Cisco Support Community


Custom rule on keywords from windows syslog

Hi Guys,

I have a MARS 50 that was running 4.3.2 and was recently upgraded to 4.3.6. We've been using custom rules that fire on seeing specific keywords in these events: Generic Windows system event log, Generic Windows security event log, Generic Windows application event log. All these events are from Windows servers sending syslog via Snare.

The problem is that if I query the MARS using the EXACT same criteria as the custom rule, I get thousands of events for the same time period in which I get only a few hundred events from the custom rule.

I've made sure that my criteria for the query and the rules are exactly the same each time. I have tried making new custom rules where there was only one keyword to make sure it was very simple. I've tried disabling all custom rules so only one is on at a time. None of this has shed light on why a rule with the same criteria as a query would return maybe 10% of the results as the query. The issue existed in the old 4.3.2 code too, BTW.

I spoke to TAC about this and they are still looking into it and say it may be a new bug. It is hard for me to believe that I'm the first person that has a custom rule that alerts on a keyword in a windows syslog event.

Anyone else experience this issue?




Re: Custom rule on keywords from windows syslog

Yes, this is a bug. Custom Column Query filtered by reporting device missing results
