Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
578
Views
0
Helpful
2
Replies

SYSLOG managers for CS-MARS

cprados2008
Level 1
Level 1

‎04-07-2009 09:30 AM

Hi all,

I have a question about “syslog” and “cisco mars”

We have the Snare Event Reporter for sending syslog to CS-MARS, I would like to know if there is

another software compatible with the appliance ...

I know there is another similar event handler which is called "event reporter"

And I would like to confirm if this is compatible whith CS-MARS, if not please, could you tell me if there is any other software I can work with?

Thank you in advance and best regards.

Labels:
0 Helpful
2 Replies 2

patwill66_2
Level 1
Level 1

‎04-07-2009 10:13 AM

You can use any syslog exporter out there, but the problem is when the log is received by MARS, if MARS can parse it or not. MARS is looking for specific fields for data and if they are not there, it will just log the message as Unknown Event Type.

I had this issue when I got MARS up and running in my company. I had Datagram Syslog Agent installed on a lot of servers, which is way better than SNARE, but MARS wouldnt recognize the message. Look below for an example of a log message, one sent with Syslog Agent and the other with SNARE. After I saw the difference between the two messages, it was obvious why Syslog Agent was not working for me.

Since then, I have had to start rolling out SNARE to all my servers. Its possible to create a custom parser for MARS to accept a different format but it seemed mcuh easier to just switch over to SNARE.

Syslog Agent

12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort abortedFor more information, see Help and Support Center athttp://www.mysql.com.

SNARE

12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted For more information, see Help and Support Center at http://www.mysql.com. <009>17

0 Helpful

cprados2008
Level 1
Level 1
In response to patwill66_2

‎04-07-2009 10:45 AM

It is the same problem, ok! I try to do the same!

Thanks!!!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents