.

To close the last session

  • Enter

    python /usr/share/ossim/scripts/closeSDEEsession.py <SubscriptionID>

    If you still have problems, look for the SDEE-related messages in the agent log.

To find SDEE messages in the agent log

  • Enter

    grep SDEE /var/log/ossim/agent.log
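The three checks above (finding the subscription messages, identifying a session that was never closed, and listing the SDEE-related lines) combined into one script, as an added example that is not part of this page or of AlienVault's own scripts. It runs on a constructed agent.log embedded in the script; the wording of those log lines is an assumption, so adapt the sed and grep patterns after running the page's grep commands on your own appliance. The close command is printed rather than executed, so the script runs anywhere without touching a live sensor.

```sh
#!/bin/sh
# Added example (not AlienVault's own tooling). Helpers for the checks above:
# list subscription messages, find subscriptions opened but never closed, and
# read the last subscription ID written to sdee_sid.data.
# ASSUMPTION: the agent.log line format below is constructed for this example;
# the real /var/log/ossim/agent.log wording may differ, so adjust the patterns
# after running `grep subs /var/log/ossim/agent.log` on your appliance.

# Constructed sample agent.log (assumed format), written to the path in $1.
make_sample_log() {
  cat > "$1" <<'EOF'
2024-03-01 10:00:01 Agent [INFO]: SDEE: opening session with 192.0.2.10
2024-03-01 10:00:02 Agent [INFO]: SDEE: subscription opened, subscriptionId=sub-1-abc123
2024-03-01 10:05:00 Agent [INFO]: SDEE: closing subscription sub-1-abc123
2024-03-01 10:06:00 Agent [INFO]: SDEE: subscription opened, subscriptionId=sub-2-def456
2024-03-01 10:07:00 Agent [WARNING]: SDEE: HTTP 403 from 192.0.2.10, check the device credentials
EOF
}

# Same as `grep subs /var/log/ossim/agent.log`: subscription messages only.
sdee_subscription_messages() {
  grep subs "$1"
}

# Number of SDEE-related lines (`grep SDEE` from the page, counted).
sdee_message_count() {
  grep -c SDEE "$1"
}

# Subscription IDs opened in the log, one per line, de-duplicated.
sdee_subscription_ids() {
  sed -n 's/.*subscriptionId=\([^ ]*\).*/\1/p' "$1" | sort -u
}

# IDs that were opened but never closed: these are the sessions a manual
# closeSDEEsession.py run would target.
sdee_open_subscriptions() {
  log="$1"
  sdee_subscription_ids "$log" | while IFS= read -r sid; do
    grep -q "closing subscription $sid" "$log" || printf '%s\n' "$sid"
  done
}

# Last subscription ID recorded by the agent (assumed: one ID per line).
sdee_latest_sid() {
  sed -n '$p' "$1" | tr -d '[:space:]'
}

# The close command from the page, printed rather than executed so the
# example runs anywhere; paste it into the jailbroken console to act on it.
sdee_close_command() {
  printf 'python /usr/share/ossim/scripts/closeSDEEsession.py %s\n' "$1"
}

# Demo on the constructed log.
demo_log=$(mktemp)
make_sample_log "$demo_log"
echo "SDEE lines: $(sdee_message_count "$demo_log")"
for sid in $(sdee_open_subscriptions "$demo_log"); do
  echo "still open: $sid -> $(sdee_close_command "$sid")"
done
rm -f "$demo_log"
```

On a real appliance, point the functions at /var/log/ossim/agent.log and /etc/ossim/agent/sdee_sid.data instead of the constructed file; if sdee_open_subscriptions reports an ID that matches the one in sdee_sid.data after the agent has finished, that is the session to close with the printed command.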

Additional Configuration Required Before You Enable an SDEE Plugin

Before you enable the plugin, you must configure USM Appliance to accept events from the SDEE-capable devices among your USM Appliance assets.