Integration of IronPort into CS-MARS

lekchandmantri
Level 1

Can anyone advise how to integrate IronPort into CS-MARS? Thanks.

4 Replies

Jennifer Halim
Cisco Employee

Ironport is not a supported MARS device.

Here is the list of all devices supported by MARS for your reference:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html

Hi halijenn,

Thanks for your prompt response.

I agree, but we can add IronPort as a custom device and write custom log parsers for it. I am confused about which logs we need to capture and write parsers for, as IronPort does not provide the message log in one line; I mean it breaks it into pieces and maintains a MID for each line.

Secondly, I have set up a custom device. I received messages, but I got a "Buffer overflow" error message in IronPort and it stopped sending logs to CS-MARS.

Can you please advise as to what could be the cause of this?

I would really appreciate it if you could advise on some interesting things which we can log into CS-MARS from IronPort. Thanks.

What logs is the IronPort device sending? Syslog messages or SNMP traps? Generally MARS pretty much just takes syslog and/or SNMP. Other types of logging are normally pretty difficult to parse in MARS, and require a complex custom parser to be written.

I have set up to receive syslog messages from IronPort. We configured IronPort to push syslog maillog messages to CS-MARS. It received them for a while and then stopped, giving an error in IronPort something like "CSMARS buffer overflow". Below are some messages received from IronPort in CS-MARS.

Parsing error or event type unknown: <22>May 14 12:47:35 MailLog_CSMARS: Info: Message done DCID 61561334 MID 102046326 to RID [1, 2, 3, 4]

Parsing error or event type unknown: <22>May 14 12:47:36 MailLog_CSMARS: Info: MID 102046330 interim AV verdict using Sophos CLEAN

Can you check if anyone has implemented? Thanks.
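As an added illustration (not code from this thread, from Cisco, or from the IronPort product), a small Python correlator that reassembles the MID-keyed mail log fragments discussed above into one record per message, using the two syslog lines quoted in the post plus constructed lines in the same style. The syslog layout, the MID token and treating "Message done" as the completion marker are assumptions drawn only from the quoted lines.

```python
import re
from collections import defaultdict

# One syslog line as the thread shows it: <PRI>Mon DD HH:MM:SS TAG: Level: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tag>[^:\s]+): (?P<level>\w+): (?P<text>.*)$"
)
MID_RE = re.compile(r"\bMID (\d+)\b")

# Constructed sample: the two lines quoted in the thread plus two made-up
# lines in the same style (one more fragment for MID 102046326, one malformed).
SAMPLE_LINES = [
    "<22>May 14 12:47:35 MailLog_CSMARS: Info: Message done DCID 61561334 MID 102046326 to RID [1, 2, 3, 4]",
    "<22>May 14 12:47:36 MailLog_CSMARS: Info: MID 102046330 interim AV verdict using Sophos CLEAN",
    "<22>May 14 12:47:34 MailLog_CSMARS: Info: MID 102046326 interim AV verdict using Sophos CLEAN",
    "garbage line with no syslog header",
]

def parse_line(line):
    """Split one syslog line into its header fields and the MID it mentions; None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["facility"], rec["severity"] = divmod(rec["pri"], 8)  # <22> -> facility 2 (mail), severity 6 (info)
    mid = MID_RE.search(rec["text"])
    rec["mid"] = int(mid.group(1)) if mid else None
    return rec

def correlate(lines):
    """Reassemble per-message records keyed by MID.
    Returns (records, unparsed): records maps MID -> {"events": [(ts, text), ...], "done": bool},
    with "done" set once a 'Message done' fragment is seen (assumed completion marker). Lines without
    a syslog header or without a MID are returned in unparsed rather than silently dropped.
    """
    records = defaultdict(lambda: {"events": [], "done": False})
    unparsed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mid"] is None:
            unparsed.append(line)
            continue
        entry = records[rec["mid"]]
        entry["events"].append((rec["ts"], rec["text"]))
        if rec["text"].startswith("Message done"):
            entry["done"] = True
    return dict(records), unparsed
```

Running `correlate(SAMPLE_LINES)` yields two records, one complete and one still in progress, and returns the malformed line separately so a parsing gap is visible instead of lost.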