SYSLOG managers for CS-MARS

Unanswered Question
Apr 7th, 2009

Hi all,

I have a question about "syslog" and "Cisco MARS".

We have the Snare Event Reporter for sending syslog to CS-MARS. I would like to know if there is another software compatible with the appliance ...

I know there is another similar event handler which is called "event reporter".

And I would like to confirm if this is compatible with CS-MARS; if not, please, could you tell me if there is any other software I can work with?

Thank you in advance and best regards.

patwill66_2 Tue, 04/07/2009 - 10:13

You can use any syslog exporter out there, but the problem is when the log is received by MARS, if MARS can parse it or not. MARS is looking for specific fields for data and if they are not there, it will just log the message as Unknown Event Type.

I had this issue when I got MARS up and running in my company. I had Datagram Syslog Agent installed on a lot of servers, which is way better than SNARE, but MARS wouldn't recognize the message. Look below for an example of a log message, one sent with Syslog Agent and the other with SNARE. After I saw the difference between the two messages, it was obvious why Syslog Agent was not working for me.

Since then, I have had to start rolling out SNARE to all my servers. It's possible to create a custom parser for MARS to accept a different format, but it seemed much easier to just switch over to SNARE.

Syslog Agent

12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort abortedFor more information, see Help and Support Center athttp://www.mysql.com.

SNARE

12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted For more information, see Help and Support Center at http://www.mysql.com. <009>17
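To make the difference between the two messages concrete, here is an added example (not code from the thread, and not the MARS parser itself) that models what a field-driven parser does with each format. The `<009>` sequences in the SNARE line above are how the receiver displayed the tab character (ASCII 9), so the SNARE payload is really a tab-delimited record introduced by the `MSWinEventLog` tag. The two sample lines below are constructed from the post with placeholder addresses, and the field names assigned to the SNARE columns are assumed labels, not names taken from Cisco or Snare documentation.

```python
import re

# Constructed samples modelled on the two messages in the post above.
# Real tab characters stand in for the <009> shown by the syslog viewer.
SNARE_LINE = (
    "Dec 17 08:29:57 10.0.0.5 MSWinEventLog\t1\tApplication\t22\t"
    "Wed Dec 17 08:29:52 2008\t100\tMySQL\tUnknown User\tN/A\tError\t"
    "10.0.0.5\tNone\t\tmysqld-nt: Sort aborted\t17"
)
SYSLOG_AGENT_LINE = (
    "Dec 17 08:31:02 10.0.0.5 mysql[error] 100 mysqld-nt: Sort aborted"
)

# Assumed labels for the tab-separated columns that follow the MSWinEventLog
# tag; the order matches the sample line, the names are this example's own.
SNARE_FIELDS = [
    "criticality", "log_name", "snare_counter", "event_time", "event_id",
    "source", "user", "sid_type", "event_type", "computer", "category",
    "data", "message", "checksum",
]
MIN_FIELDS = 13  # everything up to and including the message text

# BSD-style syslog header: "MMM dd HH:MM:SS host payload"
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$",
    re.S,
)


def _unknown(reason):
    """What a field-driven parser falls back to when the layout is unfamiliar."""
    return {"recognized": False, "event_type": "Unknown Event Type", "reason": reason}


def parse_event(line):
    """Parse one syslog line; structured fields only come out of the SNARE layout."""
    m = _HEADER.match(line)
    if not m:
        return _unknown("no syslog header")
    tag, sep, rest = m.group("payload").partition("\t")
    if not sep or tag != "MSWinEventLog":
        # Free-text payload (the Syslog Agent case): nothing to map fields onto.
        return _unknown("payload is not a tab-delimited MSWinEventLog record")
    fields = rest.split("\t")
    if len(fields) < MIN_FIELDS:
        return _unknown("too few fields: %d" % len(fields))
    event = dict(zip(SNARE_FIELDS, fields))
    event.update(
        recognized=True,
        reporting_host=m.group("host"),
        received_at=m.group("ts"),
    )
    return event


def summarize(lines):
    """Count how many lines would land in the Unknown Event Type bucket."""
    counts = {"recognized": 0, "unknown": 0}
    for line in lines:
        counts["recognized" if parse_event(line)["recognized"] else "unknown"] += 1
    return counts


if __name__ == "__main__":
    for sample in (SNARE_LINE, SYSLOG_AGENT_LINE):
        print(parse_event(sample))
    print(summarize([SNARE_LINE, SYSLOG_AGENT_LINE]))
```

Run as-is, the SNARE line yields a record with `event_id`, `event_type` and `message` populated, while the Syslog Agent line comes back as `Unknown Event Type`: the same MySQL error was sent twice, and only the layout decided whether it could be classified. That is the check worth doing before choosing an agent for any correlation engine: capture one raw message from it and confirm every field the engine keys on is present and delimited the way its parser expects.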
