Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
3
Replies

Events and other newbie questions

laamidd2003
Level 1
Level 1

‎08-23-2006 09:33 AM - edited ‎03-10-2019 03:11 AM

Hi all,

We've just put our MARS box on the network, and added a single solaris server as a device. After doing so, we have "events" on the dashboard page.

What are these events? Where can I go to view them? Can they be acknowledged and deleted, or anything of that nature? I'm reading the user guide, p. 17-8, but it's pretty poor in terms of details about this and most other things for that matter.

How can I verify that our sun box is sending syslog to MARS? Are these the events?

When we added the solaris box, it and the subnet it's on showed up in the hotspot graph and full topo view...was this because of network discovery?

The full topo graph has the MARS, and the two subnets for each interface, as well as this one sun box. The sun box and the subnet it's on are on top of the MARS, how do you pull them apart so it looks cleaner?

Thanks,

Bob

Labels:
0 Helpful
3 Replies 3

jwalker
Level 3
Level 3

‎08-23-2006 12:45 PM

I'd be glad to help, but you have asked a question that is not easily answered via the forums. If you would like some help, you may call me at 5124394028. Thanks.

0 Helpful

mhellman
Level 7
Level 7

‎08-24-2006 07:58 AM

My understanding of the general concepts is:

an event is a "message" from a reporting device. In your case, it's a syslog message from a solaris box.

a session is usually just a representation of an event. There's more to it than that, for example when NAT occurs the session may show the pre and post NAT information. Conceptually though, it's easier to just think of a session as a representation of an event and I use the terms interchangeably.

as events come in(or are retrieved), they are placed in event type buckets. this is generally called event normalization. This allows CSMARS to put messages that mean the same thing but are from different types of devices into the same event type. for example, a firewall deny message from either a checkpoint firewall or a cisco pix are put into the "Deny packet due to security policy" event type.

event types are further classified as being members of one or more event type groups. for example, the "Deny packet due to security policy" event type is part of the "FirewallPolicyViolation/ALL" event type group (as well as many others). the concept of an event type group is pretty critical. It is another layer of abstraction that allows the rules to remain somewhat static.

So, an "event type" is a collection of "events" and an "event type group" is a collection of "event types".

the default rules that ship with csmars are based entirely on event type groups (although you can add specific event types to rules).

And finally, incidents are the result of a rule firing.

If you want to verify that a reporting device is generating events in CSMARS, run an "all matching events" query for the specific device.

I don't use the topology graphs in csmars, so I have no idea how/if you can change the display.

0 Helpful

laamidd2003
Level 1
Level 1
In response to mhellman

‎08-25-2006 04:24 AM

Thanks, that helps. The documentation on this this is poor. Your post is more informative than the manual.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card