Linux and MARS

Unanswered Question
Nov 13th, 2007
User Badges:

Hello there,

i hope you help find a resolution for this:

I have a MARS 50, and i tried to add a Linux to send syslog messages to it. I added it, i can see the linux int the topology window.

I run a nmap scan on the linux, i get a lot of syslog messages on the linux console because of the nmap scanning, but the MARS doesn't show me any incidents.


I added the Linux host under Admin->Security and Monitor Devices -> Add -> Device Type: Add SW security apps on new host. Then i configured the ip, i chose Linux as the operating system and "Rceive" at the Logging Info.


I also configured the Linux to send syslog messages to MARS:

i added in the /etc/syslog.conf file, the next line:

*.debug @mars_ip


Why don't i get messages from Linux?


Thank you for your time,

Costin


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
mhellman Tue, 11/13/2007 - 05:55
User Badges:
  • Blue, 1500 points or more

You don't mention which version of Mars you're running, but take a look at this bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj45065&from=summary


Regardless, Mars does not parse Linux syslog all that effectively. Or Solaris for that matter. iptables entries, which I suspect is what you're referring to, are parsed as generic events.

costin.vilcu Tue, 11/13/2007 - 06:14
User Badges:

Thank you for the reply,


The version is the last: 4.3.1


Generic events means that i shoul edit the /etc/syslog.conf file different that *.debug ?

something like *.event @ip_Mars ?

I don't really know the sintax for Linux, but from the Cisco point of view debug syslog massages include all other messages (informational, alert, warning etc) so i would expect that also for linux.


Again on the Linux console i see all the messges generated because of the nmap scan, but on the Mars, either they are not received or the Mars doesn't know to parse them


Or i am doing something wrong...



Thank you again,


Costin

mhellman Tue, 11/13/2007 - 06:20
User Badges:
  • Blue, 1500 points or more

I sounds like you're doing everything right, it's just that Mars hasn't been configured to parse and understand those particular log entires. They will get parsed as "generic linux event". If you aren't even seeing the events in Mars, then something else is going on and we can help you with that too, just let us know.


The way to test this is to run a "real-time" query in Mars for the Linux box(query type = all matching events). See:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a0080546c0a.html#wp1049921


costin.vilcu Tue, 11/13/2007 - 07:00
User Badges:

Hi Matthew,


i did the real-time querry for the traffic from Linux to Mars: nothing


I will try this again tommorow with another linux box and let you know if something works.

Thanks again,


Costin

mhellman Tue, 11/13/2007 - 07:18
User Badges:
  • Blue, 1500 points or more

Nothing huh? Let's try this instead. Login as pnadmin on the MARS box and start a tcpdump to verify that you're at least getting some syslog from the Linux box:


tcpdump host linuxhost1 and port 514



Now login to the linux box and run the following bash script(this will create 20 syslog messages that should get forwarded to MARS):


#!/bin/bash

for ((i=1;i<=20;i++)); do

/usr/bin/logger auth.critical -d SYSLOG MESSAGE $i

sleep 1

done

Actions

This Discussion