ASK THE EXPERT - CS MARS APPLIANCES

Sep 25th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn more about design and implementation of CS-MARS in enterprise networks with Cisco expert Jazib Frahim. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Frahim is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Frahim holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has presented at Networkers on multiple occasions. He recently authored the book "Cisco ASA, all-in-one firewall, IPS and VPN appliance."


Remember to use the rating system to let Jazib know if you have received an adequate response.


Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 9, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

pmccubbin Fri, 09/25/2009 - 12:38

Hi Jazib,


This was fortuitous that this ask the expert appeared just when I had posted a question on the Cisco Forum which required an expert. Please forgive the redundancy.


Can CiscoWorks redirect syslogs to MARS and will MARS be able to correlate the information? Would this require a Custom Parser and can MARS do this natively?


If MARS cannot do this, is it on the Roadmap?


Thank you in advance!


Paul

tech_trac Sat, 09/26/2009 - 10:42

Hello Jazib,


Is it possible to send syslog/SNMP traps from Cisco MDS switch SAN-OS to the MARS appliance?


If not, then would you know of any Cisco or non-Cisco alternative.


Thanks.

bhawkins Sun, 09/27/2009 - 19:42

Hello Paul, instead of forwarding Syslog messages I would suggest looking into Syslog-NG. Syslog-NG allows you to have multiple clients view the same Syslog messages. You would make CiscoWorks LMS and CS-MARS both clients on Syslog-NG. Additionally I would suggest storing your Syslog messages in a database to allow for rapid searches and reporting.

jfrahim Wed, 09/30/2009 - 03:35

Thanks for the quick reply

-Jazib

jfrahim Wed, 09/30/2009 - 03:32

Hi Paul,

MARS supports syslog relay, so as long as the CiscoWorks server is relaying syslog messages to MARS, it should work.

Hope that helps

-Jazib
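Added example, not code from this thread or from Cisco: a minimal fan-out syslog relay of the kind bhawkins and Jazib describe, in Python. It copies every UDP syslog datagram to more than one collector (a MARS and an LMS host, here TEST-NET placeholder addresses), and it shows the one thing that makes relaying work for correlation: every message must still carry the hostname or IP of the device that produced it. A message that lacks a proper RFC 3164 header (Cisco IOS without `logging origin-id`, for instance) is wrapped in one naming the sender's IP, otherwise every collector behind the relay attributes the event to the relay. The sample messages are constructed; the header layout, the collector addresses and `SAMPLE_TIME` are assumptions for the demonstration.

```python
"""Fan-out syslog relay (illustrative code, not Cisco's). Listens for UDP
syslog, makes sure every message names its origin, then copies it to every
collector."""
import re
import socket
from datetime import datetime

# Hypothetical collectors (TEST-NET addresses): set to your MARS and LMS hosts.
COLLECTORS = (("192.0.2.10", 514), ("192.0.2.20", 514))
SAMPLE_TIME = datetime(2009, 10, 1, 5, 44, 1)  # fixed clock so the examples are reproducible

_PRI = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header after the PRI: "Mmm dd hh:mm:ss", space, hostname, space, message
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$", re.S)
_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*$")


def split_pri(line):
    """Return (priority, remainder). Priority is None when absent or out of range."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:
        return None, line
    return int(m.group(1)), line[m.end():]


def parse_rfc3164(line):
    """Parse a well-formed RFC 3164 message into its parts, or return None."""
    pri, rest = split_pri(line)
    m = _HEADER.match(rest)
    if pri is None or not m or not _HOST.match(m["host"]):
        return None
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
            "host": m["host"], "msg": m["msg"]}


def tag_origin(line, src_ip, now=None):
    """Return the line unchanged if it already names its origin host; otherwise
    wrap it in a header naming the sending IP so collectors behind the relay
    attribute it to the device, not to the relay. Caveat: src_ip is whatever the
    UDP header says; UDP syslog is unauthenticated, so a spoofed source is
    attributed as-is."""
    if parse_rfc3164(line) is not None:
        return line
    pri, body = split_pri(line)
    if pri is None:
        pri = 13  # user.notice, the RFC 3164 default for messages without a PRI
    now = now or datetime.now()
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{ts} {src_ip} {body}"


def relay_datagram(data, src_ip, sock, collectors=COLLECTORS, now=None):
    """Tag one received datagram and copy it to every collector. Returns the text sent."""
    line = data.decode("utf-8", errors="replace").rstrip("\r\n")
    out = tag_origin(line, src_ip, now)
    for host, port in collectors:
        sock.sendto(out.encode("utf-8"), (host, port))
    return out


def run_relay(listen=("0.0.0.0", 514), collectors=COLLECTORS):
    """Blocking receive loop. Binding port 514 needs root or an equivalent capability."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, (src_ip, _port) = sock.recvfrom(65535)
        relay_datagram(data, src_ip, sock, collectors)


if __name__ == "__main__":
    # Constructed samples: an IOS message with a hostname (left alone) and one
    # without a usable header (tagged with the sender's address).
    print(tag_origin("<189>Oct  1 05:44:01 core-sw1 %SYS-5-CONFIG_I: Configured from console by vty0",
                     "10.0.0.5"))
    print(tag_origin("<189>1234: *Mar  1 00:00:00.000: %SYS-5-CONFIG_I: Configured from console by vty0",
                     "10.0.0.5", now=SAMPLE_TIME))
```

The relay only helps if each origin device is also defined as a reporting device in MARS; MARS still keys the event on the host named in the header, so a relay that rewrites or drops that host silently turns every device into "unknown reporting device".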

daniel.litwin Mon, 09/28/2009 - 10:29

Can you describe any future ties-ins for MARS and the ASA BotNet filter? Will MARS be able to act upon BotNet traffic generated by the ASAs?

jfrahim Wed, 09/30/2009 - 03:38

Hi there,

Unfortunately, I cannot discuss MARS future roadmap here. I would suggest discussing it with your account team as they can provide you with that information

my apologies

-Jazib

daniel.litwin Mon, 09/28/2009 - 10:33

After reading through the Cisco documentation, I still find it very difficult to setup a custom parser. I see several user contributed packages on NetPro, but they are few and far between. I would like an easier way to create them for my organization. Are there any companies that will write parsers, either free or paid?

jfrahim Wed, 09/30/2009 - 03:41

Hi Daniel,

You can discuss it with your Cisco account team. They can engage the Cisco Advanced Services team for a paid engagement to assist you.

Hope that helps

-Jazib

tech_trac Wed, 09/30/2009 - 05:02

Hi Jazib,


I would just like to dump all the information sent by the reporting device (MDS switch) as free text, i.e. no parsing required. Would I still have to use the MARS Custom Parser for this? If so, how can I use the parser to achieve this?


I also do not want MARS to apply its features to this log obviously due to the lack of parsed information.


Thanks.

jfrahim Thu, 10/01/2009 - 05:44

Hi there,

It seems like you just want to use the MARS box as a log server. If you do that, all messages will be marked as unknown event types and you won't be able to run any meaningful reports.

-Jazib

HEATH FREEL Wed, 09/30/2009 - 06:39

Hi Jazib,


This morning my MARS appliance seems to have stopped everything. I cannot access the GUI and when we SSH we can log in but most commands return "No such file or directory". I can look at disk usage (Looks OK) but I cannot even open the help file. "Could not create help file."


I can issue the sysstatus command and everything looks good. 62 total tasks, 1 Running 61 Sleeping, 0 stopped, 0 zombie.


A reboot did nothing.

Is there a quick and dirty recovery command or could it be something else?


I have been backing up the config and logs nightly.


Thanks,


Heath

jfrahim Wed, 09/30/2009 - 18:04

Hi Heath,

What version of MARS software are you running? There were a few issues in the past but not sure if you are running into any of them.

Is there any other error message you see on your appliance?

-Jazib

HEATH FREEL Thu, 10/01/2009 - 03:06

Our MARS is running 6.0.3 - we were able to recover with a physical reboot - but then a similar situation came up about an hour later. We went through the logs but did not see any error messages. It would appear that we only had access to "core" OS commands.


All is good right now, but I'm a little concerned that the next time it may not recover.

rmoneal Wed, 09/30/2009 - 11:40

I have a MARS-100e and have upgraded to 6.0.3. I've added devices and have monitor=yes. I'm getting some NetFlow data from these devices, but looking at Network Status at Top Sources or Destinations it doesn't look like I'm seeing all clients or servers. What are some configurations I need to do or look at?

jfrahim Wed, 09/30/2009 - 17:56

Hi there,

If you are receiving NetFlow data from the layer 3 devices then the MARS just reports on what it receives. Are you sure that the clients/servers you are not seeing are being reported by your layer 3 devices?

-Jazib

rmoneal Thu, 10/01/2009 - 04:59

I have my 2 cores and several distribution routers reporting, but will check their configs again. Is there a way on MARS to see who is sending the NetFlow info? Does MARS take all the NetFlow info from all reporting devices and combine this into 1 report?

Thanks!

jfrahim Thu, 10/01/2009 - 05:51

Hi there,

There are many ways to find out if your MARS is getting info from specific devices:

1) Issue the "sh ip flow export" command on the layer 3 devices to see if they are sending flows to MARS

2) If you are saving flow information in the MARS database, you can run specific reports on the reporting device and see if NetFlow information is there

3) Not preferred, but you can use the tcpdump command from the CLI and see if flow exports are being received from specific devices

-Jazib
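Added example, not code from this thread or from Cisco, for option 3 above: once you have captured the UDP payloads arriving on the NetFlow port (with tcpdump or similar), this Python decoder reads NetFlow v5 exports and answers the two questions being asked here, which exporters MARS is actually hearing from and how many flows each sends, and whether traffic to a given destination port (445 is the one raised later in this thread) is present in what it receives at all. The export datagrams are constructed in-line from the v5 wire format so the script runs offline; the exporter addresses and flows are invented sample data, not captured traffic.

```python
"""Decode NetFlow v5 export datagrams and summarise them per exporter and per
destination port. Illustrative code, not MARS's own; the packets below are
constructed in-line so the script runs offline."""
import socket
import struct
from collections import Counter

V5_HEADER = struct.Struct(">HHIIIIBBH")                  # 24 bytes
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")    # 48 bytes
V5_MAX_RECORDS = 30                                      # per the v5 format


def decode_v5(payload):
    """Parse one UDP payload. Raises ValueError on anything that is not a
    well-formed v5 export, so a stray packet on the NetFlow port is noticed
    rather than silently counted."""
    if len(payload) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    (version, count, _uptime, _secs, _nsecs, sequence,
     _etype, _eid, sampling) = V5_HEADER.unpack_from(payload, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > V5_MAX_RECORDS or len(payload) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"bad record count {count} for {len(payload)} bytes")
    flows = []
    for i in range(count):
        (src, dst, _nh, _inp, _outp, pkts, octets, _first, _last,
         sport, dport, _pad, flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = V5_RECORD.unpack_from(payload, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                      "sport": sport, "dport": dport, "proto": proto,
                      "pkts": pkts, "octets": octets, "tcp_flags": flags})
    # Top two bits of the sampling field are the mode, the low 14 bits the interval.
    return {"sequence": sequence, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def build_v5(flows, sequence=0):
    """Build a v5 export from (src, dst, sport, dport, proto, pkts, octets) tuples.
    Only used to construct sample input here; a router does this for real."""
    header = V5_HEADER.pack(5, len(flows), 123456, 1254376800, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                       pkts, octets, 0, 0, sp, dp, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, pkts, octets in flows)
    return header + body


def summarize(datagrams):
    """datagrams: iterable of (exporter_ip, payload). Returns flows per exporter
    and octets per (proto, dst port): who is really exporting, and whether a
    given port's traffic is in what the collector receives."""
    per_exporter = Counter()
    octets_by_dport = Counter()
    for exporter_ip, payload in datagrams:
        rec = decode_v5(payload)
        per_exporter[exporter_ip] += len(rec["flows"])
        for f in rec["flows"]:
            if f["proto"] in (6, 17):       # TCP/UDP only; ports mean nothing otherwise
                octets_by_dport[(f["proto"], f["dport"])] += f["octets"]
    return per_exporter, octets_by_dport


# Constructed sample: two core routers exporting, three flows and two flows.
SAMPLE_DATAGRAMS = [
    ("10.1.0.1", build_v5([
        ("192.168.10.25", "192.168.20.7", 49152, 445, 6, 120, 150000),
        ("192.168.10.25", "192.168.20.8", 49153, 445, 6, 100, 130000),
        ("192.168.10.31", "203.0.113.9", 51000, 443, 6, 40, 52000)], sequence=0)),
    ("10.1.0.2", build_v5([
        ("192.168.30.4", "192.168.20.7", 40000, 445, 6, 10, 12000),
        ("192.168.30.4", "192.168.1.53", 53123, 53, 17, 2, 180)], sequence=0)),
]

if __name__ == "__main__":
    exporters, ports = summarize(SAMPLE_DATAGRAMS)
    for ip, n in exporters.most_common():
        print(f"exporter {ip}: {n} flows")
    for (proto, port), octets in ports.most_common(5):
        print(f"proto {proto} dport {port}: {octets} octets")
```

If a client or server never shows up in this summary, MARS cannot show it either: a host is only visible if some exporting router has NetFlow enabled on an interface its traffic actually crosses. The sequence number in each header is also worth watching, since gaps there mean exports are being dropped between the router and MARS.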

prashantb Wed, 09/30/2009 - 20:07

Hi,


I have a VPN Concentrator 3030 (H/W) and need config assistance. I just want to know: if I select a link rate lower than the existing link capacity, will it affect the remote users' performance?

Currently the link rate is defined as 1554 kbps.


Thanks

Prashant

tech_trac Thu, 10/01/2009 - 00:23

Hi Jazib,


Awaiting your reply to my post above.


Thanks.

jfrahim Thu, 10/01/2009 - 05:53

Hi there,

Just responded to you earlier.

Hope that helps

-Jazib

jfrahim Thu, 10/01/2009 - 05:41

Hi Prashant,

This forum is for CS-MARS.

Thanks

-Jazib

tech_trac Thu, 10/01/2009 - 06:24

Hi Jazib,


I would like to use MARS just as a plain logger for the Cisco MDS switch only, since it is not a supported device.


I had tried adding it under "Generic Unknown Router" but it fails to establish connectivity.


Can I use MARS as a free text logger for Cisco MDS. If so, please advise how ?


Thanks.

jfrahim Thu, 10/01/2009 - 08:06

Hi there,

You should be able to do that by following the steps below:


a) Under “Security and monitor devices”, add a device as “Add SW security apps on new host”

b) Configure the device name and the Access/Reporting IP address

c) Under “Logging info” select “Receive”

d) Under “Enter interface information” enter the IP address for Eth0 (the interface sending logs)

e) Click Apply and done


burleyman Fri, 10/02/2009 - 03:49

We just got our MARS box back from a vendor and they put a login and password on it and they do not know what it is...they gave me a list of ones they thought it was but none worked. Is there a password recovery procedure for these?


Thanks,

Mike

kashi_login Sat, 10/03/2009 - 08:16


I want all Windows event logs to be sent to MARS. Which does Cisco recommend, push or pull? And what would be the prime criteria to pick either one of them?

jfrahim Sun, 10/04/2009 - 17:54

Hi Kashi,

I would recommend the push model. This is because the MARS is not spending any cycles in contacting each windows box and pulling events.

This is from MARS documentation:

==============

The pull method not only requires system resources for correlating, but also for contacting and pulling the event data from each host. It also operates in a single process, completing the pull from one device before moving to the next. As a result, the pull method may take much longer to cycle through all of the reporting devices as the number of devices grows.


The push method is more efficient in terms of resource utilization on the MARS Appliance and in terms of how quickly the MARS Appliance can be made aware of event data, but it requires that you install and configure the Snare Agent for Windows on the Microsoft Windows host. The Snare Agent pushes event data from the servers to MARS in near real time, when an audit event occurs, the agent sends a syslog message to MARS that details the event. It is also more efficient and timely in that each Snare Agent is able to act independently rather than being bound by a single process as with the pull method.

kashi_login Sun, 10/04/2009 - 18:08

Thanks for the reply. I had same view from Cisco docs but wanted to confirm from your experience.


I've configured a few Windows servers to send event logs via Snare to MARS. But how do I get MARS to pick and send alerts for only Warning and Critical events?


Does it require that a new rule be defined, or can an existing one be modified?


How does MARS identify which one is Warning or Critical from the scores of events that it would receive?



jfrahim Sun, 10/04/2009 - 18:11

Hi Kashi,

If you are interested in specific events (critical or warning) and do not want to rely on the built-in MARS rules, then you can define your own rules with those specific events. You can specify how you want to be alerted when those rules are triggered.

-Jazib

kashi_login Mon, 10/05/2009 - 09:20

Hi Jfrahim,


Two things here:


a. Does MARS have inbuilt rules that can pick up (critical or warning) events from incoming Windows event logs and alert? If yes, what are they? Please at least mention one rule.


b. If point a is true, how does MARS know if the event is critical or warning, or is that something we have to manually define in the rule?

If yes, can you please give an example.


c. In any case, can you give an example of how to write a rule for MARS to pick and alert for critical or warning event logs?


Kashi

jfrahim Mon, 10/05/2009 - 13:33

Hello Kashi,

For a), you can go to Management > Event Management and select Microsoft Windows specific messages for the device type. It will show you MS message types and their mapping to MARS events and groups.


For b), each MS event is mapped to an event message in MARS. So a critical MS message is mapped to a critical MARS event message. You can see the example by browsing to the location specified in a).


For c), a better approach to write a rule is to define a query based on what you want to see. Towards the end of the query, MARS gives you an option to save the query as a rule.


Hope this helps

-Jazib
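Added example, not code from this thread, from Cisco or from the Snare project: the selection logic behind the "alert only on Warning and Critical" rule discussed in this exchange, written out in Python over the tab-delimited syslog lines the Snare agent pushes to MARS. It parses each line into its fields, takes the Windows event-log type (Error, Warning, Failure Audit, ...) as the severity MARS would map, and alerts on those types plus a short list of event IDs that Windows logs as Information or Success Audit but that nobody wants to miss (audit log cleared, account created, member added to a local group). The field order after the `MSWinEventLog` marker is an assumption based on the Snare agent's documented layout; verify it against your own agent's output. The sample lines are constructed, not captured from a real host.

```python
"""Parse Snare-format Windows event syslog lines and decide which ones should
raise an alert. Illustrative code, not MARS's rule engine. Assumption: the
tab-delimited layout below follows the Snare for Windows agent's documented
field order; the sample lines are constructed."""
import re

# Fields that follow the "MSWinEventLog" marker, in order (assumed layout).
SNARE_FIELDS = ["criticality", "source_log", "counter", "submit_time", "event_id",
                "source_name", "user_name", "sid_type", "event_log_type",
                "computer_name", "category", "data", "expanded"]
MARKER = "MSWinEventLog"
_PRI = re.compile(r"^<(\d{1,3})>")

# Event-log types worth alerting on regardless of event ID.
ALERT_TYPES = {"Error", "Warning", "Failure Audit"}
# Event IDs worth alerting on even when Windows logs them as Information or
# Success Audit: Vista/2008+ IDs paired with their Windows 2003 equivalents.
WATCHED_EVENT_IDS = {
    1102, 517,   # audit log cleared
    4720, 624,   # user account created
    4732, 636,   # member added to a security-enabled local group
}


def parse_snare(line):
    """Return a dict of the event's fields, or None if the line is not Snare format."""
    pos = line.find(MARKER)
    if pos < 0:
        return None
    header = line[:pos]
    m = _PRI.match(header)
    pri = int(m.group(1)) if m else None
    header = header[m.end():] if m else header
    tokens = header.split()                  # tolerates space or tab separators
    host = tokens[-1] if tokens else ""
    values = line[pos + len(MARKER):].split("\t")[1:]   # drop the empty slot before the first tab
    ev = dict(zip(SNARE_FIELDS, values))
    ev.setdefault("event_log_type", "")
    try:
        ev["event_id"] = int(ev.get("event_id", ""))
    except ValueError:
        ev["event_id"] = -1                  # malformed ID: never silently matches a watched ID
    ev["host"] = host
    ev["syslog_severity"] = None if pri is None else pri & 7
    return ev


def should_alert(ev, alert_types=ALERT_TYPES, watched_ids=WATCHED_EVENT_IDS):
    """The match a 'Warning and Critical only' rule would encode."""
    return ev["event_log_type"] in alert_types or ev["event_id"] in watched_ids


def triage(lines):
    """Return (host, event_id, type) for each alerting line. Unparsable lines are
    reported as type 'unparsed' so they are not silently dropped."""
    out = []
    for line in lines:
        ev = parse_snare(line)
        if ev is None:
            out.append(("?", -1, "unparsed"))
        elif should_alert(ev):
            out.append((ev["host"], ev["event_id"], ev["event_log_type"]))
    return out


# Constructed sample lines (not captured from a real host).
SAMPLE_LINES = [
    "<13>Oct  5 09:20:01 WIN-DC1\tMSWinEventLog\t1\tSecurity\t1001\tMon Oct 05 09:20:01 2009\t4625"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tFailure Audit\tWIN-DC1\tLogon"
    "\tAn account failed to log on.  Account Name: admin  Source Network Address: 10.0.0.99\t\t",
    "<13>Oct  5 09:20:02 WIN-DC1\tMSWinEventLog\t1\tSystem\t1002\tMon Oct 05 09:20:02 2009\t7036"
    "\tService Control Manager\tN/A\tN/A\tInformation\tWIN-DC1\tNone"
    "\tThe Print Spooler service entered the running state.\t\t",
    "<13>Oct  5 09:20:03 WIN-FS2\tMSWinEventLog\t2\tApplication\t1003\tMon Oct 05 09:20:03 2009\t1530"
    "\tMicrosoft-Windows-User Profiles Service\tN/A\tN/A\tWarning\tWIN-FS2\tNone"
    "\tWindows detected your registry file is still in use.\t\t",
    "<13>Oct  5 09:20:04 WIN-DC1\tMSWinEventLog\t1\tSecurity\t1004\tMon Oct 05 09:20:04 2009\t4624"
    "\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tWIN-DC1\tLogon"
    "\tAn account was successfully logged on.\t\t",
    "<13>Oct  5 09:20:05 WIN-DC1\tMSWinEventLog\t1\tSecurity\t1005\tMon Oct 05 09:20:05 2009\t1102"
    "\tMicrosoft-Windows-Eventlog\tAdministrator\tUser\tSuccess Audit\tWIN-DC1\tLog clear"
    "\tThe audit log was cleared.\t\t",
    "this line is not a Snare event",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

The point of the watched-ID set is the caveat hidden in Jazib's answer: a rule that matches only on the severity MARS derives from the Windows event type will never fire on 1102 (audit log cleared), because Windows records that as a successful audit. A query saved as a rule should therefore combine severity with the specific event types you care about, not rely on severity alone.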

kashi_login Mon, 10/05/2009 - 17:18

Hi Jazib,


I intend to direct all syslog messages from our Kiwi syslog server to MARS.


a) In this case too, is there a mapping to MARS events and groups for critical and warning syslog messages?


b) Once I direct the syslogs, it's obvious that the local database of MARS would start getting filled up (MARS 100 model). Is there a way I can track on a daily basis how much of the database is being filled up, and how much is free?


c) Once I direct syslogs to MARS, how can I know how many events/sec MARS is accepting, or for that matter even otherwise?


Kashi

jfrahim Tue, 10/06/2009 - 06:34

Hi Kashi,

Please see my responses below:


a) In this case too, is there a mapping to MARS events and groups for critical and warning syslog messages?

Jazib>> Yes, and you can see that once you go to Event Management.


b) Once I direct the syslogs, it's obvious that the local database of MARS would start getting filled up (MARS 100 model). Is there a way I can track on a daily basis how much of the database is being filled up, and how much is free?

Jazib>> You can use the diskusage command:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/command/reference/cref1.html#wp1136757



c) Once I direct syslogs to MARS, how can I know how many events/sec MARS is accepting, or for that matter even otherwise?

Jazib>> On the main dashboard, MARS indicates how many events it has received in a day. You can average it out to events/sec from that.


Hope that helps

-Jazib


kashi_login Tue, 10/06/2009 - 06:42

Hi Jazib,


This was my last post. Did you reply to this? I don't see your reply.


Hi Jazib,


I intend to direct all syslog messages from our Kiwi syslog server to MARS.


a) In this case too, is there a mapping to MARS events and groups for critical and warning syslog messages?


b) Once I direct the syslogs, it's obvious that the local database of MARS would start getting filled up (MARS 100 model). Is there a way I can track on a daily basis how much of the database is being filled up, and how much is free?


c) Once I direct syslogs to MARS, how can I know how many events/sec MARS is accepting, or for that matter even otherwise?



kashi_login Tue, 10/06/2009 - 06:56

Thanks Jazib for the prompt forwarding of your reply, which I still don't get how I missed.


Jazib, I've configured NetFlow on the edge router and all NetFlow packets are sent to MARS. We usually have traffic spikes for port 445, for both inbound and outbound traffic, which is normally suspicious traffic.


But I have seen that MARS has not been able to report this spike in traffic on port 445. In fact, it does not even show port 445 traffic in top traffic destinations.


What could be causing this? Any configuration issue?


Kashi

kashi_login Wed, 10/07/2009 - 07:44

Hi Jazib,


How do I make DST changes on MARS? I tried to do it via the CLI but it's not getting saved.


Could you please advise?

Kashi

jfrahim Wed, 10/07/2009 - 10:05

Hi Kashi,

If you are using the "timezone" command then it should save the new timezone. After you go through the process, the MARS box restarts a few processes to update this.

-Jazib

kashi_login Wed, 10/07/2009 - 16:47


Yes, I tried that from the CLI, Jazib, to set the 'timezone' for Australia, Victoria state. But though I even tried giving UTC+11 manually, it's taking some other time.


Also, is there a command on the CLI to set NTP server settings, and what are they?


Kashi

kashi_login Fri, 10/09/2009 - 07:07

Jazib,


As I said, though I made the DST change via the MARS CLI, it is getting changed after some time.


Can you please guide me on how to make the DST change permanent?


Kashi

jfrahim Fri, 10/09/2009 - 10:37

Kashi,

It is a permanent change. If it is reverting to a different timezone, I would suggest you open a TAC case where this can be analyzed in detail.

Hope that helps

-Jazib

jfrahim Wed, 10/07/2009 - 09:02

Kashi,

MARS creates a baseline first when it starts receiving the NetFlow data. After the baseline is created (typically takes 7 days), anything above the baseline thresholds is sent as alerts (incidents). So it may not send you an alert if it thinks that it is normal in your network.

Hope that helps

-Jazib

kashi_login Wed, 10/07/2009 - 09:16

Jazib,


Is it possible to know the baseline stats that MARS creates in 7 days ?


jfrahim Wed, 10/07/2009 - 10:08

Kashi,

Not sure if I am following you. The baseline is created based on the traffic profile in your network. If your question is regarding how to view this profile, then the answer is "it is not possible".

-Jazib

Eduardo Aliaga Thu, 10/08/2009 - 22:50

So when using NetFlow, MARS doesn't use the rules to trigger the incidents?


Does MARS adjust this baseline periodically? Or after being created, does this baseline always remain the same?


I couldn't find any queries or reports to show what NetFlow information I am receiving from my devices. Could you tell me what reports or queries are available to do such a thing?
