AIX

randytoni
Level 1

is there any plan to add AIX as a supported O/S in MARS? I have some AIX systems set up as "generic" and not relishing the idea of having to define a pile of custom log parser templates. Keyword queries are about the only option I have right now for monitoring those systems, but would be great to correlate AIX events with other servers (isn't that what MARS is all about?)

thanks

-randy

5 Replies

Farrukh Haroon
VIP Alumni

Solaris/Linux is all that's supported AFAIK. I even asked one of our local Cisco CSEs for any planned support for the Cisco Security Agent (CSA) on AIX. He replied 'There are no plans'.

Regards

Farrukh

Thanks Farrukh - I would have guessed AIX is enough of a chunk of the enterprise market share that Cisco would be interested in supporting it.

This is a disappointment...

I agree with this as well. I am also very surprised that there are no plans for HP-UX support in MARS. I have been told that HP-UX doesn't use standard syslog formats for their messages or for forwarding syslog, but it is a large enough market that I would have expected support for it.

Bummer.

When you think about it, Cisco really hasn't added much in the way of support for non-Cisco devices. Compare this aspect of MARS to any leading SIM on the market...IMHO the product is w-a-y behind. Maybe you get what you pay for...I haven't priced out the other solutions in a while.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.3/compatibility/local_controller/dtlc43x.html

http://www.netforensics.com/products/supported_products/

http://www.arcsight.com/collateral/ArcSight_Supported_Products.pdf

http://www.netiq.com/products/sm/default.asp?id=SystemsSupported

http://www.rsa.com/rsasecured/results.aspx?program=116

We have been asking for an AIX parser for as long as we've had MARS, which is pretty much since Cisco started selling it. Every single one of the products listed above states that it has AIX support.

I believe Cisco is hoping this general deficiency is rectified somewhat by the upcoming release which will allow users to more freely share (i.e. export, etc) custom parsers. I like some aspects of that (more likely to have a parser for niche applications), but ultimately IMHO the main reason for having a SIM in the first place is so you don't have to parse the events yourself. Hell, that's a big part of what I'm paying for. I don't have the resources to create and keep updating parsers. I thought that's why maintenance was so expensive?

thanks Matthew for the links and everyone for the add'l supporting voices

To add a bit of grumble, at the recent RSA conference a company called SenSage hung out a shingle to advertise the fact that they "complement" the MARS solution. Curious. I'm not 100% convinced that they have the same correlation strengths as other solutions (not sure they don't either, as I have never trialed this solution, nor am I trying to promote it). Even if it was more log management tool than SIM, they seemed to fill some of the MARS gaps nicely. The take-away is that MARS appears to be out-gunned in some very important areas (e.g. recognizing - or at least taking an intelligent guess at - device types while parsing unknown logs, great archiving and storage facilities, real-time ETL (e.g. every event gets transformed and copied, on the fly, into SQL tables for some very smooth and intuitive querying), support for just about every device type out there, etc.).

Recognizing that these others may also have their limitations, and some care and feeding required as well for these add'l features, the point is that these vendors are picking up and capitalizing on some of the really broken pieces of the MARS solution. You nailed it - this is supposed to be a SIM - even a fantastic event correlation engine is moot if it can't correlate half the boxes on the network, if the low level workings (like if/how/when rules actually fire and behave, etc.) are not clearly documented or understood, etc. (how MARS works under the hood is anything but intuitive, imho - and btw, I think Matthew it's been some of your posts on CS-MARS blogs that have helped me understand some of these details).

The boxes here are approaching end of life - there is some incentive to gut MARS before it gets too entrenched
