Question about MARS

Feb 16th, 2009

We got a MARS 25r with 2 5510 failover. I think I got logging set up, as in the dashboard of the MARS I see logs from the firewall per se, but not true logs? We were under the impression that MARS would serve as a place we could archive firewall logs for, like, PCI compliance. If it can do this, how do I do this?


What do you mean by true logs? If you are looking for ALL the events from your firewall to show on MARS, go to ADMIN -> Retrieve Raw Messages, and select your desired timings.

I believe that MARS is more than a logs archival agent. In simple words, it takes the logs from whatever devices you configure on it, studies them, filters the more frequent/similar events, and displays to you only the ones that you should worry about. Instead of going through multiple devices and different searching techniques, sitting on a single interface and looking at only severe incidents is real fun :).


Farrukh Haroon Tue, 02/17/2009 - 00:54

Go to Query >> Edit the 'Query Type' >> Select "All Matching Event Raw Messages". Change the time as appropriate, and click on Apply.

Then Edit the "Device" field to only the selected device. This will show you the 'raw events' (true as referred by you).



rajett Tue, 02/17/2009 - 07:04

MARS processes the logs and outputs things for you to look at. It does not show you the raw logs but they are there.

Do the query Farrukh listed and you will be able to see that the logs really are there "under the hood."

This query is the most commonly run query by users that are comfortable with viewing syslog messages directly. It helps with the comfort level for new users that are trying to figure out MARS.


