Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
451
Views
0
Helpful
2
Replies

Logging questions

bnotonegoro
Level 1
Level 1

‎02-09-2009 02:04 AM

Hi all,

I'm new to CS-MARS and I'm using CS-MARS 100 version 4.3.6 (2841).

After I add a reporting device (a Cisco's switch), I tried to query to check whether the reporting device sending its logs to MARS, but all I get is Generic IOS Syslog message. Is it mean that I get the logs or what? Cause I don't know what should I get on CS-MARS. Btw, I'm using the Event Types ranked by Sessions, 0h:10m for querying.

There is also a problem with a Cisco's router that I have added to CS-MARS. After add using the device type of Cisco IOS 12.2 (the same version as the IOS used on the router), I tried to query it and get the same message as above, which I think it works, then saving the configuration changes on the router and leave it for like an hour. After that I tried to query it again using the same condition on MARS, but I don't any message at all. I checked the configuration there's still logging command reffering to the MARS's IP on the router's configuration. What is happening?

TIA

Labels:
0 Helpful
2 Replies 2

rajett
Cisco Employee
Cisco Employee

‎02-09-2009 10:43 AM

Hello,

How did you define the switch on MARS and what version of IOS is it running? It should be defined as a "Cisco IOS Switch" for proper parsing. Even then there are messages that are not parsed but the ones related to ports up/down and security events are.

What logging level are you doing on the router? If you are running something higher than informational then you won't get very many log messages.

Have you run a report for unknown events to see if there's a possible misconfiguration?

0 Helpful

bnotonegoro
Level 1
Level 1
In response to rajett

‎02-10-2009 01:04 AM

Hi Rajett,

These are the commands I entered to the switch:

logging ip-of-cs-mars

logging source-interface Loopback 1

logging trap 6

Is this the correct one?

It is using IOS version 12.2(18)SXF11, and the device type at MARS is IOS 12.2.

And for the router, what it will be appears as result after querying? is it supposed to be a Generic IOS Syslog message too or not? The same thing also happen to the router, using the same commands as above, but the query only appears for the first time only. It is using the IOS version 12.2(8)T5.

0 Helpful
Customers Also Viewed These Support Documents