Cisco MARS and MS SQL Server

dmitrysaunin · ‎09-04-2009

In my env. i have multiple MS SQL servers, how can i get a syslog messages to MARS from SQL audit logs?

htarra · ‎09-10-2009

You can rapidly deploy MARS by forwarding messages from existing syslog-ng or Kiwi syslog servers. This feature eliminates the network and device changes required to insert MARS into an operational network. You no longer have to configure each network device to publish its syslog messages directly to MARS, which saves time, avoids device change approval processes, preserves packet processing performance of the network devices, and ensures that daily network operations proceed uninterrupted.

If your network devices already publish syslog messages to syslog-ng or Kiwi syslog servers, simply configure those servers to forward messages to the MARS Appliance and identify the syslog servers in MARS.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.2/release/notes/rn421.html#wp1126959

eegilbert · ‎09-15-2009

I don't think this answers his question since it's about MS SQL server.

There is a thread from Jul 22 2008 that talks about MS SQL. The concensus is that it doesn't work as is. The thread was written over a year ago and looks like it pertains to MARS 5.x

At any rate, you will need to use the SNARE agent to collect this type of information from a windows system.

Erric

dmitrysaunin · ‎09-18-2009

SNARE agent for MS SQL is not a freeware product, do u now another agent for mssql? I just need to collect logs and forward them to cs-mars in syslog packets.