ACS 4.1 event type in MARS 5.2

Unanswered Question
May 28th, 2010

Hello,

we are trying to integrate ACS 4.1 and MARS 5.2.
In MARS 5.2 we cannot add ACS 4.x, so we decided to add our ACS 4.1 as ACS 3.x.
But we are not sure if it is working: we simulated a brute-force attack against one of our routers and expected MARS to do something, but we only observed an increasing number of events.

We checked how MARS was receiving messages from ACS 4.1. In the real-time raw events we saw that MARS received the ACS 4.1 events as GENERIC EVENT. Is that correct? Or should we see an event type like AAA EVENT, or something like that?

If MARS receives the events from ACS 4.1 correctly, does this mean there aren't any rules to handle this kind of event?

Thank you very much in advance.
Best regards, Antonello Moneta.

Scott Fringer Fri, 05/28/2010 - 05:11

Antonello;

  CS-MARS will indicate an ACS event is a 'generic event' if there is not a parsing rule for the received event.  If CS-MARS did not correctly parse the event you would see an event similar to 'unknown device event type'.

  As a heads up; CS-MARS release 5.2 is quite old.  Recent versions (6.0.7) support ACS 4.x natively without need for the pnlog agent, as well as contain substantial stability and performance improvements.  You may want to consider upgrading to this release.

Scott

antonello.moneta Fri, 05/28/2010 - 06:48

Scott, thank you very much.

You mean I have to configure a custom parser rule to tell MARS how to use these logs, right?

Is there some best practice or documentation out there that I can use for this task?

We are considering upgrading our system, but it could be difficult.

Thank you again,

bye Antonello.

Scott Fringer Fri, 05/28/2010 - 07:10

Antonello;

  You should not need to create any custom parsers for ACS events.  The development team for CS-MARS has included parsers for the messages which they feel are relevant to the operational aspects of the CS-MARS.

  There is not a 'best practice' document for creating custom parsers, or making use of the information provided by the CS-MARS.  The best place to start for information regarding CS-MARS is:

http://www.cisco.com/go/mars

  Upgrading the CS-MARS from a 5.2 release will be a time consuming process as you will need to install each upgrade in sequence.  However, you should consider performing the upgrades as you will receive not only bug fixes, but new parsers and product version support.

Scott

antonello.moneta Fri, 05/28/2010 - 07:42

Thank you Scott,

I need to understand what the normal behaviour of MARS would be when it receives an auth-failure log from ACS. These kinds of events could be found in the report "Activity: AAA Based Access Failure - All Events", right?

Can you please explain to me in more detail the difference between Generic Event and Unknown Device Event Type?

I hope I am not annoying you; thank you very much, I really appreciate your help.
Antonello.

Scott Fringer Fri, 05/28/2010 - 07:56

Antonello;

  A "Generic Event" will be an event CS-MARS receives, parses, and determines is general in nature and cannot be better utilized for security reporting.

  An "Unknown Device Event Type" will be an event CS-MARS receives but cannot successfully parse.  These messages may be corrected in an upgrade to CS-MARS where development has added additional parsing rules to a specific device type.

  To see the available event types parsed by CS-MARS in regard to ACS, you can navigate to:

MANAGEMENT>Event Management

  In the drop-down above "Device Event ID" choose the appropriate entry for Cisco Secure ACS.

  You will be presented with the CS-MARS event ID and description coupled with the specific device events that parse to the CS-MARS event.  Again, there have been significant enhancements to ACS parsing in the more recent releases of CS-MARS.

Scott
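The three outcomes Scott describes (a device message mapped to a specific event type, a message that parses but is only a "Generic Event", and a message that cannot be parsed at all and becomes an "Unknown Device Event Type") can be illustrated with a small collector of the same shape, together with the kind of threshold rule Antonello expected to fire during his brute-force test. This is an added example written for this page, not CS-MARS or ACS code: the CSV column names, message strings, NAS addresses and the rule's threshold and window are all assumptions, and the sample lines are constructed.

```python
"""Added example, not CS-MARS code: a toy collector that sorts device log
lines into a specific event type, a Generic Event (parsed, but nothing
security-specific to map it to) or an Unknown Device Event Type (could
not be parsed), then runs a threshold rule over the auth failures.
The ACS column names, message strings and rule values are assumptions."""

from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export, loosely modelled on an ACS 4.x CSV log.
# Columns, message types and addresses are invented for this example.
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Authen-Failure-Code,NAS-IP-Address
05/28/2010,10:01:02,Authen failed,admin,CS password invalid,10.1.1.1
05/28/2010,10:01:05,Authen failed,admin,CS password invalid,10.1.1.1
05/28/2010,10:01:07,Authen failed,root,CS user unknown,10.1.1.1
05/28/2010,10:01:09,Authen failed,admin,CS password invalid,10.1.1.1
05/28/2010,10:01:11,Authen failed,cisco,CS password invalid,10.1.1.1
05/28/2010,10:02:00,Authen OK,jsmith,,10.1.1.2
05/28/2010,10:02:30,Service started,,,
this line is not a valid record at all
"""

# Device event -> collector event, in the spirit of the table shown under
# MANAGEMENT > Event Management.  A parsed message with no entry here is
# reported as a Generic Event rather than dropped.
EVENT_MAP = {
    "Authen failed": "AAA Authentication Failure",
    "Authen OK": "AAA Authentication Success",
}
GENERIC = "Generic Event"
UNKNOWN = "Unknown Device Event Type"
TS_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_records(text):
    """Return a list of (event_type, record) for every non-header line.

    A line is UNKNOWN when it does not have the header's field count or its
    Date/Time does not parse; the raw line is kept so nothing is lost.
    """
    lines = text.splitlines()
    header = lines[0].split(",")
    events = []
    for raw in lines[1:]:
        fields = raw.split(",")
        if len(fields) != len(header):
            events.append((UNKNOWN, {"raw": raw}))
            continue
        rec = dict(zip(header, fields))
        try:
            rec["_ts"] = datetime.strptime(f"{rec['Date']} {rec['Time']}", TS_FORMAT)
        except ValueError:
            events.append((UNKNOWN, {"raw": raw}))
            continue
        events.append((EVENT_MAP.get(rec["Message-Type"], GENERIC), rec))
    return events


def summarize(text):
    """Count how many lines landed in each event type (what the real-time
    raw-event view shows as the event distribution)."""
    return dict(Counter(etype for etype, _ in parse_records(text)))


def detect_brute_force(events, threshold=4, window=timedelta(seconds=60)):
    """Sliding-window rule: alert when `threshold` authentication failures
    hit the same NAS within `window`.  Returns (nas, count, iso_timestamp)."""
    recent = defaultdict(list)
    alerts = []
    for etype, rec in events:
        if etype != "AAA Authentication Failure":
            continue
        nas, ts = rec["NAS-IP-Address"], rec["_ts"]
        bucket = recent[nas]
        bucket.append(ts)
        while ts - bucket[0] > window:      # drop failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append((nas, len(bucket), ts.isoformat()))
            bucket.clear()                  # one alert per burst, not per line
    return alerts


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for nas, count, when in detect_brute_force(parse_records(SAMPLE_LOG)):
        print(f"ALERT brute force against {nas}: {count} failures by {when}")
```

Run against the constructed sample, the "Service started" line is the Generic Event (it parses, but the map has no security meaning for it), the malformed last line is the Unknown Device Event Type, and the five failures against 10.1.1.1 trip the rule once. The practical point for the thread is the last step: a device whose messages all arrive as Generic Event will never satisfy a rule keyed on a specific event type, however many of them accumulate.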
