I have a Cisco MARS Local Controller running on version 6.0.8 (3428). I have configured the devices to send syslog messages to MARS, but MARS is not receiving any syslog messages and the syslog service is not running in MARS. Can anybody help on this issue?
When you say "syslog service is not running in MARS", how did you verify that? Did you run the "pnstatus" command at the CLI?
Also, you didn't mention whether you've added the devices as "reporting devices" in MARS. When they're added in MARS, it will try to connect to the devices to discover them. This might help indicate if there's a connectivity issue between MARS and the devices, which might prevent logs from being delivered as well.
I have run the pnstatus and all services are running, except syslog. I can also see a service named securesyslog, but when I am doing a port scan on the MARS IP I can't see the port 514 open. And during the discovery process MARS discovered the devices, but all the devices that I have added in MARS are shown as "Inactive CS-MARS reporting device".
Well, there's no service actually named "syslog" on a running MARS appliance. I think that incoming syslogs are handled by the "pnparser" process. You can read more details in the "MARS Initial Configuration and Upgrade Guide", under "List of Backend Services and Processes".
Can you upload the output of the pnstatus command from your appliance?
> a service named securesyslog
This is the process that handles encrypted syslogs, say for an ASA. This is essentially standard syslog, but encrypted in transport using certificates. The port for secure syslog is TCP/1470.
> doing a port scan on the MARS IP I can't see the port 514 open
That's normal. On a standard scan, the only port that will be reported "open" is TCP/22 for SSH.
*edited to change command to "pnstatus", not "pnparser", but you figured that out already
Yes, I forgot to mention that I have configured the logging source interface and it is matching with the Reporting IP configured in MARS. Is there any limitation for the local controller to process syslog messages? I am not having the global controller at all.