Forwarding Cisco Logs to another Server

thundercisco · ‎11-01-2011

Hi,

Is it possible to forward all MARS logs to another server. Issue is that we already have cisco mars and now we have implememted splunk. So instead of change logging device on all equipments i need to forward logs to splunk server.

If possible how?

Cheers

GT

mikecrowe4ICS_2 · ‎11-01-2011

GT --

It's possible to configure MARS to act as a syslog relay, but there are some limitations. The relay feature is covered in Chapter 3 of the "User Guide for CS-MARS Local and Global Controllers".

Specifically, check the section titled "Syslog Relay Support". Some of the information that starts the section:

The Local Controller can now act as a relay; it processes the incoming syslog messages locally before it forwards them to the designated collector. The destination port number is 514 for incoming and relayed syslog messages. MARS adheres to RFC 3164: The BSD syslog Protocol while relaying the syslog messages with the following exceptions:

•MARS can only forward to a single collector IP address.

•Because MARS supports exactly one collector, you cannot specify that events originating from one device address be forwarded to one collector while those originating from a different device address are forwarded to a different collector. All events are forwarded to the same collector.

•Forwarded syslog can be up to 1024 bytes in length. Logs longer than 1024 bytes are truncated.

It also mentions that the configuration has to be done through the CLI, not the web GUI.

Good luck!

-- Mike