Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn more about the design and implementation of CS-MARS in enterprise networks with Cisco expert Jazib Frahim. Jazib has been with Cisco Systems for more than six years. He started out as a Technical Assistance Center (TAC) engineer in the LAN switching team. He then moved to the TAC security team, where he was a technical and team leader for the security products. Frahim is currently working as a senior network security engineer in the Worldwide Security Services Practice of Cisco's Advanced Services for Network Security. He is responsible for guiding customers in the design and implementation of their networks with a focus on network security. Frahim holds two CCIEs, one in routing and switching and the other in security. He has written numerous Cisco online technical documents and has presented at Networkers on multiple occasions. He recently authored the book "Cisco ASA, all-in-one firewall, IPS and VPN appliance."
Remember to use the rating system to let Jazib know if you have received an adequate response.
Jazib might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 9, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
It was fortuitous that this Ask the Expert appeared just when I had posted a question on the Cisco Forum that required an expert. Please forgive the redundancy.
Can CiscoWorks redirect syslogs to MARS and will MARS be able to correlate the information? Would this require a Custom Parser and can MARS do this natively?
If MARS cannot do this, is it on the Roadmap?
Thank you in advance!
Is it possible to send syslog/SNMP traps from a Cisco MDS switch running SAN-OS to the MARS appliance?
If not, would you know of any Cisco or non-Cisco alternative?
The Cisco MDS switch is not a supported device.
You need to create a custom parser to add that functionality to MARS.
Hello Paul. Instead of forwarding syslog messages, I would suggest looking into Syslog-NG. Syslog-NG allows you to have multiple clients view the same syslog messages. You would make CiscoWorks LMS and CS-MARS both clients of Syslog-NG. Additionally, I would suggest storing your syslog messages in a database to allow for rapid searches and reporting.
MARS supports syslog relay, so as long as the CiscoWorks server is relaying syslog messages to MARS, it should work.
Hope that helps.
Can you describe any future tie-ins between MARS and the ASA BotNet filter? Will MARS be able to act upon BotNet traffic reported by the ASAs?
Unfortunately, I cannot discuss the MARS future roadmap here. I would suggest discussing it with your account team, as they can provide you with that information.
After reading through the Cisco documentation, I still find it very difficult to setup a custom parser. I see several user contributed packages on NetPro, but they are few and far between. I would like an easier way to create them for my organization. Are there any companies that will write parsers, either free or paid?
You can discuss it with your Cisco account team. They can engage the Cisco Advanced Services team for a paid engagement to assist you.
Hope that helps.
I would just like to dump all the information sent by the reporting device (MDS switch) as free text, i.e. no parsing required. Would I still have to use the MARS Custom Parser for this? If so, how can I use the parser to achieve this?
I also do not want MARS to apply its features to this log, obviously due to the lack of parsed information.
It seems like you just want to use the MARS box as a log server. If you do that, all messages will be marked as unknown event types and you won't be able to run any meaningful reports.
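To show what "unknown event type" means in practice, here is an added example (not Cisco code, and not the MARS custom parser definition format) that applies a few hypothetical parser rules to constructed sample lines in the %FACILITY-SEVERITY-MNEMONIC style an MDS switch emits; lines no rule matches keep the unknown type and carry no fields a report could use.

```python
import re
from collections import Counter

# Constructed sample lines (hostname and addresses are made up) in the
# %FACILITY-SEVERITY-MNEMONIC style used by SAN-OS/NX-OS syslog.
SAMPLE_LINES = [
    "<189>2009 Oct 5 10:02:11 mds-a %PORT-5-IF_UP: Interface fc1/4 is up in mode F",
    "<187>2009 Oct 5 10:02:40 mds-a %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.0.0.5",
    "<188>2009 Oct 5 10:03:02 mds-a %PORT-5-IF_DOWN_LINK_FAILURE: Interface fc1/7 is down (Link failure or not-connected)",
    "<190>2009 Oct 5 10:03:15 mds-a %ZONE-2-ZS_MERGE_FAILED: Zone merge failure, isolating interface fc1/9",
    "free-form text with no recognisable structure",
]

# Message header: optional syslog priority, timestamp, host, then the NX-OS tag.
HEADER = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

# Hypothetical parser rules: an event type name plus the regex that extracts
# the fields that event type reports on. Anything unmatched stays unknown.
RULES = {
    "Port link down": re.compile(r"^Interface (?P<interface>\S+) is down"),
    "Port link up": re.compile(r"^Interface (?P<interface>\S+) is up"),
    "Authentication failure": re.compile(
        r"Authentication failed for user (?P<user>\S+) from (?P<src_ip>[\d.]+)"),
}
UNKNOWN = "Unknown Event Type"

def parse_line(line):
    """Return a dict describing the event; unmatched text keeps the UNKNOWN type."""
    m = HEADER.match(line)
    if not m:
        return {"event_type": UNKNOWN, "raw": line}
    event = {"event_type": UNKNOWN, "raw": line, **m.groupdict()}
    for name, rule in RULES.items():
        r = rule.search(m.group("text"))
        if r:
            event["event_type"] = name
            event.update(r.groupdict())
            break
    return event

def classify(lines):
    """Count event types; the unknown bucket is what MARS could not report on."""
    return Counter(parse_line(line)["event_type"] for line in lines)
```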
This morning my MARS appliance seems to have stopped everything. I cannot access the GUI and when we SSH we can log in but most commands return "No such file or directory". I can look at disk usage (Looks OK) but I cannot even open the help file. "Could not create help file."
I can issue the sysstatus command and everything looks good. 62 total tasks, 1 Running 61 Sleeping, 0 stopped, 0 zombie.
A reboot did nothing.
Is there a quick and dirty recovery command or could it be something else?
I have been backing up the config and logs nightly.
What version of MARS software are you running? There were a few issues in the past, but I'm not sure if you are running into any of them.
Is there any other error message you see on your appliance?
Our MARS is running 6.0.3 - we were able to recover with a physical reboot - but then a similar situation came up about an hour later. We went through the logs but did not see any error messages. It would appear that we only had access to "core" OS commands.
All is good right now, but I'm a little concerned that the next time it may not recover.
I have a MARS-100e and have upgraded to 6.0.3. I've added devices and have monitor=yes. I'm getting some NetFlow data from these devices, but looking at Network Status at Top Sources or Destinations, it doesn't look like I'm seeing all clients or servers. What are some configurations I need to do or look at?
If you are receiving NetFlow data from the layer 3 devices then the MARS just reports on what it receives. Are you sure that the clients/servers you are not seeing are being reported by your layer 3 devices?
I have my 2 cores and several distribution routers reporting, but will check their configs again. Is there a way on MARS to see who is sending the NetFlow info? Does MARS take all the NetFlow info from all reporting devices and combine this into 1 report?
There are many ways to find out if your MARS is getting info from specific devices:
1) Issue the "sh ip flow export" command on the layer 3 devices to see if they are sending flows to MARS
2) If you are saving flow information in the MARS database, you can run specific reports on the reporting device and see if NetFlow information is there
3) Not preferred, but you can use the tcpdump command from the CLI and see if flow exports are being received from specific devices
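As an added illustration of option 3 (not Cisco code, and not how MARS itself decodes flows), the block below decodes NetFlow v5 export datagrams and tallies flow records per exporter address, which is what you would look for in a capture on the port MARS receives NetFlow on (assumed UDP 2055 here). The sample datagram is constructed, so it runs offline; feeding it payloads from a real capture is the reader's own step.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 wire format: 24-byte header followed by 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def build_v5_datagram(flows, seq=0):
    """Construct a sample v5 export packet (test data, not captured traffic).
    flows: (src_ip, dst_ip, src_port, dst_port, proto, packets, octets)."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4,
                       1, 2, pkts, octets, 0, 0, sp, dp, 0, 0, proto, 0,
                       0, 0, 24, 24, 0)
        for (s, d, sp, dp, proto, pkts, octets) in flows)
    return header + body

def parse_v5(data):
    """Decode one export datagram; raise ValueError on anything malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _, _, _, seq, _, _, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("not NetFlow v5 (version field %d)" % version)
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated: header announces %d records" % count)
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "srcport": r[9], "dstport": r[10], "proto": r[13],
                      "packets": r[5], "bytes": r[6]})
    # The low 14 bits of the last header field hold the sampling interval.
    return {"sequence": seq, "sampling": sampling & 0x3FFF}, flows

def exporters_seen(datagrams):
    """Given (exporter_ip, payload) pairs as a UDP listener would collect them,
    count flow records per exporter; malformed payloads are tallied separately."""
    records, malformed = Counter(), Counter()
    for exporter, payload in datagrams:
        try:
            _, flows = parse_v5(payload)
            records[exporter] += len(flows)
        except ValueError:
            malformed[exporter] += 1
    return records, malformed
```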
I have a VPN Concentrator 3030 and need configuration assistance. I just want to know: if I select a link rate lower than the existing link capacity, will it affect the remote users' performance?
Currently link rate is defined 1554kbps.
I would like to use MARS just as a plain logger for the Cisco MDS switch only, since it is not a supported device.
I had tried adding it under "Generic Unknown Router", but it fails to establish connectivity.
Can I use MARS as a free text logger for the Cisco MDS? If so, please advise how.
You should be able to do that by following the steps below:
a) Under "Security and monitor devices", add a device as "Add SW security apps on new host"
b) Configure the device name and the Access/Reporting IP address
c) Under "Logging info" select "Receive"
d) Under "Enter interface information" enter the IP addresses for Eth0 (the interface sending logs)
e) Click Apply and done
We just got our MARS box back from a vendor, and they put a login and password on it that they do not know... they gave me a list of ones they thought it was, but none worked. Is there a password recovery procedure for these?
Yes, there is, but it requires that you reimage the appliance.
Hope this link helps:
I want all Windows event logs to be sent to MARS. Which does Cisco recommend, push or pull? And what would be the prime criteria for picking either one of them?
I would recommend the push model. This is because the MARS is not spending any cycles in contacting each windows box and pulling events.
This is from MARS documentation:
The pull method not only requires system resources for correlating, but also for contacting and pulling the event data from each host. It also operates in a single process, completing the pull from one device before moving to the next. As a result, the pull method may take much longer to cycle through all of the reporting devices as the number of devices grows.
The push method is more efficient in terms of resource utilization on the MARS Appliance and in terms of how quickly the MARS Appliance can be made aware of event data, but it requires that you install and configure the Snare Agent for Windows on the Microsoft Windows host. The Snare Agent pushes event data from the servers to MARS in near real time; when an audit event occurs, the agent sends a syslog message to MARS that details the event. It is also more efficient and timely in that each Snare Agent is able to act independently rather than being bound by a single process as with the pull method.