07-10-2010 05:04 AM
May I know how to configure the syslog format for Cisco mars to display certain column for log fie from other network devices? Thanks for the prompt reply.
07-12-2010 04:02 AM
I am not clear on the outcome you are requesting assistance in implementing. In most instances, CS-MARS simply presents the raw syslog message as received from the reporting device in the output of any query with a result format of "All Matching Event Raw Messages".
If you are asking how to format a reporting devices syslog messages to be successfully received and parsed by CS-MARS, there are two possibilities:
- select the correct device/software details when adding the device to the CS-MARS "Security and Monitor Device List"; this ensures CS-MARS will correctly parse the received syslog message. This is covered in the Configuration Guide for CS-MARS release 6.0:
- use the Device Support Framework to create a custom parser for a device not natively supported by CS-MARS. This is covered in the User Guide for CS-MARS release 6.0:
Scott
08-15-2010 06:32 AM
Thanks for your user guide. May I know how to extract the detailed message (raw data) according to the incident ID?
08-16-2010 04:45 AM
If you click the Incident ID you should be brought to a view of the rule (at the top) that triggered the incident along with the session data (at the bottom) that matched the rule. Within this event data, you should see the name of the device that provided the event. Next to/under the device name should be an icon of a page with '0101' across it. If you click this page, a pop-up window should open that displays the raw message that was received from the reporting device.
Scott
08-16-2010 05:20 AM
I follow the steps on the link below:
under content: Create Device Event Types for a Custom Device Type
I still cannot see the raw data message. Do I need to map the template to the IP address for the device?
After step 9, once the log template is defined and submitted, you must define a reporting device based on the custom device.
How to define a reporting device based on the custom device?
08-16-2010 05:30 AM
You need to add a reporting device to CS-MARS as usual; navigate to:
ADMIN>System Setup>Security and Monitor Devices
Click Add
In the "Device Type:" drop-down list, choose your newly created custom device. If the device you created is a software-based device, you will first need to choose one of the two options "Add SW security apps on new host" or "Add SW security apps on existing host". The full process is outlined here:
Scott
08-16-2010 05:42 AM
Hi,
If that device is the existing device, can I create a new device with the same IP and apply the template that I created to that new device?
08-16-2010 05:44 AM
You will need to delete the existing device and create a new device if the device type changes.
Scott
08-23-2010 01:09 AM
Need your help here again. How to monitor those inactive cs-mars reporting device? Is there any function need to be activated?
08-23-2010 03:26 AM
As long as the devices are configured in 'Security and Monitor Devices', CS-MARS will monitor for inactivity (no events received in the previous one hour period).
Scott
08-23-2010 04:23 AM
The devices are configured in 'Security and Monitor Devices'. If there are no events received in the previous one hour period ("The following device has not reported events to MARS in 3600 seconds."), it should not reflect as an incident. It is not considered a problem. Am I right to say that?
08-23-2010 04:27 AM
CS-MARS should create a green severity incident titled "Inactive CS-MARS reporting device" for all configured Security and Monitor devices from which it has not received any raw messages in the previous one hour period.
Scott
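The two behaviours discussed in this thread, parsing raw syslog messages from a reporting device (including a custom device type defined through the Device Support Framework) and raising an "Inactive CS-MARS reporting device" incident when a configured device has sent nothing in the previous 3600 seconds, can be illustrated outside the appliance. The script below is an added example written for this thread; it is not CS-MARS code and does not reproduce the appliance's actual parser or incident logic. The raw messages, host names, the key=value layout of the custom device's events, and the 2010 timestamps are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample raw syslog messages, in the shape a collector receives
# them: "<PRI>Mon DD HH:MM:SS host message". The hosts and text are made up.
SAMPLE_RAW_MESSAGES = [
    "<189>Aug 24 03:10:05 fw-edge-01 %ASA-5-111008: User 'admin' executed the 'show run' command.",
    "<190>Aug 24 03:12:40 core-sw-01 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.0.0.5 started",
    "<189>Aug 24 04:02:11 fw-edge-01 %ASA-5-111010: User 'admin' executed 'write memory'",
    "<14>Aug 24 04:15:00 custom-app-01 APPLOG sev=warn user=jsmith action=login result=failure",
]

# BSD-style syslog header: priority, timestamp (no year), host, free-form message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Inactivity window quoted in the thread: 3600 seconds without any raw message.
INACTIVITY_WINDOW = timedelta(seconds=3600)


def parse_raw_message(raw, year):
    """Split one raw syslog line into facility, severity, timestamp, host and message.

    Returns None for lines that do not carry a parseable header, so a caller can
    count unparsed input instead of silently dropping it.
    """
    m = SYSLOG_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group("pri"))
    # BSD syslog timestamps omit the year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "host": m.group("host"),
        "message": m.group("msg"),
    }


def parse_custom_fields(message):
    """Hypothetical custom-device parser: extract key=value tokens from the message body.

    This stands in for a Device Support Framework template; the key=value layout
    is an assumption made for the constructed custom-app-01 sample.
    """
    fields = {}
    for token in message.split():
        key, sep, value = token.partition("=")
        if sep and key:
            fields[key] = value
    return fields


def inactive_devices(events, configured_devices, now):
    """Return one incident-like record per configured device with no event in the last hour.

    A device that is configured but has never sent anything is reported too,
    since from the collector's point of view it is equally silent.
    """
    last_seen = {}
    for ev in events:
        host = ev["host"]
        if host not in last_seen or ev["timestamp"] > last_seen[host]:
            last_seen[host] = ev["timestamp"]

    incidents = []
    for device in configured_devices:
        seen = last_seen.get(device)
        if seen is None or now - seen > INACTIVITY_WINDOW:
            incidents.append({
                "title": "Inactive CS-MARS reporting device",
                "severity": "green",
                "device": device,
                "last_event": seen,
            })
    return incidents


if __name__ == "__main__":
    events = [e for e in (parse_raw_message(r, 2010) for r in SAMPLE_RAW_MESSAGES) if e]
    for ev in events:
        print(ev["timestamp"], ev["host"], "sev", ev["severity"], parse_custom_fields(ev["message"]) or "")
    # Constructed "now": 05:00 on the same day; ids-sensor-02 is configured but silent.
    configured = ["fw-edge-01", "core-sw-01", "custom-app-01", "ids-sensor-02"]
    for inc in inactive_devices(events, configured, datetime(2010, 8, 24, 5, 0, 0)):
        print(inc["title"], "->", inc["device"], "last event:", inc["last_event"])
```

Run against the constructed input with "now" set to 05:00, fw-edge-01 and custom-app-01 are within the hour and stay quiet, while core-sw-01 (last message 03:12:40) and the never-seen ids-sensor-02 each produce an inactivity record; that is the same distinction the thread draws between a device that is merely quiet and one the collector has lost.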
08-24-2010 04:44 AM
I have 1 network device which usually triggers a red incident on the Cisco MARS. Suddenly, it doesn't send any syslogs to Cisco MARS anymore. There are no changes on the whole network, and the Cisco MARS is still able to discover this device by sending SNMP traffic. What could be the reason for this to happen, and are any settings configured wrongly on Cisco MARS?
08-24-2010 04:53 AM
If there are no events arriving at the CS-MARS, the issue may be with the reporting device. You will need to confirm that the device is sending the expected events to the CS-MARS.
This can normally be monitored from the CS-MARS CLI using tcpdump:
You should see output of events arriving from the device. If there are no events arriving, the issue is with the reporting device. If you see events arriving at the CS-MARS, the issue is with the CS-MARS. Further troubleshooting would most likely require a service request be opened with TAC.
Scott
11-03-2010 12:56 AM
To prevent the loss of configuration after rebooting the Cisco MARS, may I know whether there are any commands to save the configuration from a PuTTY session?