When we tried our MOM integration we ran into a 512 string limitation in the MARS which makes MOM integration extremely difficult. The last I heard the fix was unconfirmed for 08. My question is concerning syslog forwarded from an Exchange server straight to MARS. Will we have the same event truncation issue if the Exchange server syslogs (via Snare) are larger than 512 bytes? We already planned on doing custom parsing for those events; is there anything we can do to make it work if the events are larger than the string limit?
I was told by Cisco a long time ago that this would be fixed. Certainly 1024 bytes would have been a more appropriate limitation. I believe this is the syslog protocol max size, or it was at one time. That is the default Snare limit. They are too busy slapping in mom-and-pop features to fix the big stuff (my apologies to mom-and-pop).
Have you tried the custom parser? I've been meaning to test this but just haven't had time. I suppose it is possible that the parser works on the entire message (or at least some larger piece of it).
We heard it was slated for 4.2; however, that obviously didn't make it in :). I believe the 512 limit is an old protocol limit and several syslog implementations handle larger messages.
We have not tried the custom parser yet. However, I was told that the truncation of the message happens BEFORE parsing begins. So if we lost the important data the parsing would be useless. However, we will probably try anyway.