what sort of reports are you looking for? There are multiple built-in reports to be used, however you can create your own reports to view the events/sessions/incidents. Along with that, you have an option to view the raw events filtered by time/log level from Admin->view backend log.
Thirdly, you can also check in each incident/session the raw events that caused that session/incident by clicking the 0101 box right after the reporting device.
If you could mention the requirements precisely, may be some one could help you accordingly..
OK, I have my sendmail cluster piping syslog to MARS, my Exchange server configured in MARS and our Barracuda Spam Firewall also piping syslog.
The boss calls and says he is missing a very important E-mail that he should have received already. He gives me the E-mail address the message is coming from and about the time he exprected it.
Typically I follow the flow of mail through the servers one at a time looking for it. That means I would in the worst case, log into 4 separate servers to track the message through the system. Not to mention the many times I have to run the searches through syslogs from log file rotation too.
One goal we hoped to accomplish with the centralized logging was to make one place to go do this search as well as any others that would require sifting through syslog data. This scenario I described above happens every day with the size of our organization, and the centralized logging device can easily pay for itself with saving time if this is possible.
Any takers? :-)
Of course I could be asking too much of the MARS product or anything like it. This is my first experience with seriously looking to purchase this type of product for our company.
I also welcome those responses too.
I forgot to mention too that it would be nice to run graphical reports specifically about the amount and sources of E-mail by IP or sender domain. How much the Barracuda deals with one particular domain over another, but beyond the "top-n" type reporting it does.
E-mail flow and details is but one example of what I'm trying to figure out. I don't know about anyone else, but it is also frustrating to know that the MARS box is receiving the Netflow details from my key devices, and I have no way to drill down to details of that information either. At least none that I have found yet. I have only had the MARS box demo for about a week and a half.
Considering my non-experience with mail servers, i would only be able to refer you to some information that might need some testing. You know the main concept behind the analysis is, that, rules are triggered based on the events that are received to MARS in the form of syslog. First of all, you need to filter out the events that are relevant to your situation. I could not see Microsoft Exchange specifically as part of the monitored/reporting device in v 4.3, but i guess a feature of adding your own events in v 6.0 allows you to create customized rules based on your own defined events. Here is the statement from gerry (expert on MARS) on his ask the expert forum...
A new feature coming in 6.0 is the ability to modify/add/delete events and event types on supported devices. Additionally, you'll have the ability to share custom parsers that are created by users, partners, etc.
If Exchange is not there as supported device, you can create or get custom parser from internet for exchange, i am sure some one must have done some thing about it.
Alternatively, you can use also snare for collection of events from your servers and either use snare for viewing purposes or you could also send the logs from snare to MARS for more precise analysis purposes.
Apart from your this scenario, there are multiple useful rules subject to windows & web servers. Again, in Management->Event Management, you can filter events by "Device Event ID", could pick the interested events, and then could create custom rules to get triggered for those particular events only.
My Cisco people finally got back to me with an option for the syslog parsing. The interface is clearly not designed for this purpose if you have to do many different queries, it's more designed to save recurring reporting.
Here was their solution in case anyone needs it.
Go to the query section
Click edit near "query type":
Change the results format in the dropdown to "All matching even Raw messages" (near the bottom) change the timeframe of the query Click Apply
Then go into the keyword query by clicking the "any" under they keyword column and put something like firstname.lastname@example.org or bob@* or whatevery you may be looking for.
Then either run the query or select "Save as a report" if you want to run it frequently.
This worked for finding my information, but didn't really help with summarizing or showing any pretty graphs like you may want to show someone on a regular basis. I played with the different report types, but they all return a lot of data in the MARS display. I was thikning I would have to make them CSV reports and then import them into some other pretty log display program like webalizer or something.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...