Mars add a custom event to known device

Unanswered Question
Jun 1st, 2010

Hello,

I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?

This is a possible scenario:

I have a 2821 router with IOS version 12.4; I registered it as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to gain access.
From my router I get these logs:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx

MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no! Because I cannot find a way to make a report that shows me the Source address (10.xx.xx.xx) and the user (ciccio). Can you confirm that?

Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?

I hope I have been clear, sorry for my English.
Thank you in advance, best wishes, Antonello.

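The parsing Antonello is asking MARS to do can be shown outside MARS. The following is an added example, not code from the thread and not part of CS-MARS or Cisco IOS: it parses the IOS syslog layout of the quoted message (PRI, sequence number, timestamp, %FACILITY-SEVERITY-MNEMONIC, then bracketed key/value fields), pulls out the Source IP, user, port and reason for SEC_LOGIN-4-LOGIN_FAILED, and builds the per-source/per-user count that the poster wants in a report. The log lines are constructed (the xx placeholders replaced with documentation addresses), and the "sender IP" is an assumption: the body of an IOS message does not carry it, so it is passed in as the address the syslog packet came from, which is how a collector would know it.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Layout of a Cisco IOS syslog message as quoted in the question:
#   <PRI>SEQ: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: message text
IOS_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<seq>\d+): "
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# Bracketed fields such as "[user: ciccio ]" or "[Source: 10.0.0.25]";
# surrounding whitespace inside the brackets is dropped.
FIELD_RE = re.compile(r"\[(?P<key>[A-Za-z]+):\s*(?P<value>[^\]]*?)\s*\]")


@dataclass
class LoginFailure:
    sender_ip: str        # device that sent the syslog (assumed: the packet's source address)
    source_ip: str        # machine the failed login came from ([Source: ...])
    user: str             # [user: ...]
    local_port: str       # [localport: ...]
    reason: str           # [Reason: ...]
    timestamp: str        # device timestamp as printed
    seq: int              # IOS sequence number
    syslog_facility: int  # PRI // 8 (23 = local7 for the quoted <188>)
    syslog_severity: int  # PRI % 8 (4 = warning, matching the -4- in the mnemonic)


def parse_ios_syslog(raw: str) -> Optional[dict]:
    """Generic parse of any IOS syslog line; None if the layout does not match."""
    m = IOS_SYSLOG_RE.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"] = {k.lower(): v for k, v in FIELD_RE.findall(rec["text"])}
    return rec


def parse_login_failed(raw: str, sender_ip: str) -> Optional[LoginFailure]:
    """Extract the fields the question asks for; None for any other event type."""
    rec = parse_ios_syslog(raw)
    if rec is None or rec["facility"] != "SEC_LOGIN" or rec["mnemonic"] != "LOGIN_FAILED":
        return None
    f = rec["fields"]
    pri = int(rec["pri"])
    return LoginFailure(
        sender_ip=sender_ip,
        source_ip=f.get("source", ""),
        user=f.get("user", ""),
        local_port=f.get("localport", ""),
        reason=f.get("reason", ""),
        timestamp=rec["ts"],
        seq=int(rec["seq"]),
        syslog_facility=pri // 8,
        syslog_severity=pri % 8,
    )


def failures_by_source_and_user(events: Iterable[LoginFailure]) -> List[Tuple[Tuple[str, str], int]]:
    """The report the poster wants: failed logins counted per (source ip, user), most first."""
    return Counter((e.source_ip, e.user) for e in events).most_common()


# Constructed sample: (sender address, raw line). Values stand in for the xx placeholders.
SAMPLE_LINES = [
    ("192.0.2.1", "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                  "[user: ciccio ] [Source: 10.0.0.25] [localport: 22] "
                  "[Reason: Login Authentication Failed] at 12:34:36 UTC Mon May 31 2010"),
    ("192.0.2.1", "<188>1909: May 31 12:34:41.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
                  "[user: ciccio ] [Source: 10.0.0.25] [localport: 22] "
                  "[Reason: Login Authentication Failed] at 12:34:41 UTC Mon May 31 2010"),
    ("192.0.2.1", "<189>1910: May 31 12:35:02.330: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
                  "[user: admin] [Source: 10.0.0.7] [localport: 22] at 12:35:02 UTC Mon May 31 2010"),
    ("192.0.2.1", "<187>1911: May 31 12:36:00.000: %LINK-3-UPDOWN: "
                  "Interface GigabitEthernet0/1, changed state to down"),
]


def sample_failures() -> List[LoginFailure]:
    """Run the parser over the constructed lines and keep only the failed logins."""
    parsed = (parse_login_failed(raw, ip) for ip, raw in SAMPLE_LINES)
    return [e for e in parsed if e is not None]


if __name__ == "__main__":
    for (src, user), n in failures_by_source_and_user(sample_failures()):
        print(f"{n} failed login(s) for user {user!r} from {src}")
```

The generic `parse_ios_syslog` is what MARS's "Generic IOS Syslog" classification corresponds to: it recognises the envelope of every IOS message but knows nothing about the bracketed fields of any particular one. The mnemonic-specific `parse_login_failed` is the extra step Antonello is asking for, and it is also the check a collector should keep: messages with a different facility or mnemonic are rejected rather than half-parsed, and a missing bracket field yields an empty string instead of an exception.
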
Scott Fringer Tue, 06/01/2010 - 05:01

Antonello;

  CS-MARS release 6.0 allows for extending an existing device parser with your own event types.  You can find out more here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

  You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED".  That report could then provide all matching raw messages which should contain the details you are interested in.

Scott
