Windows Servers donot send Llogs to MARS

Unanswered Question
Aug 25th, 2010
User Badges:

I have my Windows server connected with the following configuration but it does not send any logs.

I have atttached the snapshots also

Override detected DNS name with :  ----> The ip address of the server

Destination snare server address : ----> the ip address of the syslog

destination port 514

enable syslog header ---> Yes

Syslog facility --> Syslog

Syslog Priority  ---> Information

One more question when we are adding the server in MARS, On the bottom of the page under Reporting and access Ip address, there is an option

Enter interface information IP address, I have given the ip address of the server at eth0 which is the same ip address  as mentioned in reporting and

access ip address of the server

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Scott Fringer Fri, 08/27/2010 - 05:34
User Badges:
  • Cisco Employee,

Within the CS-MARS configuration did you set the device's 'Logging Info' to "Pull" or "Receive"?


Scott Fringer Tue, 08/31/2010 - 05:24
User Badges:
  • Cisco Employee,

There could be many factors on the local Windows system which impact the performance of the Snare agent.  You would need to monitor the Windows systems and see if they are sending the events when they happen, if they are not the issue is with the operation of Snare. This can be performed by running Wireshark on the Windows host and watching communication between the host and the CS-MARS.

If the messages are being sent when they happen, you need to monitor the CS-MARS and verify they are arriving as expected.  This can be performed by running 'tcpdump' on the CLI of the CS-MARS and monitoring communication between the host in question and CS-MARS.

Depending on where the delay is occurring you would then need to troubleshoot Snare for client-side delays.   If the events are arriving at teh CS-MARS when expected, open a service request witch Cisco TAC to troubleshoot CS-MARS more closely.



This Discussion