MARS raw data adds extra characters

Unanswered Question
Aug 18th, 2008

Can someone tell me if I need to make a change to how MARS is receiving this log from a PIX 520? Or is there something on the PIX that needs to be changed? I keep getting all these extraneous characters in the log file, which makes it difficult to read. I'm trying to use MARS to replace an older server that's receiving the log file currently.

Thanks, T


172111�Mon Aug 04 07:42:12 CDT 2008�GermaniaFwGCU�0.0.0.0�0�0.0.0.0�0�-1�SNMPv2-SMI::enterprises.9.9.41.2 10.100.14.90 SNMPv2-SMI::enterprises.9.9.41.1.2.3.1.2.0 "20" SNMPv2-SMI::enterprises.9.9.41.1.2.3.1.3.0 5 SNMPv2-SMI::enterprises.9.9.41.1.2.3.1.4.0 "Syslog Trap" SNMPv2-SMI::enterprises.9.9.41.1.2.3.1.5.0 "405001: Received ARP request collision from 192.168.28.90/0006.2925.37ca on interface GB_GRID" SNMPv2-SMI::enterprises.9.9.41.1.2.3.1.6.0 334:17:06:37.00


mhellman Mon, 08/18/2008 - 14:41

Where did you copy this from in MARS? Some ASCII characters will look funny when displayed in a browser or text editor. The normal column separator in the MARS raw messages, for example, is hex FF. This character will not be displayed properly in your browser or notepad/wordpad.

ttrevino1 Tue, 08/19/2008 - 06:04

I ran the query using the 'retrieve raw messages' option, under System Maintenance, Logging Configuration / Viewing. After the query has run, it gives me the option to download it, which I either save or open with 7-Zip. Either way, it still shows all the extra characters in the text file within Wordpad. Notepad adds even more weird characters, and using Word doesn't help either.

mhellman Tue, 08/19/2008 - 06:42

That is probably normal then (although I must admit you appear to have multiple delimiters, some of which appear in the middle of the raw message). That's how the raw messages get archived. The format of the "raw message" in the archive is like so on my gen2 system:

25234307492ÿ08/19/2008 14:29:03ÿHOSTNAMEÿ612@<13>Aug 19 09:29:04 hostname.domain.com MSWi

The "ÿ" is actually hex FF and is a field delimiter. The raw message actually starts after the 3rd delimiter. so "612@<13>Aug 19 09:29:04 hostname.domain.com MSWi" is the raw message. This should not have any funky characters unless the SNMP message itself does. The fields before that are internal MARS data.


If you can post the hex output, that would help. I use hexdump on a linux box to do this. A hex editor on Windows can probably do the same.
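As an added example (not code from the thread, from Cisco or from MARS), the following Python splits an archived record on the 0xFF delimiter the way mhellman describes (three internal fields, then the raw message) and lists the bytes hexdump-style so the delimiter shows as `ff`; the PIX-shaped record is constructed, with its SNMP payload shortened.

```python
# Added example (not from the thread): split a MARS archive record on its 0xFF
# field delimiter and show the bytes hexdump-style, as mhellman suggests.
DELIM = b"\xff"
INTERNAL_FIELDS = 3  # record id, MARS timestamp, reporting device

def split_mars_record(record: bytes) -> dict:
    """Separate MARS's internal fields from the raw message after the 3rd delimiter.

    Everything after the third 0xFF is rejoined on 0xFF, so delimiters that sit
    inside the payload (as in the PIX/SNMP record above) are kept and counted.
    """
    parts = record.split(DELIM)
    if len(parts) <= INTERNAL_FIELDS:
        raise ValueError("fewer than three 0xFF delimiters: not a MARS archive record")
    record_id, mars_time, device = (p.decode("latin-1") for p in parts[:INTERNAL_FIELDS])
    raw = DELIM.join(parts[INTERNAL_FIELDS:])
    return {
        "record_id": record_id,
        "mars_time": mars_time,
        "device": device,
        "raw_message": raw.decode("latin-1"),  # 0xFF survives as 'ÿ', as in an editor
        "delimiters_in_raw": raw.count(DELIM),
    }

def hexdump(data: bytes, width: int = 16) -> str:
    """hexdump -C style listing, so a 0xFF shows as 'ff' rather than '?' or 'ÿ'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return "\n".join(lines)

# mhellman's gen2 sample, with each 'ÿ' written as the 0xFF byte it stands for.
GEN2_RECORD = (b"25234307492\xff08/19/2008 14:29:03\xffHOSTNAME"
               b"\xff612@<13>Aug 19 09:29:04 hostname.domain.com MSWi")

# Constructed record shaped like the PIX/SNMP trap in the question (payload shortened).
PIX_RECORD = (b"172111\xffMon Aug 04 07:42:12 CDT 2008\xffGermaniaFwGCU"
              b"\xff0.0.0.0\xff0\xff0.0.0.0\xff0\xff-1"
              b"\xffSNMPv2-SMI::enterprises.9.9.41.2 10.100.14.90 \"Syslog Trap\"")

if __name__ == "__main__":
    for rec in (GEN2_RECORD, PIX_RECORD):
        fields = split_mars_record(rec)
        print(fields["device"], "->", fields["raw_message"])
        print("0xFF bytes inside raw message:", fields["delimiters_in_raw"])
        print(hexdump(rec[:48]))
```

Running it on a record downloaded from MARS (read the file in binary mode) shows whether the extra characters are only the expected 0xFF field separators or appear inside the raw message itself.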

ttrevino1 Tue, 08/19/2008 - 06:55

I'll have to work on that tomorrow as I'm headed to a conference today. Thanks for the help, I'll post again after I figure out something on a Windows hex output.
