Cisco ACE & MARS

cisco_lite
Level 1

Can Cisco ACE be added to CSMARS?

MARS version is 5.3.2

Not Yet.

Complete list of supported devices can be found at

http://www.cisco.com/en/US/products/ps6241/products_device_support_tables_list.html

Syed

Apart from ACE I would also like to collect logs from GSS. What syslog server would you recommend with easy installation, monitoring and troubleshooting value, since these are not supported by CSMARS?

Kiwi, SyslogNG, and LogLogic are the only syslog servers that I am aware of which will work with MARS.

Hope that helps answer your question.

Paul

I didn't get it completely. Why do we need the syslog servers to work with MARS?

My question to use syslog server was for those devices that do not have support in MARS.

Is there such a feature of using syslog servers with MARS? What additional benefit would it have?

If a device not supported by MARS can send syslog in clear text format, then it can be parsed by MARS using a custom parser.

The custom parser allows you to define new devices and applications so that they can report to MARS.

The reason why you need the syslog servers to work with MARS is that the more devices you can have reporting to MARS the greater the accuracy of the analysis it provides.

In a nutshell this is how MARS works (with a tip of the cap to Dale Tesch):

The logging data from devices is used in parallel by MARS with the information gleaned from querying network device routing tables, configurations, ARP tables, CAM tables, system probes, and other processes to determine the topology of the network and the location of devices.

After log data is collected and the alert information is analyzed, it is cross-referenced with this topology information to determine its validity and to calculate attack paths.

MARS was built to enhance the common data provided by syslog and SNMP. Once the data from multiple devices is summarized it can be used both as an early warning alert system and as a forensics tool to analyze successful attacks.

Hope this helps.

Paul

So are there three options for devices that are not supported in MARS?

1. Send the log data to MARS via custom parser

or

2. Send the log data to syslog server which in turn sends to MARS.

or

3. Combination of the above two

Is that correct?

No, there are truly only two options for devices which are not natively supported in MARS:

1. Send the log data directly to MARS and analyze it with a custom parser;

2. Send the log data to a syslog server which in turn sends it to MARS, and then analyze it with a custom parser.

Both options require a custom parser. You cannot simply redirect from a syslog server without a custom parser and expect MARS to be able to analyze the data.

Hope this helps.

What is the added benefit of using option 2 if option 1 can be achieved?

Option 2 would require extra effort setting up another syslog server etc.

Thanks.

Option 1 in a large network gives you more flexibility when designing your network. If your network grows and you want to add another MARS box, all you need to do is redirect from the syslog server. Also, if you ever needed to re-ip the MARS box all you would do is change the redirect on your syslog server, instead of changing the configurations on all your networking devices. Lastly, many companies have stringent change management windows which makes it much easier to change a syslog server than it is to schedule changes on multiple networking devices.

Hope this helps.
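As an added illustration of the syslog-server route discussed above (not configuration from the thread or from Cisco), here is a minimal syslog-ng 3.x relay that collects from the unsupported devices and forwards to MARS. The MARS address 192.0.2.50, the device subnet 198.51.100.0/24 and the local file path are placeholders; MARS still needs a custom parser for these messages, as the replies above state.

```conf
# Added example: syslog-ng relay in front of MARS for devices MARS does not
# natively support (ACE, GSS). Addresses below are constructed placeholders.

options {
    # Keep the hostname the device put in the message so that MARS (and a
    # custom parser keyed on it) can still tell one reporting device from another.
    keep_hostname(yes);
    use_dns(no);
    # Leave a short on-disk trail on the relay for troubleshooting the parser.
    create_dirs(yes);
};

# Devices send plain-text syslog to the relay on UDP 514.
source s_devices {
    udp(ip(0.0.0.0) port(514));
};

# Only relay traffic from the load-balancer management subnet (placeholder).
filter f_lb { netmask(198.51.100.0/255.255.255.0); };

# MARS listens for syslog on UDP 514. If the MARS box is ever re-IPed or a
# second box is added, this destination is the only line that changes;
# the network devices keep pointing at the relay.
destination d_mars {
    udp("192.0.2.50" port(514));
};

# Local copy kept on the relay for verifying what MARS actually received.
destination d_local_copy {
    file("/var/log/relay/lb-devices.log");
};

log {
    source(s_devices);
    filter(f_lb);
    destination(d_mars);
    destination(d_local_copy);
};
```

Add the `@version:` header your syslog-ng release expects at the top of the file, then check the relay with `syslog-ng -s` before restarting it and confirm the test messages appear in the local copy and in the MARS custom-parser raw message view.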
