Hello. Maybe I am missing something, but is there a way to collect and parse logs (specifically security auditing - logins, etc.) from MS SQL Server in MARS? I see that there 'may' be a Snare agent for MS SQL, but I don't know if MARS would recognize the events without a custom parser. Any ideas?
You can collect them, but I don't believe they will be parsed correctly. They [the logins at least] are logged to the application event log. The last time I tested MARS, you COULD NOT configure a reporting device as a Windows host AND custom parse messages. Having them is a good first step I guess. It would be really nice to be able to extend MARS's parsing with custom parsing though. I *think* the next major version of MARS is supposed to fix this somehow.
Thank you for your response. I didn't even think about the fact that I probably can't just 'add' to the host (Windows 2003 server) 'and' create a custom parser for the SQL entries. I am sure that this is still the case. I really hope that this is improved in 6.x.
OK. I just got in this morning and built a 'test' custom parser. It appears that if I make this a software application, I can apply it to my previously defined Windows server and tell it that it will be receiving the information to be parsed via syslog. Does anyone have any experience doing this for SQL Server?
While you can do that, I don't think it will work. At least it didn't work when I tried. As I recall, the problem is that the Windows parser has a "catch-all" parser that maps to "generic windows event". This parser is applied before your custom parser.
OK. I've been trying everything to see if I can get something to work here, but to no avail. It definitely reports it as a 'general windows application log' entry instead of running it through the custom parser. Every attempt to get any assistance through TAC (wondering about the order the devices were processed) yielded 'It is not supported'. Anyway, thank you very much for your input on this and unfortunately, I was not successful.