Silver

MARS Support for Windows 2008 Server

Does anyone have any experiences they could share regarding Win 2008 server and MARS 6.0.1?

I know it is not part of any drop down menus in MARS but am interested if we can go ahead and use the Win2003 drop down selection.

Thanks.

Accepted Solutions
Cisco Employee

Re: MARS Support for Windows 2008 Server

Hi Paul

You can configure MARS to pull the events directly from Windows 200x; you don't need to install SNARE to pull the events from MARS.

Please refer to the URL below for more detail on pulling the events from Windows:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgHost.html

5 REPLIES
Cisco Employee

Re: MARS Support for Windows 2008 Server

Yes, you can add it as Windows 2003.

Silver

Re: MARS Support for Windows 2008 Server

Hi Krishnan!

Many thanks for the answer.

The SNARE agent doesn't support Win 2008. What do you suggest for sending the logs to MARS? Are the Windows logs normalized enough for MARS to sessionize?

Thanks.

New Member

Re: MARS Support for Windows 2008 Server

I use an application made by Datagram called Syslog Agent that works really well. I actually prefer it over SNARE. It's easy to configure and has more options, such as exporting text log files and configuring via the registry. The link to download is http://www.syslogserver.com/syslogagent_setup.exe. I have used this on 2008 without any issues.

Cisco Employee

Re: MARS Support for Windows 2008 Server

Hi

If Windows 2008 can support SNARE, I don't think MARS will have any issues normalizing it. I am not sure whether MARS parses (normalizes) the events coming from Windows 2008 that come from agents other than SNARE.

However, if the format of the events coming from the Syslog Agent is the same as that of the SNARE agent, then it should parse them.

Regards

R.Krishnan
