Mars add a custom event to known device

Hello,

I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?

This is a possible scenario:

I have a 2821 router with IOS version 12.4; I registered it as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to gain access.
From my router I get these logs:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx

MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no, because I cannot find a way to make a report that shows me the Source address (10.xx.xx.xx) and the user (ciccio). Can you confirm that?

Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?

I hope I have been clear, sorry for my English.
Thank you in advance, best wishes, Antonello.

1 Reply

Scott Fringer
Cisco Employee

Antonello;

CS-MARS release 6.0 allows for extending an existing device parser with your own event types. You can find out more here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED". That report could then provide all matching raw messages which should contain the details you are interested in.

Scott
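The message quoted in the question can be parsed directly, which is what the request to "parse the Source IP and User name" amounts to, and it is the same raw text that the keyword report in the reply would return. The following Python is an added example, not code from this thread and not part of CS-MARS: it matches the %SEC_LOGIN-4-LOGIN_FAILED message shape shown above, pulls out the bracketed fields, decodes the syslog <PRI> prefix into facility and severity, and counts failures per (user, source) pair. The sample lines, the 192.0.2.x and 198.51.100.x source addresses, the local ports and the timestamps are constructed for the example. The syslog sender address is not part of the message text (it is the UDP packet source), so it is not parsed here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Pattern for the IOS %SEC_LOGIN-4-LOGIN_FAILED message as quoted in the thread.
# The optional <PRI> prefix is captured; everything between it and the mnemonic
# (sequence number, timestamp, optional hostname) is skipped so the pattern also
# accepts lines a relay has reformatted. Bracketed fields are captured by name.
LOGIN_FAILED_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?[^%]*"
    r"%SEC_LOGIN-4-LOGIN_FAILED:\s+Login failed"
    r"\s*\[user:\s*(?P<user>[^\]]*?)\s*\]"
    r"\s*\[Source:\s*(?P<source>[^\]]*?)\s*\]"
    r"\s*\[localport:\s*(?P<localport>[^\]]*?)\s*\]"
    r"\s*\[Reason:\s*(?P<reason>[^\]]*?)\s*\]"
    r"(?:\s+at\s+(?P<at>.*?))?\s*$"
)


@dataclass(frozen=True)
class LoginFailed:
    user: str
    source: str
    localport: str
    reason: str
    facility: Optional[int]  # from <PRI>: PRI // 8 (23 == local7 on IOS by default)
    severity: Optional[int]  # from <PRI>: PRI % 8 (4 == warning, matching the -4- in the mnemonic)
    raw: str


def parse_login_failed(line: str) -> Optional[LoginFailed]:
    """Return the parsed fields for a LOGIN_FAILED message, or None for any other line."""
    m = LOGIN_FAILED_RE.match(line.strip())
    if not m:
        return None  # a different IOS message, or a malformed one: not our event
    pri = m.group("pri")
    facility = int(pri) // 8 if pri is not None else None
    severity = int(pri) % 8 if pri is not None else None
    return LoginFailed(
        user=m.group("user"),
        source=m.group("source"),
        localport=m.group("localport"),
        reason=m.group("reason"),
        facility=facility,
        severity=severity,
        raw=line,
    )


def count_failures_by_user_and_source(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Aggregate failed logins per (user, source) pair; non-matching lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_login_failed(line)
        if ev is not None:
            counts[(ev.user, ev.source)] += 1
    return dict(counts)


# Constructed sample input: three failed logins in the quoted format plus one
# unrelated IOS message that the parser must skip. Addresses are from the
# documentation ranges, not real hosts.
SAMPLE_LINES = [
    "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: ciccio ] [Source: 192.0.2.10] [localport: 22] "
    "[Reason: Login Authentication Failed] at 12:34:36 UTC Sat May 31 2008",
    "<188>1909: May 31 12:34:41.103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: ciccio ] [Source: 192.0.2.10] [localport: 22] "
    "[Reason: Login Authentication Failed] at 12:34:41 UTC Sat May 31 2008",
    "<188>1910: May 31 12:35:02.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: admin ] [Source: 198.51.100.7] [localport: 23] "
    "[Reason: Login Authentication Failed] at 12:35:02 UTC Sat May 31 2008",
    "<189>1911: May 31 12:35:20.010: %SYS-5-CONFIG_I: Configured from console by vty0 (192.0.2.10)",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_login_failed(line)
        if ev is not None:
            print(f"user={ev.user!r} source={ev.source} port={ev.localport} "
                  f"facility={ev.facility} severity={ev.severity} reason={ev.reason!r}")
    for (user, source), n in sorted(count_failures_by_user_and_source(SAMPLE_LINES).items()):
        print(f"{n} failed login(s) for user {user!r} from {source}")
```

Feeding the raw messages from a keyword report into `count_failures_by_user_and_source` gives the per-user, per-source view the question asks for; the lazy `[^\]]*?` groups together with the `\s*\]` that follows them absorb the stray space before `]` that the quoted message shows after the user name.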
