We've just put our MARS box on the network, and added a single Solaris server as a device. After doing so, we have "events" on the dashboard page.
What are these events? Where can I go to view them? Can they be acknowledged and deleted, or anything of that nature? I'm reading the user guide, p. 17-8, but it's pretty poor in terms of details about this and most other things for that matter.
How can I verify that our Sun box is sending syslog to MARS? Are these the events?
When we added the Solaris box, it and the subnet it's on showed up in the hotspot graph and full topo view... was this because of network discovery?
The full topo graph has the MARS, and the two subnets for each interface, as well as this one Sun box. The Sun box and the subnet it's on are on top of the MARS; how do you pull them apart so it looks cleaner?
An event is a "message" from a reporting device. In your case, it's a syslog message from a Solaris box.
A session is usually just a representation of an event. There's more to it than that; for example, when NAT occurs the session may show the pre- and post-NAT information. Conceptually though, it's easier to just think of a session as a representation of an event, and I use the terms interchangeably.
As events come in (or are retrieved), they are placed in event type buckets. This is generally called event normalization. This allows CSMARS to put messages that mean the same thing but are from different types of devices into the same event type. For example, a firewall deny message from either a Check Point firewall or a Cisco PIX is put into the "Deny packet due to security policy" event type.
Event types are further classified as being members of one or more event type groups. For example, the "Deny packet due to security policy" event type is part of the "FirewallPolicyViolation/ALL" event type group (as well as many others). The concept of an event type group is pretty critical. It is another layer of abstraction that allows the rules to remain somewhat static.
So, an "event type" is a collection of "events" and an "event type group" is a collection of "event types".
The default rules that ship with CSMARS are based entirely on event type groups (although you can add specific event types to rules).
And finally, incidents are the result of a rule firing.
If you want to verify that a reporting device is generating events in CSMARS, run an "all matching events" query for the specific device.
I don't use the topology graphs in CSMARS, so I have no idea how/if you can change the display.
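
The chain described in the answer above (event, event type, event type group, rule, incident), as an added Python example that is not part of the original thread and is not CS-MARS code. The sample messages are constructed, and the "Failed login" event type, the "LoginFailure/ALL" group and the threshold rule are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample messages as (reporting device, raw message).
SAMPLE_EVENTS = [
    ("pix-fw", '%PIX-4-106023: Deny tcp src outside:203.0.113.7/4431 '
               'dst inside:10.1.1.5/22 by access-group "outside_in"'),
    ("cp-fw", "action=drop src=203.0.113.7 dst=10.1.1.9 proto=tcp service=23"),
    ("sun-box", "sshd[412]: Failed password for root from 203.0.113.7 port 4432 ssh2"),
    ("pix-fw", '%PIX-4-106023: Deny tcp src outside:203.0.113.7/4433 '
               'dst inside:10.1.1.5/23 by access-group "outside_in"'),
]

DENY = "Deny packet due to security policy"
# Normalization: device-specific patterns map to a common event type.
NORMALIZERS = [
    (re.compile(r"%PIX-\d-106023: Deny \w+ src \w+:(?P<src>[\d.]+)/"), DENY),
    (re.compile(r"action=drop src=(?P<src>[\d.]+)"), DENY),
    (re.compile(r"Failed password for \S+ from (?P<src>[\d.]+)"), "Failed login"),  # assumed name
]

# Each event type belongs to one or more event type groups.
EVENT_TYPE_GROUPS = {
    DENY: {"FirewallPolicyViolation/ALL"},
    "Failed login": {"LoginFailure/ALL"},  # assumed group name
}

def normalize(device, message):
    """Return the normalized event, or None if no pattern recognizes the message."""
    for pattern, event_type in NORMALIZERS:
        match = pattern.search(message)
        if match:
            return {"device": device, "src": match.group("src"),
                    "event_type": event_type, "groups": EVENT_TYPE_GROUPS[event_type]}
    return None

def run_rule(events, group, threshold):
    """Assumed rule: one incident per source with >= threshold events in the group."""
    counts = Counter(e["src"] for e in events if group in e["groups"])
    return [{"group": group, "src": src, "count": n}
            for src, n in sorted(counts.items()) if n >= threshold]

def demo():
    events = [e for e in (normalize(d, m) for d, m in SAMPLE_EVENTS) if e]
    return events, run_rule(events, "FirewallPolicyViolation/ALL", 3)

if __name__ == "__main__":
    print(demo()[1])
```

The rule matches on the group, so the PIX and Check Point denies count toward the same incident even though their raw formats differ.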