Syslog on Mars

mdowrich · ‎07-07-2009

Hello there,

I need a solution which sends all logs back to a single central location from all switches routers firewalls and so on.

Now I thought this would be what the MARS box did, but I can't seem to find out how to see the actual syslog messages on it, just events that it has deemed worthy of noting.

Can you confirm whether the Mars can do this. If not I would appreciate any suggestions of other Cisco products which may be suitable.

Thanks in advance

Marc

ldardon · ‎07-13-2009

Cisco Security MARS is placed on a TCP/IP network where it can send and receive syslog messages and Simple Network Management Protocol (SNMP) traps, and can establish secure sessions with deployed network and security devices through standard secure or vendor-specific protocols.

Syslog Forwarding support in Cisco Security MARS will allow Cisco Security MARS to forward syslog messages it receives from syslog sources to another syslog receiver. In earlier Cisco Security MARS releases support for receiving syslog messages from a syslog Relay device was added. Therefore the syslog forwarding feature set in this release enhances support for syslog within Cisco Security MARS, and allows for the insertion of Cisco Security MARS into an already established syslog architecture.

colmfahy · ‎08-26-2009

Just to confirm the MARS does (can) retain all of the original Syslog information - which (i) can be viewed using the option 'view raw event messages', (ii)can be 'relayed' to another Syslog server as already mentioned, and can (iii) even be directly viewed or manipulated when archived off to external disk (following the format set out in the doc files).....

Finally I would note that we use the 'drop' ability to not have the MARS process information we do not want to respond to, but DO want to retain. This allows us to tune what the MARS rules receive to be different from what the MARS appliance receives and stores.

I hope the above makes sense and answers your question.

Colm