MARS relay to 3rd party "collector"

Unanswered Question
Jan 29th, 2009
User Badges:

We're experimenting with the option to have MARS relay certain syslogs to another box. If we do this, does this kill / bypass the local log parsing / analysis on MARS - i.e. does MARS ignore any logs that are relayed to another system?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
randytoni Thu, 01/29/2009 - 07:35
User Badges:

ok - I re-read the docs for 4.3 and 6.0 and it appears that the MARS box will process the logs as per usual, with some other limitations around the relay process. But if anyone cares to confirm this, thanks in advance....

rajett Thu, 01/29/2009 - 09:37
User Badges:
  • Cisco Employee,

MARS does not ignore the logs it forwards but there are limitations to the forwarding. Watch your CPU load and be aware that it only forwards syslogs, not RDEP/SDEE IPS logs, Oracle, or RPC gathered Windows logs.

randytoni Thu, 01/29/2009 - 15:49
User Badges:

rajett - thank you once again for your prompt replies - much appreciated

troy.aden Thu, 02/26/2009 - 09:18
User Badges:

Hello there, this is related enough to the context of your thread that I am thinking it will be alright to post here. If not, I apologize in advance. My question relates to MARS forwarding logs to a collector running syslog-ng. I am wondering if there is a way to retain the original source IP info in the syslog messages that MARS forwards to the collector? I have tested it and all logs forwarded from MARS to syslog-ng have the source address of the MARS appliance instead of the originating source of the syslog data. Is there any way around this short of having dual syslog servers configured on every Cisco syslog reporting device?

Thanks in advance!

randytoni Thu, 02/26/2009 - 10:19
User Badges:

I'm sure others (rajett?) will clarify - but fwiw all I can say is that we're probably not going to use the relay feature for that exact reason. I can't see anything in the MARS configs or docs that makes this source IP preservation possible, but I could be wrong of course....


This Discussion