When you configure embedded IDS sensors in your network, it is important to monitor their activity frequently. If the sensors are configured only to generate alarms, you need to see the alarms so that you can take the appropriate action. If the sensors are configured to drop or reset connections in response to an alarm, you should review the logs to learn what took place.
In addition, the whole IDS process requires some tuning to reduce the number of false positive alarms. Watching the alarm logs helps you determine which alarms are false and should be removed from the signature audit.
The following sections step through the two types of alarm collection as they are deployed and monitored.