Cisco IDS XML Service - IDS Message Timestamp

Discussion created by RSA Admin Employee on Mar 25, 2008

The timestamps associated with the logs grabbed by the Cisco IDS XML Service appear to be based on the time the service pulled them from the IDS device, rather than the unix timestamp present on each log line. The unix timestamp in the logs is not quite a traditional unix timestamp in that it has some additional digits (only the first ten digits are the unix timestamp). Below is an example log line. Notice it also includes the timezone to correlate the proper time.

%IDSSXML-6-2000: ICMP Echo Reply;informational,200.0.0.1,,100.0.0.1,,S1,1206496617566109000,CDT,0,sensorName,null,null,null,null,null,null,null,Attacker,200.0.0.1,Victim,100.0.0.1,Other,1193247818885994341,null,sensorApp,337,-300,null,CDT,null,2000,0,null,null,null,null,null,

Thanks,

Colin Grady
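An added example, not part of the original post or of the RSA product, showing how a collector could take the event time from the line itself (first ten digits of the long timestamp field, plus the zone carried on the line) instead of stamping the log with the pull time, and how to measure the resulting skew. The field positions, the reading of the trailing nine digits as sub-second precision, and the reading of the -300 field as a UTC offset in minutes are all assumptions taken from the single sample line above.

```python
import re
from datetime import datetime, timedelta, timezone

# The example line from the post above (trailing whitespace stripped).
SAMPLE = ("%IDSSXML-6-2000: ICMP Echo Reply;informational,200.0.0.1,,100.0.0.1,,S1,"
          "1206496617566109000,CDT,0,sensorName,null,null,null,null,null,null,null,"
          "Attacker,200.0.0.1,Victim,100.0.0.1,Other,1193247818885994341,null,"
          "sensorApp,337,-300,null,CDT,null,2000,0,null,null,null,null,null,")

# Header: %IDSSXML-<severity>-<signature id>: <signature name>;<comma-separated fields>
HEADER = re.compile(r"^%IDSSXML-(\d)-(\d+): (.*?);(.*)$")

# Field positions are assumptions read off the single sample line above.
F_EVENT_TS, F_TZ_NAME, F_UTC_OFFSET = 6, 7, 26
F_ROLE_A, F_ADDR_A, F_ROLE_B, F_ADDR_B = 17, 18, 19, 20


def parse_idsxml(line):
    """Return the event's own timestamp (UTC and sensor-local) plus a few identity fields."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a %IDSSXML line")
    severity, sig_id, sig_name, rest = m.groups()
    f = rest.split(",")
    raw = f[F_EVENT_TS]
    if not raw.isdigit() or len(raw) < 10:
        raise ValueError("unexpected timestamp field: %r" % raw)
    # Only the first ten digits are epoch seconds, as the post notes; the remaining
    # digits are assumed to be sub-second precision (nanoseconds), kept to microseconds.
    epoch = int(raw[:10])
    micro = int(raw[10:].ljust(9, "0")[:6]) if len(raw) > 10 else 0
    event_utc = datetime.fromtimestamp(epoch, tz=timezone.utc).replace(microsecond=micro)
    # Assumption: the signed field at F_UTC_OFFSET is the sensor's UTC offset in
    # minutes (-300 agrees with the CDT zone name carried on the same line).
    sensor_tz = timezone(timedelta(minutes=int(f[F_UTC_OFFSET])), f[F_TZ_NAME])
    return {
        "severity": int(severity),
        "sig_id": sig_id,
        "sig_name": sig_name,
        "epoch": epoch,
        "event_utc": event_utc,
        "event_local": event_utc.astimezone(sensor_tz),
        f[F_ROLE_A].lower(): f[F_ADDR_A],   # "attacker": 200.0.0.1
        f[F_ROLE_B].lower(): f[F_ADDR_B],   # "victim": 100.0.0.1
    }


def collector_skew_seconds(line, collected_epoch):
    """Seconds between when the collector pulled the log and when the IDS saw the event."""
    return collected_epoch - parse_idsxml(line)["event_utc"].timestamp()


if __name__ == "__main__":
    ev = parse_idsxml(SAMPLE)
    print(ev["event_utc"].isoformat(), ev["event_local"].isoformat(), ev["attacker"], ev["victim"])
```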