Cisco Support Community

Streaming Logs from CS-MARS

I have a client that desires to stream the raw logs collected by CS-MARS out to another SEM system. I have reviewed the documentation and have found no reference to this functionality. I see that you can send alerts per rule to a 3rd party device, but that is "Alerts", not the raw logs. If anyone knows if this is possible, I would appreciate your help.

2 REPLIES

Re: Streaming Logs from CS-MARS

This functionality does not yet exist. The only way to do this would be to use the XML export function added during 4.2.1. This e-mails an XML attachment to a user. I wrote a script to parse a POP3 inbox and download the attachments, parse the XML, and then generate an e-mail with detailed incident information. Part of the XML file does have the raw message in it. You could take this same premise and create a parser to export incidents to another system. Hope this helps.

-Mike

http://cs-mars.blogspot.com
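A sketch of the approach described in the reply above, added here as an example and not the poster's script: it pulls XML attachments out of one downloaded mail message, extracts the raw messages, and formats them as syslog-style lines for another SEM. The element names `Incident` and `RawMessage`, the `id` attribute, the host name `mars-export` and the sample mail are assumptions made for illustration; the real export schema is not shown on this page.

```python
import email
import xml.etree.ElementTree as ET
from email.message import EmailMessage
from email.policy import default

# Hypothetical element names; substitute those used in the real export file.
INCIDENT_TAG, RAW_TAG = "Incident", "RawMessage"

def xml_attachments(raw_mail: bytes):
    """Yield the bytes of each XML attachment in one downloaded message."""
    msg = email.message_from_bytes(raw_mail, policy=default)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type().endswith("/xml") or name.endswith(".xml"):
            yield part.get_payload(decode=True)

def raw_messages(xml_bytes: bytes):
    """Return (incident id, raw message) pairs from one export document."""
    # The mailbox is untrusted input: refuse DTDs so entity expansion cannot run.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD/entity declarations are not accepted")
    pairs = []
    for inc in ET.fromstring(xml_bytes).iter(INCIDENT_TAG):
        for raw in inc.iter(RAW_TAG):
            # Collapse CR/LF so one raw message cannot forge extra log lines.
            text = " ".join((raw.text or "").split())
            if text:
                pairs.append((inc.get("id", "unknown"), text))
    return pairs

def to_syslog(pairs, host="mars-export", pri=134):
    """Format pairs as syslog-style lines (pri 134 = local0.info)."""
    return [f"<{pri}>{host} csmars-incident[{iid}]: {text}" for iid, text in pairs]

def build_sample_mail() -> bytes:
    """Constructed sample mail with one XML attachment (not real export data)."""
    xml = (b'<Export><Incident id="1001"><RawMessage>%ASA-4-106023: Deny tcp '
           b'src outside:192.0.2.10/4411\nforged line</RawMessage></Incident>'
           b'<Incident id="1002"><RawMessage>sshd[212]: Failed password for root'
           b'</RawMessage></Incident></Export>')
    m = EmailMessage()
    m.set_content("see attachment")
    m.add_attachment(xml, maintype="application", subtype="xml", filename="export.xml")
    return m.as_bytes()

if __name__ == "__main__":
    for doc in xml_attachments(build_sample_mail()):
        print("\n".join(to_syslog(raw_messages(doc))))
```

The message bytes would come from the POP3 download step (for example `poplib.POP3_SSL(...).retr()`), which is left out so the block runs offline. The DTD byte check assumes a UTF-8 export; a hardened parser such as `defusedxml` is the sturdier choice for a mailbox that anyone can send to.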


Re: Streaming Logs from CS-MARS

Are we only talking about syslogs?

Perhaps you could send it to the other SEM first, then on to CSMARS. In 4.2.1, some support for aggregated syslogs was added. Haven't used it though, so YMMV. You might also consider using something like Linux/iptables and the ROUTE module to copy the packets to a different destination: (http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-ROUTE)
