Cisco ACE & MARS

Answered Question
Jan 28th, 2009
Can Cisco ACE be added to CSMARS?


MARS version is 5.3.2

Correct Answer by Syed Iftekhar Ahmed about 8 years 5 months ago

Not Yet.

Complete list of supported devices can be found at


http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html


Syed

cisco_lite Thu, 01/29/2009 - 07:04

Apart from ACE I would also like to collect logs from GSS. What syslog server would you recommend with easy installation, monitoring and troubleshooting value, since these are not supported by CSMARS?

pmccubbin Thu, 01/29/2009 - 08:17
Kiwi, SyslogNG, and LogLogic are the only syslog servers that I am aware of which will work with MARS.


Hope that helps answer your question.


Paul

cisco_lite Thu, 01/29/2009 - 08:55

I didn't get it completely. Why do we need the syslog servers to work with MARS?


My question to use syslog server was for those devices that do not have support in MARS.


Is there such a feature of using syslog servers with MARS? What additional benefit would it have?

pmccubbin Thu, 01/29/2009 - 12:15
If a device not supported by MARS can send syslog in clear text format, then it can be parsed by MARS using a custom parser.


The custom parser allows you to define new devices and applications in order that they can report to MARS.


The reason why you need the syslog servers to work with MARS is that the more devices you can have reporting to MARS the greater the accuracy of the analysis it provides.


In a nutshell this is how MARS works (with a tip of the cap to Dale Tesch):


The logging data from devices is used in parallel by MARS with the information gleaned from querying network device routing tables, configurations, ARP tables, CAM tables, system probes, and other processes to determine the topology of the network and the location of devices.


After log data is collected and the alert information is analyzed, it is cross-referenced with this topology information to determine its validity and to calculate attack paths.


MARS was built to enhance the common data provided by syslog and SNMP. Once the data from multiple devices is summarized it can be used both as an early warning alert system and as a forensics tool to analyze successful attacks.


Hope this helps.


Paul

cisco_lite Thu, 01/29/2009 - 15:41

So are there three options for devices that are not supported in MARS?


1. Send the log data to MARS via custom parser

or

2. Send the log data to syslog server which in turn sends to MARS.

or

3. Combination of the above two


Is that correct?

pmccubbin Fri, 01/30/2009 - 07:14
No, there are truly only two options for devices which are not natively supported in MARS:


1. Send the log data directly to MARS and analyze it with a custom parser;


2. Send the log data to a syslog server which in turn sends it to MARS, and then analyze it with a custom parser.


Both options require a custom parser. You cannot simply redirect from a syslog server without a custom parser and expect MARS to be able to analyze the data.


Hope this helps.
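
As an added illustration (not code from this thread, from Cisco, or from MARS itself) of what a custom parser has to do with clear-text syslog from an unsupported device, and of the redirect step in option 2: the sample line, the regexes and the MARS address below are constructed placeholders, not the real ACE log format or MARS's parser definition language.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed sample line (not real ACE output): RFC 3164 framing around a Cisco-style
# "%MNEMONIC-SEVERITY-ID:" tag; the message ID and the addresses are placeholders.
SAMPLE = ("<166>Jan 29 07:04:12 ace-1 %ACE-6-000000: Built TCP connection "
          "from 10.1.1.5/51234 to 10.2.2.9/443")
# <PRI>TIMESTAMP HOST MSG; facility = PRI // 8, severity = PRI % 8.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$")
# The tag is what a custom parser keys on to classify the event; IPs/ports come from the text.
CISCO_TAG_RE = re.compile(r"^%(?P<dev>[A-Z]+)-(?P<sev>\d)-(?P<id>\w+):\s*(?P<text>.*)$")
IP_PORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")

@dataclass
class Event:
    facility: int
    severity: int
    host: str
    device_type: Optional[str]
    msg_id: Optional[str]
    src: Optional[str]
    dst: Optional[str]

def parse_syslog(line: str) -> Event:
    """Split one clear-text syslog line into the fields a custom parser would extract."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not RFC 3164 framed: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError(f"invalid PRI {pri}")
    dev = msg_id = None
    text = m["msg"]
    tag = CISCO_TAG_RE.match(text)
    if tag:
        dev, msg_id, text = tag["dev"], tag["id"], tag["text"]
    ends = [f"{ip}:{port}" for ip, port in IP_PORT_RE.findall(text)]
    src = ends[0] if len(ends) > 0 else None
    dst = ends[1] if len(ends) > 1 else None
    return Event(pri // 8, pri % 8, m["host"], dev, msg_id, src, dst)

def relay(line: str, mars_addr: tuple) -> bytes:
    """Option 2: forward the line unchanged over UDP/514; re-IP of MARS = change mars_addr only."""
    payload = line.encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, mars_addr)
    return payload
```

Calling `relay(SAMPLE, ("127.0.0.1", 514))` with a placeholder MARS address shows the indirection point: the device keeps logging to the relay, and only the relay's target changes.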

cisco_lite Fri, 01/30/2009 - 15:07

What is the added benefit of using option 2 if option 1 can be achieved?


Option 2 would require extra effort setting up another syslog server etc.


Thanks.

pmccubbin Sun, 02/01/2009 - 07:10

Option 1 in a large network gives you more flexibility when designing your network. If your network grows and you want to add another MARS box, all you need to do is redirect from the syslog server. Also, if you ever needed to re-IP the MARS box all you would do is change the redirect on your syslog server, instead of changing the configurations on all your networking devices. Lastly, many companies have stringent change management windows, which makes it much easier to change a syslog server than it is to schedule changes on multiple networking devices.


Hope this helps.
