04-01-2010 01:44 PM
Customer set up SNARE to push the event logs to MARS
I defined the device and checked the receive box. I assume I don't have to put in a username and password as I am receiving. Anyway, to prove it was working I thought I could query on raw events like you can from, say, a Cisco switch. Am I on the right track? Right now I see nothing.
Thanks again
04-02-2010 12:13 AM
Hi,
Try asking the question once more, and slowly.
Regards,
Nickolas
04-02-2010 07:56 AM
I can't say I understand what you mean at all but here goes.
I defined a Windows 2003 server to MARS. I set the logging option to receive, as the server is pushing the event logs to MARS using SNARE. I did not set a username and password, as I am not pulling the event logs, only "receiving" them. I would like to know that MARS is really seeing anything from the server, so I was asking what query I could perform to see the raw events. As an example, I can do a query on a defined ASA and see the streaming syslog from the ASA. Is there a query I can do to make sure MARS is getting the events from the Windows 2003? Clear?
04-05-2010 11:34 PM
Yes, of course.
Go to the tab Query / Reports.
Select your device (Win 2003) and the type of query -->>> Raw messages or All events matching, and that's all.
Under security and monitor device (Tab Admin --->>> System setup) you must select only receive logs under your Win 2003 server.
That's all.
All this stuff is described in the User Guide on cisco.com.
The forum is for things which are not described in it.
Good luck, and let search (Google or something else) help you.
Regards, Nickolas
04-27-2010 09:11 PM
I would suggest logging in and out of the server before running a report, to guarantee that some events will be generated.
In addition to what has been mentioned, be sure to set the "DEVICE" field of the report to be only the server you are looking for.
While creating the report, click on "ANY" in the "DEVICE" column. You'll be shown a box to select which devices on the right side, with selected devices on the left. That should first show "ANY". In the box on the right, in the "All Variables" drop down box, choose "Device Type: Microsoft Windows 2003". From the list that gets loaded, choose the server you previously added as a security device. Press the arrows that look like <<==, which will move it into the left box.
Make sure the report is set to something like "All matching events", and change the "Filter By Time" to something larger like 30 minutes or an hour. This will cover the possibility that the server hasn't sent any logs for a little while.
Given that you just logged in and out of the server, you should see SOMEthing.
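As an added illustration of the check described in this thread (not code from the thread or from Cisco), the script below parses SNARE-for-Windows syslog lines the way a receiver sees them, keeps only those from one Windows 2003 device inside a time window (mirroring the "DEVICE" and "Filter By Time" settings above), and reports whether the logon/logoff events generated by signing in and out actually arrived. The tab-separated SNARE field layout is assumed from the agent's documented format, and the sample lines are constructed, not captured from a real server.

```python
import re
from datetime import datetime, timedelta

# Syslog header followed by SNARE's "MSWinEventLog" marker; the rest is tab-separated.
SNARE_RE = re.compile(r"^<\d+>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MSWinEventLog\t(?P<rest>.*)$")
# Windows 2003 Security log event IDs raised by an interactive/network logon and a logoff.
LOGON_LOGOFF_IDS = {"528", "538", "540"}

def parse_snare(line):
    """Return a dict for one SNARE Windows event line, or None if the line is not SNARE."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    # Assumed SNARE layout: Criticality, EventLogSource, SnareCounter, DateTime, EventID,
    # SourceName, UserName, SIDType, EventLogType, ComputerName, CategoryString, DataString, ...
    f = m.group("rest").split("\t")
    if len(f) < 12:
        return None
    return {"host": m.group("host"), "log": f[1], "counter": int(f[2]),
            "time": datetime.strptime(f[3], "%a %b %d %H:%M:%S %Y"),
            "event_id": f[4], "user": f[6], "category": f[10]}

def events_from_device(lines, device, window_minutes, now):
    """Events from `device` (case-insensitive host match) no older than `window_minutes` before `now`."""
    cutoff = now - timedelta(minutes=window_minutes)
    out = []
    for ln in lines:
        ev = parse_snare(ln)
        if ev and ev["host"].lower() == device.lower() and ev["time"] >= cutoff:
            out.append(ev)
    return out

def logon_logoff_seen(events):
    """True if the login/logout done to generate traffic shows up in the received events."""
    return any(ev["event_id"] in LOGON_LOGOFF_IDS for ev in events)

# Constructed sample feed: two Security events from the server under test, an older System
# event from another host, and an unrelated ASA syslog line that must be ignored.
NOW = datetime(2010, 4, 27, 21, 11, 0)
SAMPLE = [
    "<13>Apr 27 21:05:12 WIN2003-01 MSWinEventLog\t1\tSecurity\t101\tTue Apr 27 21:05:12 2010\t528\tSecurity\tLAB\\jsmith\tUser\tSuccess Audit\tWIN2003-01\tLogon/Logoff\tSuccessful Logon\t101",
    "<13>Apr 27 21:06:40 WIN2003-01 MSWinEventLog\t1\tSecurity\t102\tTue Apr 27 21:06:40 2010\t538\tSecurity\tLAB\\jsmith\tUser\tSuccess Audit\tWIN2003-01\tLogon/Logoff\tUser Logoff\t102",
    "<13>Apr 27 20:30:00 WIN2003-02 MSWinEventLog\t1\tSystem\t55\tTue Apr 27 20:30:00 2010\t7036\tService Control Manager\tN/A\tN/A\tInformation\tWIN2003-02\tNone\tService entered running state\t55",
    "<166>Apr 27 21:07:01 asa-edge %ASA-6-302013: Built outbound TCP connection",
]

if __name__ == "__main__":
    evs = events_from_device(SAMPLE, "WIN2003-01", 30, NOW)
    print(f"{len(evs)} event(s) from WIN2003-01 in last 30 min; logon/logoff seen: {logon_logoff_seen(evs)}")
```

If the device shows zero events even after widening the window, the problem is upstream of the query (agent not sending, wrong destination, or the device not defined as receive-only), not the report filter.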