I am not clear on the outcome you are requesting assistance in implementing. In most instances, CS-MARS simply presents the raw syslog message as received from the reporting in the output of any query with with a result format of "All Matching Event Raw Messages".
If you are asking how to format a reporting devices syslog messages to be successfully received and parsed by CS-MARS, there are two possibilities:
- select the correct device/software details when adding the device to the CS-MARS "Security and Monitor Device List"; this ensure CS-MARS will correctly parse the received syslog message. This is covered in the Configuration Guide for CS-MARS release 6.0:
- use the Device Support Framework to create a custom parser for a device not natively supported by CS-MARS. This is covered in the User Gudie for CS-MARS release 6.0:
Thank for your user guide. May I know how to extract the detailed message (raw data) according to the incident ID?
If you click the Incident ID you should be brought to a view of the rule (at the top) that triggered the incident along with the session data (at the bottom) that matched the rule. Within this event data, you should see the name of the device that provided the event. Next to/under the device name should be an icon of a page with '0101' across it. If you click this page, a pop-up window should open that displays the raw message that was received from the reporting device.
I follow the steps on the link below:
under content: Create Device Event Types for a Custom Device Type
I still cannot see the raw data message. Do i need to map the template to the IP address for the device?
After step 9, Once the log template is defined and submitted, you must define a reporting device based on the custom device.
How to define a reporting device based on the custom device?
You need to add a reporting device to CS-MARS as usual; navigate to:
ADMIN>System Setup>Security and Monitor Devices
In the "Device Type:" drop-down list, choose your newly created custom device. If the device you created is a software-based device, you will first need to choose one of the two options "Add SW security apps on new host" or "Add SW security apps on exiting host". The full process is outlined here:
If that device is the existing device, can i create a new device with same IP and apply that template that i create to that new device?
Need your help here again. How to monitor those inactive cs-mars reporting device? Is there any function need to be activated?
As long as the devices are configured in 'Security and Monitor Devices, CS-MARS will monitor for inactivity (no events received in the previous one hour period).
The devices are configured in 'Security and Monitor Devices.If there is no events received in the previous one hour period ( The following device has not reported events to MARS in 3600 seconds.), it should not reflect as an incident. It is not considered as a problem. Am i right to say that?
CS-MARS should create a green severity incident titled,"Inactive CS-MARS
reporting device" for all configured Security and Monitor devices from
which it has not received any raw messages in the previous one hour period.
I have 1 network device which usually will trigger the red incident to the Cisco Mars. Suddenly, it doesn't send out any syslogs to Cisco Mars anymore. There is no changes on the whole network and the Cisco Mars is still able to discover this device by sending the snmp traffic. What could be the reason to cause it happen and any settings is configured wrongly on Cisco Mars?
If there are no events arriving at the CS-MARS, the issue may be with
the reporting device. You will need to confirm that the device is
sending the expected events to the CS-MARS.
This can normally be monitored from the CS-MARS CLI using tcpdump:
You should see output of events arriving from the device. If there are
no events arriving, the issue is with the reporting device. If you see
events arriving at the CS-MARS, the issue is with the CS-MARS. Further
troubleshooting would most likely require a service request be opened
To prevent the loss of configuration after rebooting the cisco mars, may i know know is there any commands to save the configuration from putty session?
There is no method to list the configuration in a human-readable format for capture in a PuTTY log session.
In CS-MARS release 6.x, you can make use of the pnexport facility to manually export the configuration (and/or data) to a NFS or SFTP server. The pnexp shell is outlined here:
It is advisable to configure data archiving on your CS-MARS. Data archiving provides protection for both the CS-MARS configuration as well as the data stored on the CS-MARS. You can read more about data archiving here:
If i don't have NFS or SFTP server, is there any ways to make sure the configuration is still there after reboot? Is there any commands like "#write me" (save configuration on cisco router and cisco switch) on Cisco Mars?
There is no equivalent on the CS-MARS to the IOS "wr mem" command. By submitting and activating changes via the CS-MARS GUI, the configuration will be stored and reloaded post-reboot.
Data archiving/exporting are available to restore to a known good point should hardware be replaced via RMA. I would recommend making the time/effort investment in establishing data archiving on your CS-MARS.
Is the anyway to download the signature update for Cisco mars from Cisco website? Do you have the link? Does it require downtime when upload the signature update to the Mars device?
You can configure CS-MARS to retrieve the IPS signature updates directly from cisco.com as outlined here:
If you want to host the IPS signature updates on your own server, you can download them here:
The same link provided above describes hosting the signature updates on a local server.
I would like to do the update from Local Server. Any ideas how to setup the local server? Do I need to setup the server with IIS (Internet Information Services) ?
You will need to setup a web server of some type, IIS is one potential option. From the previous link I provided:
"You can specify a local server using the following example https://myserver.com/cs-mars-ips.zip"
That example is from the configuration guide, it is not intended to download; it is only showing the possible URL you would configure in your CS-MARS. You need to setup all of the requisite server components within your network.
All received events are stored in the CS-MARS database.
From the CS-MARS CLI, you can check the current status of the database, as well as when data will be purged by issuing the following command
How many event logs Cisco Mars is able to capture per sec?
Under the the Mars CLI with command "diskusage", which filesystem is used to store the raw data?
File system Mount On