MARS Windows 2003 reporting

Apr 1st, 2010

Customer set up SNARE to push the event logs to MARS.

I defined the device and checked the receive box. I assume I don't have to put a username and password as I am receiving. Anyway, to prove it was working I thought I could query on raw events like you can from, say, a Cisco switch. Am I on the right track? Right now I see nothing.

thx again

whanson Fri, 04/02/2010 - 07:56

I can't say I understand what you mean at all but here goes.

I defined a Windows 2003 server to MARS. I set the logging option to receive, as the server is pushing the event logs to MARS using SNARE. I did not set a username and password as I am not pulling the event logs, only "receiving" them. I would like to know that MARS is really seeing anything from the server, so I was asking what query I could perform to see the raw events. As an example, I can do a query on a defined ASA and see the streaming syslog from the ASA. Is there a query I can do to make sure MARS is getting the events from the Windows 2003? Clear?

Mykola Srebnyuk Mon, 04/05/2010 - 23:34

Yes, of course.

Go to the tab Query / Reports.

Select your device (Win 2003) and the type of query -->>> Raw messages or All events matching, and that's all.

Under security and monitor devices (tab Admin --->>> System setup) you must select only receive logs under your Win 2003 server.

That's all.

All this is described in the User Guide on cisco.com.

The forum is for things which are not described in it.

Good luck, and let search (Google or something else) help you.

Regards, Nickolas

Anonymous (not verified) Tue, 04/27/2010 - 21:11

I would suggest logging in and out of the server before running a report, to guarantee that some events will be generated.

In addition to what has been mentioned, be sure to set the "DEVICE" field of the report to be only the server you are looking for.

While creating the report, click on "ANY" in the "DEVICE" column. You'll be shown a box on the right to select devices, with selected devices on the left. That should first show "ANY". In the box on the right, in the "All Variables" drop-down box, choose "Device Type: Microsoft Windows 2003". From the list that gets loaded, choose the server you previously added as a security device. Press the arrows that look like <<==, which will move it into the left box.

Make sure the report is set to something like "All matching events", and change the "Filter By Time" to something larger like 30 minutes or an hour.  This will cover the possibility that the server hasn't sent any logs for a little while.

Given that you just logged in and out of the server, you should see SOMEthing.
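The same check the thread describes, done offline against captured SNARE output rather than in the MARS GUI, as an added example that is not part of this thread or of any Cisco or SNARE code: it parses tab-separated SNARE for Windows records (the field layout and the submit-time format are assumptions here), restricts to one device, applies a time window, and reports whether any event, and in particular a Windows 2003 logon/logoff (event IDs 528/538), arrived.

```python
import datetime as dt
from collections import Counter

# Field order of a SNARE for Windows record as assumed here (tab separated,
# syslog header already stripped); real agents may append further fields.
FIELDS = ["host", "tag", "criticality", "log", "counter", "submit_time",
          "event_id", "source", "user", "sid_type", "type", "computer",
          "category", "data"]
TIME_FMT = "%a %b %d %Y %H:%M:%S"   # assumed SNARE submit-time layout
LOGON_IDS = {"528", "538"}          # Windows 2003 Security log: logon / logoff

def parse_time(text):
    return dt.datetime.strptime(text, TIME_FMT)

def parse_snare(line):
    """Return a dict for one SNARE record, or None if the line is not one."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < len(FIELDS) or parts[1] != "MSWinEventLog":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["time"] = parse_time(rec["submit_time"])
    return rec

def ingestion_check(lines, host, now, window_minutes=30):
    """Summarise what one host delivered inside the last window_minutes.

    Mirrors the advice above: generate a logon/logoff, then look at a single
    device over a 30 minute window and expect at least one event.
    """
    cutoff = parse_time(now) - dt.timedelta(minutes=window_minutes)
    events, logons, by_id = 0, 0, Counter()
    for line in lines:
        rec = parse_snare(line)
        if rec is None or rec["host"].lower() != host.lower():
            continue
        if rec["time"] < cutoff:
            continue                      # too old for the report window
        events += 1
        by_id[rec["event_id"]] += 1
        if rec["event_id"] in LOGON_IDS:
            logons += 1
    return {"events": events, "logons": logons, "by_id": dict(by_id),
            "receiving": events > 0}

# Constructed sample records, not real data.
SAMPLE = [
    "WIN2K3-01\tMSWinEventLog\t1\tSecurity\t101\tFri Apr 02 2010 07:50:12\t528\tSecurity\tAdministrator\tUser\tSuccess Audit\tWIN2K3-01\tLogon/Logoff\tSuccessful Logon",
    "WIN2K3-01\tMSWinEventLog\t1\tSecurity\t102\tFri Apr 02 2010 07:51:03\t538\tSecurity\tAdministrator\tUser\tSuccess Audit\tWIN2K3-01\tLogon/Logoff\tUser Logoff",
    "WIN2K3-01\tMSWinEventLog\t0\tSystem\t90\tFri Apr 02 2010 06:10:00\t7036\tService Control Manager\tN/A\tN/A\tInformation\tWIN2K3-01\tNone\tService entered the running state",
    "OTHERHOST\tMSWinEventLog\t1\tSecurity\t5\tFri Apr 02 2010 07:55:00\t528\tSecurity\tbob\tUser\tSuccess Audit\tOTHERHOST\tLogon/Logoff\tSuccessful Logon",
]

if __name__ == "__main__":
    print(ingestion_check(SAMPLE, "WIN2K3-01", "Fri Apr 02 2010 07:56:00"))
```

A host that shows `"receiving": False` over a generous window is the case where the agent or the MARS device definition, not the report, needs a second look.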
