Mars add a custom event to known device

Jun 1st, 2010

Hello,

I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?

This is a possible scenario:

I have a 2821 router with IOS version 12.4, and I register it as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to log in.
From my router I get these logs:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx

MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no, because I cannot find a way to make a report that reports the Source address (10.xx.xx.xx) and the user (ciccio). Can you confirm that?

Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?

I hope I have been clear; sorry for my English.
Thank you in advance, best wishes, Antonello.

Scott Fringer (Cisco Employee) Tue, 06/01/2010 - 05:01

Antonello;

CS-MARS release 6.0 allows for extending an existing device parser with your own event types. You can find out more here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED". That report could then provide all matching raw messages, which should contain the details you are interested in.

Scott
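As an added example (not from this thread and not CS-MARS code), here is a small Python parser that pulls the user, Source, localport and Reason fields out of %SEC_LOGIN-4-LOGIN_FAILED messages of the shape quoted in the question and counts failures per source/user pair, which is the step the keyword-query report above still leaves to the reader; the sample log lines, addresses and user names below are constructed.

```python
import re
from collections import Counter

# Regex for the IOS %SEC_LOGIN-4-LOGIN_FAILED message as quoted in the question.
# Group names follow the bracketed labels in that message; whitespace inside the
# brackets (e.g. "[user: ciccio ]") is tolerated and stripped.
LOGIN_FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED:\s*Login failed"
    r"\s*\[user:\s*(?P<user>[^\]]*?)\s*\]"
    r"\s*\[Source:\s*(?P<source>[^\]]*?)\s*\]"
    r"\s*\[localport:\s*(?P<localport>[^\]]*?)\s*\]"
    r"\s*\[Reason:\s*(?P<reason>[^\]]*?)\s*\]"
    r"\s*at\s*(?P<when>.*)$"
)

def parse_login_failed(line):
    """Return the fields of one LOGIN_FAILED syslog line as a dict, or None if the line is not one."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}

def failures_by_source_and_user(lines):
    """Count LOGIN_FAILED events per (source IP, user) pair; unrelated IOS messages are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_login_failed(line)
        if ev:
            counts[(ev["source"], ev["user"])] += 1
    return counts

# Constructed sample messages (addresses, ports and users are made up for this example).
SAMPLE_LOG = [
    "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:36 UTC Mon May 31 2010",
    "<188>1909: May 31 12:34:40.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:40 UTC Mon May 31 2010",
    "<189>1910: May 31 12:35:02.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "<188>1911: May 31 12:36:11.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin ] [Source: 10.0.0.7] [localport: 23] [Reason: Login Authentication Failed] at 12:36:11 UTC Mon May 31 2010",
]

if __name__ == "__main__":
    # Most frequent source/user pair first, the view the original report could not give.
    for (src, user), n in failures_by_source_and_user(SAMPLE_LOG).most_common():
        print(f"{src:<12} {user:<10} {n} failed login(s)")
```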
