Extending existing device types

Unanswered Question
Mar 27th, 2009

Has anybody tried to extend an existing device type? I tried to extend Cisco Secure ACS 3.x with my own parsers, but with no success. The only thing that works is to create a new Device/Application (MANAGEMENT->Device Type Management->Add). I am sure that the parsers I defined worked fine. It is also not possible to have two ACS reporting applications (Only one Instance of ACS SW can be added to a Host.). I have MARS 6.0.1 (3066).

Any help would be appreciated. Thank you very much.

Zdenek Rottenberg

amritpatek Thu, 04/02/2009 - 07:33

You can extend existing device types (or parsers) using one of the following methods on the MANAGEMENT > Device Type Management page:

• Derive From: You can select an existing device type and click Derive From to define a new device type/parser based on an existing definition. This method allows you to support incremental version updates or to classify the device type as a custom device type, which is distinguishable from the base device type.

• Add Device Event Type: You can select an existing device type and click Add Device Event Type to extend the current definition with additional device event type definitions. This method is useful when you want to support additional message types that were not supported by the original device type definition.

The benefit of extending an existing device type is that there is only one device type, so it is simple to manage. However, if there are different event formats for the same device event type to be parsed between an existing device type and a new device type, and you have both device types reporting to MARS, then we recommend that you derive from the existing device type to create a new device type, and configure on the MARS GUI different device types for each of the reporting devices.

rottenberg Fri, 04/03/2009 - 00:30

Thank you very much for your answer. I understand everything you wrote in your response, but what I am saying is that it does not work for me (of course, it is also possible I am doing something wrong).

I tried to create my own device type which was derived from the ACS 3.x device type (created by Cisco). But when I applied this derived device type on my server defined in ADMIN->Security and monitor devices, no incoming SYSLOG messages were parsed by this new derived device type.

For example, with the old Cisco Secure 3.x device type every successful login to a router is translated to the Passed AAA Authentication Event type. When I derived my own device type from the Cisco Secure 3.x device type with no other extensions (I mean without adding my own Event types) and assigned this new derived device type (as a reporting application) to my AAA server (defined in ADMIN->Security and monitor devices), then a login to a Cisco router is translated to Generic AAA Event (Event type). Which is not good behaviour (it should be translated to Passed AAA Authentication again).

So my question is: Have you ever tried to create a derived device type in your real configuration with a successful result? If your answer is yes, then the problem is in my configuration.

