We're experimenting with the option to have MARS relay certain syslogs to another box. If we do this, does this kill / bypass the local log parsing / analysis on MARS - i.e. does MARS ignore any logs that are relayed to another system?
ok - I re-read the docs for 4.3 and 6.0 and it appears that the MARS box will process the logs as per usual, with some other limitations around the relay process. But if anyone cares to confirm this, thanks in advance....
MARS does not ignore the logs it forwards but there are limitations to the forwarding. Watch your CPU load and be aware that it only forwards syslogs, not RDEP/SDEE IPS logs, Oracle, or RPC gathered Windows logs.
Hello there, this is related enough to the context of your thread that I am thinking it will be alright to post here. If not, I apologize in advance. My question relates to MARS forwarding logs to a collector running syslog-ng. I am wondering if there is a way to retain the original source IP info in the syslog messages that MARS forwards to the collector? I have tested it and all logs forwarded from MARS to syslog-ng have the source address of the MARS appliance instead of the originating source of the syslog data. Is there any way around this short of having dual syslog servers configured on every Cisco syslog reporting device?
I'm sure others (rajett?) will clarify - but fwiw all I can say is that we're probably not going to use the relay feature for that exact reason. I can't see anything in the MARS configs or docs that makes this source IP preservation possible, but I could be wrong of course....
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
