CS-MARS, Symantec AV, and Servers

Hello,

I have two questions:

1. I'm quite confused about adding Symantec AV 10.x alerts to CS-MARS. I selected the Symantec server as the computer that sends the SNMP trap, but the trap didn't arrive at MARS. Can someone help me discover what's wrong with it?

2. I also want to add a Linux e-mail server's syslog messages to CS-MARS. Has someone tried it, and what kind of alerts/events appear in MARS?

I attached an Ethereal file that shows the failed communication messages between the Symantec server and MARS. Hopefully it may help.

Thanks a lot for your responses.

2 REPLIES

Re: CS-MARS, Symantec AV, and Servers

Concerning SNMP traps, have you configured SNARE on the servers? Anyway, you'll have to be sure SNMP is up and working to get that information from the CS-MARS device. To check that, try to SNMP-query the server from another platform or tool (from a laptop, for example).

Also, you'll have to add the AV server in CS-MARS and configure the SNMP community, and if you want to get information from a Windows server, you'll have to select which method you will use, pull or push.

Check this out and just tell me if I can help you. We've added over 10 Windows domain controllers and there's no problem with them.

Good luck!!

PS: Rate the post if it helped you. Thanks.


Re: CS-MARS, Symantec AV, and Servers

1) It sounds like you've configured Symantec to send the traps. Did you also configure the device in CSMARS? Even if you didn't, Symantec will still send SNMP traps to CSMARS if it's configured correctly (they'll show up as unknown events). Use tcpdump on CSMARS to see if the SNMP traps are getting to CSMARS. Something like:

[pnadmin]$ tcpdump -i eth0 -n udp and port 162

You'll need to be able to force messages from Symantec.

2) The same kind of [or similar] events you get from any host: failed logins, etc.

3) There are no UDP SNMP traps in that trace. The trace appears to show a failed attempt by CSMARS to collect the Windows event logs from 192.168.0.39. Look at the security event log on that server to determine the cause. Unless you've specifically configured for least privilege, full administrator access is typically required to remotely pull Windows event logs.

I believe the ICMP port unreachables are the result of normal Symantec discovery (do a search on Symantec and udp port 328293).
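The reply above reads the Ethereal trace by asking three questions: is there any UDP/162 traffic at all (i.e. did a trap ever leave the Symantec server), which TCP connections is CS-MARS attempting toward the Windows host, and which UDP port each ICMP "port unreachable" is actually rejecting. The script below, an added example and not code from the thread or from Cisco, answers those three questions for any classic pcap using only the standard library. Because it must run offline, it also constructs its own sample capture: MARS at 192.168.0.10 (hypothetical), the Windows/AV host at 192.168.0.39 (the address quoted in the reply), the log pull attempted over TCP 445 and a discovery probe to UDP 38293; those ports are illustrative assumptions, not something the thread states.

```python
"""Read a pcap the way the reply above reads the Ethereal trace.

Added example (not from the original thread or from Cisco). Standard library
only; the capture is constructed inline so the script runs offline.
Assumptions: MARS at 192.168.0.10 (hypothetical), Windows/AV host at
192.168.0.39 (address quoted in the reply), event-log pull attempted over
TCP 445 and a discovery probe to UDP 38293 (both illustrative ports).
"""
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

ETH_IPV4 = 0x0800
IP_ICMP, IP_TCP, IP_UDP = 1, 6, 17
MARS, AV_HOST = "192.168.0.10", "192.168.0.39"   # hypothetical addresses


# --- minimal packet builders (checksums left 0; the parser never verifies them) ---
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, inet_aton(src), inet_aton(dst))
    return hdr + payload


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    # seq, ack, data offset (5 words), flags=SYN, window, checksum, urgent pointer
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def icmp_port_unreachable(original_ip_datagram):
    # type 3 / code 3, checksum, unused; then the offending IP header + 8 bytes (RFC 792)
    return struct.pack("!BBHI", 3, 3, 0, 0) + original_ip_datagram[:28]


def ether(ip_datagram):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4) + ip_datagram


def pcap(frames):
    # classic pcap: little-endian global header, linktype 1 (Ethernet), then per-frame records
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def build_sample_capture(with_trap=False):
    """Constructed capture mirroring the reply: two failed Windows log-pull
    attempts, a discovery probe answered with ICMP port unreachable, and
    optionally one real SNMP trap so the positive case is visible too."""
    probe = ipv4(AV_HOST, MARS, IP_UDP, udp(38293, 38293))   # hypothetical discovery probe
    frames = [
        ether(ipv4(MARS, AV_HOST, IP_TCP, tcp_syn(40000, 445))),
        ether(ipv4(MARS, AV_HOST, IP_TCP, tcp_syn(40001, 445))),
        ether(probe),
        ether(ipv4(MARS, AV_HOST, IP_ICMP, icmp_port_unreachable(probe))),
    ]
    if with_trap:
        frames.append(ether(ipv4(AV_HOST, MARS, IP_UDP, udp(1025, 162, b"\x30\x00"))))
    return pcap(frames)


def summarize(pcap_bytes):
    """Return {'snmp_traps': n, 'udp': Counter, 'tcp': Counter, 'icmp_port_unreach': Counter}.
    udp/tcp are keyed by (src, dst, dst port); icmp_port_unreach by
    (original sender, rejecting host, rejected UDP port)."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    res = {"snmp_traps": 0, "udp": Counter(), "tcp": Counter(), "icmp_port_unreach": Counter()}
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue                                   # not IPv4 over Ethernet; skip
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst, l4 = inet_ntoa(ip[12:16]), inet_ntoa(ip[16:20]), ip[ihl:]
        if proto in (IP_UDP, IP_TCP):
            (dport,) = struct.unpack("!H", l4[2:4])
            res["udp" if proto == IP_UDP else "tcp"][(src, dst, dport)] += 1
            if proto == IP_UDP and dport == 162:        # the trap the reply's tcpdump filter looks for
                res["snmp_traps"] += 1
        elif proto == IP_ICMP and l4[0] == 3 and l4[1] == 3:
            inner = l4[8:]                              # quoted original datagram
            iihl = (inner[0] & 0x0F) * 4
            (rejected_port,) = struct.unpack("!H", inner[iihl + 2:iihl + 4])
            res["icmp_port_unreach"][(inet_ntoa(inner[12:16]), src, rejected_port)] += 1
    return res


if __name__ == "__main__":
    for key, val in summarize(build_sample_capture()).items():
        print(key, dict(val) if isinstance(val, Counter) else val)
```

On the constructed capture the summary shows zero UDP/162 datagrams, two TCP SYNs from MARS to 192.168.0.39:445, and one ICMP port unreachable from MARS rejecting the host's UDP/38293 probe, which is exactly the shape of trace the reply describes. To use it on a real Ethereal/Wireshark save, pass the file's bytes to summarize(); the ICMP key tells you which side refused which port without having to read the quoted inner header by hand.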
