Sorry, I originally posted this in the IDS forum (not a good day...).
I have a Kiwi syslog server set up in MARS as a generic syslog relay.
According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:
- Send with RFC 3164 header information: Selected
- Retain the original source address of the message: Cleared
If I set either (or both) of these options as outlined in the doc, none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS.
If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).
I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.
What am I missing? What is MARS expecting to see from Kiwi?