Just trying to wrap my brain around what I should be sending to a new MARS implementation. We have several interior ASAs (which I have included), several distribution layer switches (which I have included), a WAN router (P2P, which I have included) and a perimeter PIX. Note that our Internet router belongs to our ISP, so pointing that at the MARS is not an option. When I point the PIX to the MARS, reporting is significantly increased (even to the point of not being sure whether incidents are significant or not). We are currently not using any IDS/IPS, so the PIX is pretty much it for the perimeter (we do have a shaper on this side of the PIX). I would like to know what items are "best practice" to point at the MARS. Do you include access layer switches? Do you include servers? Thanks in advance.
You could talk to your ISP about sending the logs to MARS or allowing SNMP read access, many of them will. The firewall information is IMHO the most valuable information MARS can get, so keep the PIX reporting in. The next most valuable data is logs from authentication/access control points. This includes domain controllers, member servers, VPN devices, thin client servers, etc.
As far as "reporting is significantly increased", I assume you mean incidents go up? You will need to tune the system to reduce those to a manageable and [hopefully] meaningful amount. If you don't have significant tuning to do after implementing MARS...then you don't have the right data going into it;-)