CS-MARS syslog raw file import

r.spiandorello · ‎09-26-2007

Hi, I need to import a raw syslog file of a device generated a few days before CS-MARS installation: how to ?

thank you in advance

pmccubbin · ‎09-26-2007

This is the first time I have heard this request.

I don't think it can be done.

Among other things the time and date would be for events which happened prior to the creation of the database in MARS.

r.spiandorello · ‎09-26-2007

The request come from the replacement of cs-mars 50 with cs-mars 110R.

I can export syslog raw file from 50 model and I need to import to the new 110R (5.2 s.o. version)

mhellman · ‎09-27-2007

Paul's right, it can't be done...at least not without some other application to read in the file and re-send the syslogs. It wouldn't serve much use anyway, last I checked MARS timestamped most events based on when they were received so the data would be all wrong. You might take a look at the 4.3.1 which was just released, it contains some sort of functionality to move data from the old hardware to the new.

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_3/rn431.pdf

michaelwoolfe · ‎09-28-2007

My only thought is that if you are trying to get the historical data into MARS for trend analysis, you can use a Python script to concatenate the current Archived files from the new MARS and an external connector to the location of the old MARS content which I assume is in a flat file.

You could also use a script to combine the two in a SQL database.