I see that MARS allow you add a custom device, parse its logs and create a new event. But what about if I need to add a new event to known device ?
This a possible scenario:
I have a router 2821 with 12.4 IOS version, I register it like Cisco IOS 12.2. I want to see who and from which machine an possible attacker has just failed the access.
From my router I get this logs:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx
MARS classified this log like "Generic IOS Syslog". So this is means this log was parsed by MARS, but MARS parsed what I need ? My answer is no! Because I cannot find a way to make a report which report me the Source address (10.xx.xx.xx) and user(ciccio). Can you confirm that ?
Now, how I can tell to MARS: "Look when you receive this kind of events, parser Sender ip, Source ip and User name? In the same way I do with custom devices.
I hope I have been clear, sorry for my English.
Thank you in advence, best wishes Antonello.