Cisco Support Community
New Member

SYSLOG managers for CS-MARS

Hi all,

I have a question about “syslog” and “cisco mars”.

We have the Snare Event Reporter for sending syslog to CS-MARS. I would like to know if there is other software compatible with the appliance ...

I know there is another similar event handler which is called "event reporter".

And I would like to confirm if this is compatible with CS-MARS; if not, please could you tell me if there is any other software I can work with?

Thank you in advance and best regards.

2 REPLIES
New Member

Re: SYSLOG managers for CS-MARS

You can use any syslog exporter out there, but the problem is when the log is received by MARS, if MARS can parse it or not. MARS is looking for specific fields for data and if they are not there, it will just log the message as Unknown Event Type.

I had this issue when I got MARS up and running in my company. I had Datagram Syslog Agent installed on a lot of servers, which is way better than SNARE, but MARS wouldn't recognize the message. Look below for an example of a log message, one sent with Syslog Agent and the other with SNARE. After I saw the difference between the two messages, it was obvious why Syslog Agent was not working for me.

Since then, I have had to start rolling out SNARE to all my servers. It's possible to create a custom parser for MARS to accept a different format, but it seemed much easier to just switch over to SNARE.

Syslog Agent

12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort abortedFor more information, see Help and Support Center athttp://www.mysql.com.

SNARE

12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted For more information, see Help and Support Center at http://www.mysql.com. <009>17
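The structural difference between the two messages above, as an added example that is not part of the original thread and is not MARS's parser: a Python check that splits the tab-delimited SNARE payload into fields and rejects a line that lacks them. The field labels and function names are assumptions made for this example, and the samples are the lines from the reply with the trailing help text dropped.

```python
import re

# Field labels are names assumed for this example, read off the SNARE sample
# in the reply; they are not MARS's or SNARE's own identifiers.
FIELDS = ["criticality", "event_log", "snare_counter", "submit_time",
          "event_id", "source", "user", "sid_type", "event_type",
          "computer", "category", "data", "message", "log_counter"]
TAG = "MSWinEventLog"
# The log viewer in the reply shows the tab delimiter as the text "<009>".
DELIM = re.compile(r"\t|<009>")

AGENT_SAMPLE = (r"12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 "
                r"x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems"
                r"\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted")
SNARE_SAMPLE = (r"12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 "
                r"x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>"
                r"Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User"
                r"<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>"
                r"C:\Program Files\Cisco Systems\Cisco IPS Manager Express"
                r"\MYSQL\bin\mysqld-nt: Sort aborted <009>17")


def parse_snare(line):
    """Return the SNARE fields as a dict, or None when the tag or the
    expected number of delimited fields is missing."""
    pos = line.find(TAG)
    if pos == -1:
        return None
    parts = DELIM.split(line[pos:])
    if parts[0] != TAG or len(parts) != len(FIELDS) + 1:
        return None
    return {name: value.strip() for name, value in zip(FIELDS, parts[1:])}


def unparsed(lines):
    """Lines a field-based parser of this shape would leave unclassified."""
    return [line for line in lines if parse_snare(line) is None]


if __name__ == "__main__":
    print(parse_snare(SNARE_SAMPLE))
    print(len(unparsed([AGENT_SAMPLE, SNARE_SAMPLE])), "line(s) not parsed")
```

Running a capture of a candidate agent's output through `unparsed` before rollout shows whether its messages carry the delimited fields at all.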

New Member

Re: SYSLOG managers for CS-MARS

It is the same problem, ok! I try to do the same!

Thanks!!!
