Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Events and other newbie questions

Hi all,

We've just put our MARS box on the network, and added a single solaris server as a device. After doing so, we have "events" on the dashboard page.

What are these events? Where can I go to view them? Can they be acknowledged and deleted, or anything of that nature? I'm reading the user guide, p. 17-8, but it's pretty poor in terms of details about this and most other things for that matter.

How can I verify that our sun box is sending syslog to MARS? Are these the events?

When we added the solaris box, it and the subnet it's on showed up in the hotspot graph and full topo view...was this because of network discovery?

The full topo graph has the MARS, and the two subnets for each interface, as well as this one sun box. The sun box and the subnet it's on are on top of the MARS, how do you pull them apart so it looks cleaner?

Thanks,

Bob

3 REPLIES
Silver

Re: Events and other newbie questions

I'd be glad to help, but you have asked a question that is not easily answered via the forums. If you would like some help, you may call me at 5124394028. Thanks.

Gold

Re: Events and other newbie questions

My understanding of the general concepts is:

an event is a "message" from a reporting device. In your case, it's a syslog message from a solaris box.

a session is usually just a representation of an event. There's more to it than that, for example when NAT occurs the session may show the pre and post NAT information. Conceptually though, it's easier to just think of a session as a representation of an event and I use the terms interchangeably.

as events come in(or are retrieved), they are placed in event type buckets. this is generally called event normalization. This allows CSMARS to put messages that mean the same thing but are from different types of devices into the same event type. for example, a firewall deny message from either a checkpoint firewall or a cisco pix are put into the "Deny packet due to security policy" event type.

event types are further classified as being members of one or more event type groups. for example, the "Deny packet due to security policy" event type is part of the "FirewallPolicyViolation/ALL" event type group (as well as many others). the concept of an event type group is pretty critical. It is another layer of abstraction that allows the rules to remain somewhat static.

So, an "event type" is a collection of "events" and an "event type group" is a collection of "event types".

the default rules that ship with csmars are based entirely on event type groups (although you can add specific event types to rules).

And finally, incidents are the result of a rule firing.

If you want to verify that a reporting device is generating events in CSMARS, run an "all matching events" query for the specific device.

I don't use the topology graphs in csmars, so I have no idea how/if you can change the display.

New Member

Re: Events and other newbie questions

Thanks, that helps. The documentation on this this is poor. Your post is more informative than the manual.

115
Views
0
Helpful
3
Replies
CreatePlease to create content