02-09-2010 10:47 AM
Is there anyone who has a custom parser for Cisco ACE?
Can't understand why it isn't included by default as a supported device in Cisco MARS.
04-20-2010 09:44 AM
I can say why.
I requested something for Cisco ACS 5.1, something that would, one would hope, be included in their Security monitoring suite of supported apps.
They submitted a bug about not having it, and it was literally closed due to being able to "add a custom parser", so in short Cisco is telling its customers to go pound sand and do it yourself; we're too lazy to support our products' interoperability.
I've now got to go and create one for it with the piss-poor documentation they have for it and the logs for ACS 5.1.
Good luck getting help with your ACE. We were planning on moving to those as well in the coming months, but this will definitely have an effect on that decision.
04-22-2010 04:03 AM
Hi.
I'm trying to make a custom parser for ACE logs.
And it works fine except for denied ICMP traffic. The problem is that the event ID is the same in ACE (%ACE-4-106023).
The parser checks for protocol type, src IP, src port and so on. ICMP, however, is logged without a src port (pretty obvious), but the parser breaks if it doesn't get a src port.
%ACE-4-106023: Deny icmp src vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]
%ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]
So what I am missing in my parser is an "IF proto=ICMP don't match src&dst ports".
Any ideas how I can make this work?
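One way to express the "ports only when present" rule asked about above, as an added example that is not part of the original post and is not MARS custom-parser syntax: a single Python regular expression for %ACE-4-106023 in which the /port suffixes and the ICMP "(type, code)" clause are optional groups. The sample lines follow the two messages quoted in the post, with constructed placeholder interface names and addresses.

```python
import re

# Constructed samples modelled on the two messages quoted in the post;
# interface names and addresses are placeholders, not real log data.
SAMPLES = [
    '%ACE-4-106023: Deny icmp src vlan10:192.0.2.10 dst undetermined:198.51.100.7 '
    '(type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]',
    '%ACE-4-106023: Deny udp src vlan10:192.0.2.10/6155 dst undetermined:198.51.100.7/6155 '
    'by access-group "access-list" [0xffffffff, 0x0]',
]

# One pattern for the shared event ID. The "/port" suffix on each endpoint and
# the ICMP "(type N, code M)" clause are optional, so a missing port never
# makes the whole match fail.
DENY_RE = re.compile(
    r'%ACE-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))? '
    r'(?:\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\) )?'
    r'by access-group "(?P<acl>[^"]+)"'
)

NUMERIC_FIELDS = ('src_port', 'dst_port', 'icmp_type', 'icmp_code')


def parse_deny(line):
    """Return a dict of fields for a 106023 deny line, or None if it does not match.

    Fields absent from the message (ports for ICMP, type/code for TCP/UDP)
    are returned as None rather than causing a parse failure.
    """
    m = DENY_RE.search(line)
    if m is None:
        return None
    event = m.groupdict()
    for key in NUMERIC_FIELDS:
        if event[key] is not None:
            event[key] = int(event[key])
    return event


if __name__ == '__main__':
    for sample in SAMPLES:
        print(parse_deny(sample))
```
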
08-16-2010 11:41 AM
Fredrik,
Did you ever get your parser to work for the ACE? If so, would you mind sharing it? We have a need to send ACE logs to the MARS and would like not to start from scratch.
Thanks
Dave
11-13-2013 12:51 PM
I'd like this too. My MARS is still going strong and I intend to keep it until support runs out. Trying to get ACE logs to it.