Integration of IronPort into CS-MARS

Unanswered Question
May 17th, 2010

Can anyone advise on how to integrate IronPort into CS-MARS? Thanks.

lekchandmantri Mon, 05/17/2010 - 07:47

Hi halijenn,

Thanks for your prompt response.

I agree, but we can add IronPort as a custom device and write custom log parsers for it. I am confused about which logs we need to capture and write parsers for, as IronPort does not provide the message log in one line; I mean it breaks it into pieces and maintains a MID for each line.

Secondly, I have set up a custom device and received messages, but then I got a "Buffer overflow" error message in IronPort and it stopped sending logs to CS-MARS.

Can you please advise on what could be the cause of this?

I would really appreciate it if you could advise on some interesting things which we can log into CS-MARS from IronPort. Thanks.

Jennifer Halim Tue, 05/18/2010 - 02:24

What logs is the IronPort device sending? Syslog messages or SNMP traps? Generally MARS pretty much just takes syslog and/or SNMP. Other types of logging are normally pretty difficult to parse in MARS, and require a complex custom parser to be written.

lekchandmantri Tue, 05/18/2010 - 03:21

I have set things up to receive syslog messages from IronPort. We configured IronPort to push syslog maillog messages to CS-MARS. It received them for a while and then stopped, giving an error in IronPort something like "CS-MARS buffer overflow". Below are some messages received from IronPort in CS-MARS.

Parsing error or event type unknown: <22>May 14 12:47:35 MailLog_CSMARS: Info: Message done DCID 61561334 MID 102046326 to RID [1, 2, 3, 4]

Parsing error or event type unknown: <22>May 14 12:47:36 MailLog_CSMARS: Info: MID 102046330 interim AV verdict using Sophos CLEAN

Can you check if anyone has implemented this? Thanks.
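The difficulty described in these posts (one message spread over several mail_log lines, each carrying its MID) is what a custom parser has to solve before MARS can treat a message as one event. The following is an added example, not code from the thread or from Cisco: it keys the syslog lines on MID and folds them into one record per message. The two "Message done" and "interim AV verdict" lines are the ones quoted in the post above; the From:/To: and ICID-only lines, and the addresses in them, are constructed for illustration.

```python
import re

# Constructed example: fold IronPort mail_log syslog lines into one record per MID.
_HDR = re.compile(r'^(?:<\d{1,3}>)?(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) '
                  r'(?P<tag>\S+): (?P<sev>\w+): (?P<msg>.*)$')
_MID = re.compile(r'\bMID (\d+)\b')
_EVENTS = [
    ('done', re.compile(r'^Message done DCID \d+ MID \d+ to RID \[(?P<rids>[\d, ]+)\]')),
    ('verdict', re.compile(r'interim AV verdict using (?P<verdict>\w+ \w+)')),
    ('from', re.compile(r'From: <(?P<addr>[^>]+)>')),        # constructed shape
    ('to', re.compile(r'RID (?P<rid>\d+) To: <(?P<addr>[^>]+)>')),  # constructed shape
]

def parse_line(line):
    """(mid, event, fields), or None when the line has no syslog header or no MID."""
    m = _HDR.match(line.strip())
    mid = _MID.search(m['msg']) if m else None
    if not mid:
        return None
    for name, pat in _EVENTS:
        if ev := pat.search(m['msg']):
            return int(mid[1]), name, dict(ev.groupdict(), ts=m['ts'])
    return int(mid[1]), 'other', {'ts': m['ts'], 'text': m['msg']}

def consolidate(lines):
    """One record per MID: sender, RID->recipient map, AV verdict, delivery-done flag."""
    recs = {}
    for line in lines:
        if (parsed := parse_line(line)) is None:
            continue  # header-only or ICID-only lines carry no per-message state
        mid, event, f = parsed
        r = recs.setdefault(mid, {'from': None, 'to': {}, 'verdict': None, 'done': False, 'rids': []})
        if event == 'from':
            r['from'] = f['addr']
        elif event == 'to':
            r['to'][int(f['rid'])] = f['addr']
        elif event == 'verdict':
            r['verdict'] = f['verdict']
        elif event == 'done':
            r['done'], r['rids'] = True, [int(x) for x in f['rids'].split(',')]
    return recs

# Sample input: the two lines quoted in the thread plus constructed From:/To:/ICID-only lines.
SAMPLE = [
    "<22>May 14 12:47:30 MailLog_CSMARS: Info: MID 102046326 ICID 9001 From: <alice@example.test>",
    "<22>May 14 12:47:31 MailLog_CSMARS: Info: MID 102046326 ICID 9001 RID 1 To: <bob@example.test>",
    "<22>May 14 12:47:35 MailLog_CSMARS: Info: Message done DCID 61561334 MID 102046326 to RID [1, 2, 3, 4]",
    "<22>May 14 12:47:36 MailLog_CSMARS: Info: MID 102046330 interim AV verdict using Sophos CLEAN",
    "<22>May 14 12:47:37 MailLog_CSMARS: Info: New SMTP ICID 9002 interface Data 1",  # no MID, skipped
]
```

Running `consolidate(SAMPLE)` yields two records: MID 102046326 with its sender, recipient for RID 1, and delivery to RIDs 1-4 marked done, and MID 102046330 with only a "Sophos CLEAN" verdict and no delivery yet.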
