03-06-2007 08:39 AM - edited 03-10-2019 03:29 AM
hi -
I have a Kiwi syslog server set up in MARS as a generic syslog relay.
According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:
Send with RFC 3164 header information: Selected
Retain the original source address of the message: Cleared.
If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.
If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).
I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.
?????
what am I missing? What is MARS expecting to see from Kiwi?
thanks
-randy
03-06-2007 09:58 AM
I didn't read your message well enough. It's probably normal that when you don't include the header field that the events show up as coming from the kiwi server. It looks like the header field is used by csmars to determine which reporting device originated the message.
Use the settings outlined in the guide:
then start troubleshooting. Make sure you "activate" any device changes (i.e. when modifying the Kiwi reporting device or adding a router reporting device).
03-06-2007 10:54 AM
thanks - but that's the same doc I followed.
cannot seem to get MARS to accept / parse the events from Kiwi properly.
03-06-2007 11:02 AM
When you use the settings provided in the doc:
have you verified that the events are being forwarded? Log into the CSMARS via SSH and use tcpdump:
[pnadmin] tcpdump host
Do the events show up in an "unknown event report" query? What do they look like?
03-06-2007 11:39 AM
in the process of trying that now - thanks for the help....
03-06-2007 12:15 PM
got a couple events showing up with query on "unknown reporting device":
eg:
"unknown reporting IP: 172.22.0.49, <157>Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Ac?cess1, changed state to up"
so they are showing up at MARS as "unknowns" -- it appears that Kiwi adds the timestamp and hostname info e.g. "Mar 6 14:56:48 172.22.0.49 Ki?wi_Syslog_Daemon" to the message.
So defining a reporting device based on the IP shown in the add'l header (the original source IP) should be all I need to do (tried this but will have to troubleshoot some more...)
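The attribution behaviour observed here (and suggested in the earlier reply about the header field) can be illustrated with a small RFC 3164 parser. This is an added example, not code from the thread or from Cisco or Kiwi; it assumes the collector attributes an event to the header HOSTNAME when one is present and otherwise to the packet's source address, and the relay address and cleaned-up sample messages are constructed.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164 wire format: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# TIMESTAMP is "Mmm dd hh:mm:ss" (day is space-padded in the RFC, but the
# quoted Kiwi output uses a single space for "Mar 6", so accept 1-2 spaces).
_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)
_PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<msg>.*)$", re.DOTALL)

class Syslog(NamedTuple):
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]   # None when no RFC 3164 header was prepended
    msg: str                  # TAG plus message body

def parse_syslog(raw: str) -> Syslog:
    """Split a syslog line into PRI fields, header fields and the message."""
    m = _HDR.match(raw)
    if m:
        pri = int(m["pri"])
        return Syslog(pri >> 3, pri & 7, m["ts"], m["host"], m["msg"])
    m = _PRI_ONLY.match(raw)          # PRI present, header missing
    if m:
        pri = int(m["pri"])
        return Syslog(pri >> 3, pri & 7, None, None, m["msg"])
    raise ValueError("not a syslog message: %r" % raw[:40])

def reporting_device(packet_src_ip: str, raw: str) -> str:
    """Assumed collector rule: header HOSTNAME wins; without a header the
    event can only be attributed to the UDP source, i.e. the relay itself."""
    return parse_syslog(raw).hostname or packet_src_ip

RELAY_IP = "10.0.0.5"   # hypothetical address of the Kiwi relay
# Constructed samples modelled on the message quoted above (stray "?" removed).
WITH_HDR = ("<157>Mar 6 14:56:48 172.22.0.49 Kiwi_Syslog_Daemon "
            "%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up")
NO_HDR = "<157>%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up"

if __name__ == "__main__":
    for raw in (WITH_HDR, NO_HDR):
        print(reporting_device(RELAY_IP, raw), parse_syslog(raw))
```

With the header the event is credited to the router's address from the HOSTNAME field (facility 19/local3, severity 5/notice); without it the only address available is the relay's, which matches the behaviour reported in the thread.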
03-06-2007 12:19 PM
That's the theory anyway. Make sure you click activate after adding the device. You should test with a device you know you can force events on (via failed login, whatever). I see you're having a similar issue where strange characters are showing up in the output (see the "?" characters). I don't know if this has an impact or not, but I've seen it before in our MARS as well.
03-06-2007 12:32 PM
yeah not sure what's up with the add'l characters - hope that's not a symptom of some other weirdness on MARS
I'll try again to set up a source device and see what happens from there - I'll post the results here ASAP
many thanks for the help
03-07-2007 08:58 AM
I'm at the point where I have a single device (router) defined as the source - that router syslogs to Kiwi - Kiwi relays to MARS - MARS reports / alarms on the event with the original source / reporting device info intact. Most excellent.
Last remaining issue is a bulk load of several (similar) source devices - this is now causing me grief - I started another thread hoping for some feedback.
thanks very much for your replies and your help with this one
-randy
03-06-2007 11:34 AM
Yeah, I had pretty much the same issue. I switched to SNARE and forwarded the logs without a hitch.
03-06-2007 01:56 PM
we use snare to push event logs from a couple of windows boxes but not (yet?) for relaying.
is this the same snare agent in both scenarios?
thanks
-randy
03-06-2007 02:09 PM
I would recommend opening a service request with Cisco and really trying to get this working before going the Snare route. I'm not exactly sure how that would work but either way it adds [what should be] unnecessary complexity. Snare itself has plenty of problems.
03-07-2007 06:11 AM
So are you saying that Kiwi is the best option and not Snare? Please elaborate on specifics, because if that's the case then I would not mind using Kiwi if he can get it to work properly also.
03-07-2007 06:23 AM
We're not on the same page. I'm not even sure what you're talking about with respect to Snare. Snare is typically used to forward [via syslog] events from a single reporting device, like a windows box. The OP is talking about forwarding events from an already existing syslog server (one that receives events from many devices already). AFAICT, Cisco only supports syslog forwarding from syslog-ng and kiwi.