Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1281
Views
5
Helpful
3
Replies

Windows Servers donot send Llogs to MARS

talha_490
Level 1
Level 1

‎08-25-2010 01:10 PM

I have my Windows server connected with the following configuration but it does not send any logs.

I have atttached the snapshots also

Override detected DNS name with :  ----> The ip address of the server

Destination snare server address : ----> the ip address of the syslog

destination port 514

enable syslog header ---> Yes

Syslog facility --> Syslog

Syslog Priority  ---> Information

One more question when we are adding the server in MARS, On the bottom of the page under Reporting and access Ip address, there is an option

Enter interface information IP address, I have given the ip address of the server at eth0 which is the same ip address  as mentioned in reporting and

access ip address of the server

Labels:
Preview file
208 KB
Preview file
167 KB
Preview file
41 KB
0 Helpful
3 Replies 3

Scott Fringer
Cisco Employee
Cisco Employee

‎08-27-2010 05:34 AM

Within the CS-MARS configuration did you set the device's 'Logging Info' to "Pull" or "Receive"?

Scott

0 Helpful

talha_490
Level 1
Level 1
In response to Scott Fringer

‎08-31-2010 04:51 AM

Yes i am receiving the logs. But i do not know why the Systems takes some

time for sending the logs.

Muhammad Talha Iqbal Ghouri

Information System Security Architect

GBM - General Marketing and Services Representative for IBM WTC

P.O. Box 819, Manama, Bahrain

T: +973-17584329 Fax: +973-17584334

Mob: +973-39788659 email: ghouri@bh.gbm.ihost.com

http://www.gbm4ibm.com

|

0 Helpful

Scott Fringer
Cisco Employee
Cisco Employee
In response to talha_490

‎08-31-2010 05:24 AM

There could be many factors on the local Windows system which impact the performance of the Snare agent.  You would need to monitor the Windows systems and see if they are sending the events when they happen, if they are not the issue is with the operation of Snare. This can be performed by running Wireshark on the Windows host and watching communication between the host and the CS-MARS.

If the messages are being sent when they happen, you need to monitor the CS-MARS and verify they are arriving as expected.  This can be performed by running 'tcpdump' on the CLI of the CS-MARS and monitoring communication between the host in question and CS-MARS.

Depending on where the delay is occurring you would then need to troubleshoot Snare for client-side delays.   If the events are arriving at teh CS-MARS when expected, open a service request witch Cisco TAC to troubleshoot CS-MARS more closely.

Scott

Customers Also Viewed These Support Documents