
Mars add a custom event to known device

Hello,

I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?

This is a possible scenario:

I have a 2821 router with IOS version 12.4; I register it as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to access it.
From my router I get this log:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx

MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no! Because I cannot find a way to make a report that shows me the Source address (10.xx.xx.xx) and user (ciccio). Can you confirm that?

Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?

I hope I have been clear; sorry for my English.
Thank you in advance, best wishes, Antonello.

1 Reply

Scott Fringer
Cisco Employee

Antonello;

  CS-MARS release 6.0 allows for extending an existing device parser with your own event types.  You can find out more here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

  You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED".  That report could then provide all matching raw messages which should contain the details you are interested in.

Scott
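A keyword query returns the raw messages; extracting the sender, Source address and user from them is the part Antonello asks about. The following is an added example, not code from the original thread or from Cisco: a Python parser for the %SEC_LOGIN-4-LOGIN_FAILED message format quoted above, run over constructed sample lines, with a count of failures per source address that a defender could use to spot a brute-force attempt. The sender IPs, usernames and addresses in the sample are assumed.

```python
import re
from collections import Counter

# Format of the %SEC_LOGIN-4-LOGIN_FAILED line quoted in the question:
# "<PRI>" is the syslog priority, "1908:" the IOS sequence number, then
# the timestamp, the mnemonic and the bracketed fields. The trailing
# " at ..." clock string is optional.
LOGIN_FAILED_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"%SEC_LOGIN-(?P<sev>\d)-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*?) *\] \[Source: (?P<source>[\d.]+)\] "
    r"\[localport: (?P<localport>\d+)\] \[Reason: (?P<reason>[^\]]*)\](?: at .*)?$"
)

def parse_login_failed(line):
    """Return the fields of a LOGIN_FAILED syslog line, or None if it is another message."""
    m = LOGIN_FAILED_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,        # <188> -> 23 = local7, the IOS default facility
        "severity": pri % 8,         # <188> -> 4 = warning, matching "SEC_LOGIN-4"
        "seq": int(m.group("seq")),
        "timestamp": m.group("ts"),
        "user": m.group("user").strip(),
        "source": m.group("source"),
        "localport": int(m.group("localport")),
        "reason": m.group("reason"),
    }

def summarize_failures(events, threshold=3):
    """events: iterable of (sender_ip, raw_line); the sender is the syslog packet source,
    which the raw IOS message itself does not carry. Returns per-(sender, source, user)
    counts and the sorted list of source addresses with at least `threshold` failures."""
    counts = Counter()
    for sender, line in events:
        fields = parse_login_failed(line)
        if fields is None:
            continue                  # e.g. other "Generic IOS Syslog" messages
        counts[(sender, fields["source"], fields["user"])] += 1
    per_source = Counter()
    for (_sender, source, _user), n in counts.items():
        per_source[source] += n
    return counts, sorted(s for s, n in per_source.items() if n >= threshold)

SAMPLE_EVENTS = [  # constructed sample data (sender IP, raw syslog line)
    ("192.0.2.1", "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:36 UTC Mon May 31 2010"),
    ("192.0.2.1", "<188>1909: May 31 12:34:40.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:40 UTC Mon May 31 2010"),
    ("192.0.2.1", "<188>1910: May 31 12:34:44.377: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:44 UTC Mon May 31 2010"),
    ("192.0.2.1", "<189>1911: May 31 12:35:02.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.9)"),
    ("192.0.2.2", "<188>77: May 31 12:36:00.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: bob ] [Source: 10.0.0.7] [localport: 23] [Reason: Login Authentication Failed] at 12:36:00 UTC Mon May 31 2010"),
]

if __name__ == "__main__":
    counts, flagged = summarize_failures(SAMPLE_EVENTS)
    for (sender, source, user), n in sorted(counts.items()):
        print(f"sender={sender} source={source} user={user} failures={n}")
    print("sources at or over threshold:", flagged)
```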