I see that MARS allows you to add a custom device, parse its logs and create a new event. But what if I need to add a new event to a known device?
This is a possible scenario:
I have a router 2821 with IOS version 12.4; I registered it as Cisco IOS 12.2. I want to see who, and from which machine, a possible attacker has just failed to get access. From my router I get this log: <188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ciccio ] [Source: 10.xx.xx.xx] [localport: xx] [Reason: Login Authentication Failed] at xxxx
MARS classified this log as "Generic IOS Syslog". So this means the log was parsed by MARS, but did MARS parse what I need? My answer is no! Because I cannot find a way to make a report that gives me the Source address (10.xx.xx.xx) and the user (ciccio). Can you confirm that?
Now, how can I tell MARS: "Look, when you receive this kind of event, parse the Sender IP, Source IP and User name", in the same way I do with custom devices?
I hope I have been clear, sorry for my English. Thank you in advance, best wishes, Antonello.
You could create a report using a keyword query that searches for "SEC_LOGIN-4-LOGIN_FAILED". That report could then provide all matching raw messages which should contain the details you are interested in.
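As an added illustration (not part of the original thread, and not MARS code), the following Python snippet shows what a custom parser for the %SEC_LOGIN-4-LOGIN_FAILED message quoted in the question would have to do: match the keyword, pull out the user, Source address, local port and reason, and then aggregate failures per source so that a report can rank the hosts producing them. The log lines, addresses and ports are constructed test values; the only thing taken from the page is the message format.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines modelled on the format quoted in the question.
# Addresses, ports and timestamps are made-up test values, not real hosts.
SAMPLE_LINES = [
    "<188>1908: May 31 12:34:36.492: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: ciccio ] [Source: 10.0.0.5] [localport: 22] "
    "[Reason: Login Authentication Failed] at 12:34:36 UTC Sat May 31 2008",
    "<188>1909: May 31 12:34:40.101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: admin ] [Source: 10.0.0.5] [localport: 22] "
    "[Reason: Login Authentication Failed] at 12:34:40 UTC Sat May 31 2008",
    "<189>1910: May 31 12:35:01.000: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success "
    "[user: ops ] [Source: 10.0.0.9] [localport: 22] "
    "at 12:35:01 UTC Sat May 31 2008",
]

# The bracketed fields are fixed in order for this message ID, so a single
# anchored pattern is enough; IOS pads the user name with a trailing space,
# which the lazy group plus \s* absorbs.
LOGIN_FAILED_RE = re.compile(
    r"<(?P<pri>\d+)>.*?%SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]*?)\s*\] "
    r"\[Source: (?P<source>[^\]]+)\] "
    r"\[localport: (?P<localport>[^\]]+)\] "
    r"\[Reason: (?P<reason>[^\]]+)\]"
)


def parse_login_failed(line, sender=None):
    """Return a dict of the fields MARS would need for this event, or None
    if the line is not a LOGIN_FAILED message. `sender` is the syslog
    reporting device (known from the UDP packet, not from the text)."""
    m = LOGIN_FAILED_RE.search(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "sender": sender,
        "facility": pri // 8,          # <188> -> local7 (23)
        "severity": pri % 8,           # <188> -> warning (4)
        "user": m.group("user").strip(),
        "source": m.group("source"),
        "localport": m.group("localport"),
        "reason": m.group("reason"),
    }


def failed_logins_by_source(lines, sender=None):
    """Aggregate failures per attacking source: count and distinct users tried."""
    summary = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        event = parse_login_failed(line, sender)
        if event is None:
            continue
        entry = summary[event["source"]]
        entry["count"] += 1
        entry["users"].add(event["user"])
    return dict(summary)


def flag_sources(lines, threshold=3, sender=None):
    """Sources with at least `threshold` failures, the kind of list a
    'failed logins by source' report would surface."""
    summary = failed_logins_by_source(lines, sender)
    return sorted(src for src, e in summary.items() if e["count"] >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_login_failed(line, sender="10.0.0.1"))
    print(failed_logins_by_source(SAMPLE_LINES))
    print(flag_sources(SAMPLE_LINES, threshold=2))
```

The parser deliberately ignores the LOGIN_SUCCESS line (a different message ID with a different field layout), which is the same distinction a keyword query on "SEC_LOGIN-4-LOGIN_FAILED" makes; the difference is that the fields come back structured, so the report can group and threshold on them instead of returning raw text.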