Currently we are using VMS to run daily reports on our severity high events on our IPS sensors. We are holding out on going to CSM until we get this style report moved onto our MARS appliance. Has anyone created a report in MARS for severity high events that includes source IP and port, destination IP and port, timestamp, and event type that can be exported to CSV? I tried all matching sessions with custom columns and that will output HTML correctly, but I hit a bug when you try to output .csv. (Cisco states the bug should be fixed by year end.)
I am open to any thoughts or recommendations for using MARS to generate reports to give to SOX auditors in regards to IPS events.
This shouldn't be difficult, so maybe I'm not understanding what you need. I just created a "custom columns ranked by time" report that shows only IPS red severity with csv output and it looks fine. Here is the format of my results:
Hmmm... just noticed something. No event type. The CSV output has always been a little odd, because it includes different fields than the HTML output (different than what was selected, too). I'll try again.
It's all coming back to me. I think there have been issues with the CSV output for a long time... I vaguely remember looking at the CSV output and thinking "hmmm, totally different columns than the HTML". I didn't care at the time because we didn't use the CSV output. Feature request? Yeah, okay. What kind of design results in different row-level data when switching output format from HTML to CSV? You could use the raw data if MARS didn't ALSO have a bug where it completely horked up IPS raw messages.