08-22-2007 11:23 AM - edited 03-09-2019 06:39 PM
Currently we are using VMS to run daily reports on our severity high events on our IPS sensors. We are holding out on going to CSM until we get this style report moved onto our MARS appliance. Has anyone created a report in MARS for severity high events that includes source IP and port, destination IP and port, timestamp, and event type, and that can be exported to CSV? I tried all matching sessions with custom columns and that will output HTML correctly, but I hit a bug when you try to output .csv (Cisco states the bug should be fixed by year end).
I am open to any thoughts or recommendations for using MARS to generate reports to give to SOX auditors in regards to IPS events.
Thanks
08-24-2007 05:37 AM
This shouldn't be difficult, so maybe I'm not understanding what you need. I just created a "custom columns ranked by time" report that shows only IPS red severity with csv output and it looks fine. Here is the format of my results:
Id,EventSourceAddress,EventSourcePort,EventDestinationAddress,EventDestinationPort,Protocol,ReceiveTime
34891055456,206.195.198.21,2803,162.131.63.109,80,6,"Aug 24, 2007 8:29:42 AM CDT"
08-24-2007 05:42 AM
Hmmm...just noticed something. No event type. The CSV output has always been a little odd, because it includes different fields than the HTML output (different than what was selected too). I'll try again.
08-24-2007 05:44 AM
Yeah, that's the bug (now they are calling it a feature request) I am hitting. The HTML output has everything I need; however, we output to CSV for archiving for SOX. Thanks
08-24-2007 07:17 AM
It's all coming back to me. I think there have been issues with the CSV output for a long time...I vaguely remember looking at the CSV output and thinking "hmmm, totally different columns than the HTML". I didn't care at the time because we didn't use the CSV output. Feature request? Yeah, okay. What kind of design results in different row-level data when switching output format from HTML to CSV? You could use the raw data if MARS didn't ALSO have a bug where it completely horked up IPS raw messages.
08-24-2007 07:21 AM
FWIW, we process/massage HTML reports from MARS on an external system. There are lots of tools that do this (we use Perl) but it wasn't too difficult.
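The external HTML post-processing mentioned in the post above, sketched in Python as an added example that is not part of the original thread or any poster's script. The MARS report markup is not shown in the thread, so this assumes a plain HTML table with a header row; the `EventType` header name and the sample values are constructed.

```python
import csv
import io
from html.parser import HTMLParser

# Columns the thread needs; "EventType" is an assumed header name.
WANTED = ["EventSourceAddress", "EventSourcePort", "EventDestinationAddress",
          "EventDestinationPort", "ReceiveTime", "EventType"]
# Constructed sample report, not real MARS output.
SAMPLE_HTML = """<table>
<tr><th>Id</th><th>EventType</th><th>EventSourceAddress</th><th>EventSourcePort</th>
<th>EventDestinationAddress</th><th>EventDestinationPort</th><th>ReceiveTime</th></tr>
<tr><td>1</td><td><a href="#">Constructed IPS Signature</a></td><td>192.0.2.10</td>
<td>2803</td><td>198.51.100.20</td><td>80</td><td>Aug 24, 2007 8:29:42 AM CDT</td></tr>
</table>"""

class TableRows(HTMLParser):  # collects cell text, one list per <tr>
    def __init__(self):
        super().__init__()
        self.rows, self._row, self._cell = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self._row = []
        elif tag in ("td", "th") and self._row is not None:
            self._cell = []
    def handle_data(self, data):
        if self._cell is not None:
            self._cell.append(data)
    def handle_endtag(self, tag):
        if tag in ("td", "th") and self._cell is not None:
            self._row.append(" ".join("".join(self._cell).split()))
            self._cell = None
        elif tag == "tr" and self._row:
            self.rows.append(self._row)
            self._row = None

def html_report_to_csv(html, wanted=WANTED):
    parser = TableRows()
    parser.feed(html)
    parser.close()
    header, body = (parser.rows[0], parser.rows[1:]) if parser.rows else ([], [])
    missing = [c for c in wanted if c not in header]
    bad = [r for r in body if len(r) != len(header)]
    if missing or bad:  # fail loudly rather than archive a CSV with dropped fields
        raise ValueError(f"missing columns: {missing}; malformed rows: {bad}")
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(wanted)
    for row in body:
        writer.writerow([row[header.index(c)] for c in wanted])
    return out.getvalue()
```

The converter refuses to write anything when a required column such as the event type is absent, so an archive cannot silently lose the field the way the built-in CSV export does in this thread.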
08-24-2007 07:22 AM
Thanks for the suggestion. I think we are going to look at other options since MARS can't seem to do what we want.