Mars add a custom event to known device

Hello,

I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?

This is a possible scenario:

I have a router 2821 with IOS version 12.4, which I registered as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to log in.
From my router I get these logs:
<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx

MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no! Because I cannot find a way to make a report that shows me the Source address (10.xx.xx.xx) and user (ciccio). Can you confirm that?

Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?

I hope I have been clear, sorry for my English.
Thank you in advance, best wishes, Antonello.

1 REPLY
Cisco Employee

Re: Mars add a custom event to known device

Antonello,

CS-MARS release 6.0 allows for extending an existing device parser with your own event types. You can find out more here:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html

You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED". That report could then provide all matching raw messages, which should contain the details you are interested in.

Scott
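To show what a custom parser for this message has to extract, here is an added example (not from the original thread and not MARS code): it parses %SEC_LOGIN-4-LOGIN_FAILED lines in the format quoted in the question into sender, source IP, user and reason, and builds the "who failed from where" report the question asks for. The sample log lines, the sender address 192.0.2.1 and the threshold are constructed for the example; the sender IP is passed in separately because it comes from the syslog transport, not from the message text.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the %SEC_LOGIN-4-LOGIN_FAILED message
# quoted in the question; users, addresses, ports and trailing timestamps are made up.
SAMPLE_LOGS = [
    "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:36 UTC Sat May 31",
    "<188>1909: May 31 12:34:41.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:34:41 UTC Sat May 31",
    "<189>1910: May 31 12:35:02.300: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "<188>1911: May 31 12:35:10.770: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:35:10 UTC Sat May 31",
    "<188>1912: May 31 12:36:00.004: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin ] [Source: 10.0.0.9] [localport: 23] [Reason: Login Authentication Failed] at 12:36:00 UTC Sat May 31",
]

# <PRI>seq: timestamp: %FACILITY-SEVERITY-MNEMONIC: text [key: value] ...
LOGIN_FAILED_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<seq>\d+): (?P<ts>.+?): %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<port>[^\]]+)\] \[Reason: (?P<reason>[^\]]+)\]"
)


def parse_login_failed(line, sender_ip):
    """Extract the fields the generic IOS parser does not expose, or None if the
    line is some other IOS message. sender_ip is the router that sent the packet."""
    m = LOGIN_FAILED_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))  # syslog PRI = facility * 8 + severity
    return {
        "sender": sender_ip,
        "facility": pri // 8,
        "severity": pri % 8,  # should agree with the 4 in %SEC_LOGIN-4-...
        "user": m.group("user").strip(),  # IOS leaves a space before the ']'
        "source": m.group("source"),
        "localport": m.group("port"),
        "reason": m.group("reason"),
    }


def failed_logins_by_source(lines, sender_ip, threshold):
    """Count failures per (source IP, user) and keep pairs at or above threshold."""
    events = (parse_login_failed(l, sender_ip) for l in lines)
    counts = Counter((e["source"], e["user"]) for e in events if e is not None)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_LOGS, "192.0.2.1", 3))
```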
