Cisco Support Community

New Member

MARS relay to 3rd party "collector"

We're experimenting with the option to have MARS relay certain syslogs to another box. If we do this, does this kill / bypass the local log parsing / analysis on MARS - i.e. does MARS ignore any logs that are relayed to another system?

5 REPLIES
New Member

Re: MARS relay to 3rd party "collector"

OK - I re-read the docs for 4.3 and 6.0, and it appears that the MARS box will process the logs as per usual, with some other limitations around the relay process. But if anyone cares to confirm this, thanks in advance.

Cisco Employee

Re: MARS relay to 3rd party "collector"

MARS does not ignore the logs it forwards, but there are limitations to the forwarding. Watch your CPU load and be aware that it only forwards syslogs, not RDEP/SDEE IPS logs, Oracle, or RPC-gathered Windows logs.

New Member

Re: MARS relay to 3rd party "collector"

rajett - thank you once again for your prompt replies - much appreciated

New Member

Re: MARS relay to 3rd party "collector"

Hello there, this is related enough to the context of your thread that I am thinking it will be alright to post here. If not, I apologize in advance. My question relates to MARS forwarding logs to a collector running syslog-ng. I am wondering if there is a way to retain the original source IP info in the syslog messages that MARS forwards to the collector? I have tested it and all logs forwarded from MARS to syslog-ng have the source address of the MARS appliance instead of the originating source of the syslog data. Is there any way around this short of having dual syslog servers configured on every Cisco syslog reporting device?

Thanks in advance!

New Member

Re: MARS relay to 3rd party "collector"

I'm sure others (rajett?) will clarify - but fwiw all I can say is that we're probably not going to use the relay feature for that exact reason. I can't see anything in the MARS configs or docs that makes this source IP preservation possible, but I could be wrong of course....
