Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
260
Views
0
Helpful
1
Replies

kiwi (not) forwarding to MARS

randytoni
Level 1
Level 1

‎03-06-2007 09:21 AM - edited ‎03-09-2019 05:32 PM

sorry I originally posted this in the IDS forum (not a good day....)

I have a Kiwi syslog server set up in MARS as a generic syslog relay.

According to the latest (Dec 06?) MARS docs, this is how the Kiwi server itself should be configured to then forward messages to MARS:

? Send with RFC 3164 header information ? Selected

? Retain the original source address of the message ? Cleared.

If I set veither (or both) of these options as outlined in the doc none of the syslog messages that arrive at Kiwi appear to get sent to / processed by MARS .

If I clear the RFC 3164 header field, and pick the option to retain the original source address, the messages show up on MARS when I query the device (i.e. the syslog relay).

I did set up the sender (a Cisco router) as a reporting device in MARS - the syslogs arrive at Kiwi, but I only see them on MARS if I do exactly the opposite of what the manual says on the Kiwi side.

?????

what am I missing? What is MARS expecting to see from Kiwi?

thanks

-randy

Labels:
0 Helpful
1 Reply 1

sbilgi
Level 5
Level 5

‎03-12-2007 11:33 AM

Send with RFC 3164 header information - Selected if the syslog server receives syslog messages directly from the source devices only. Clear if the syslog server also receives syslog messages from relays. Do not configure mixed relays.

This additional header is necessary for the supported device types that do not have HOSTNAME in the syslog messages; thereby allowing MARS to correctly identify the original sending device. However, this option cannot be used on a Kiwi relay of relay. To support a Kiwi relay of relay in MARS, the first relay must have this option selected and must receive syslog messages only from the source devices, and all other relays must have this option cleared and must only receive syslog

messages from other Kiwi relays, not directly from devices.

Refer these links:

http://www.cisco.com/en/US/products/ps6241/products_user_guide_chapter09186a008075038a.html#wp1252321

http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_2/uggc/rules.htm#wp25388

0 Helpful
Customers Also Viewed These Support Documents