TCC_2

Core issue

In this issue, Cisco Security Monitoring, Analysis and Response System (CS-MARS) logs the inactive reporting device error message after you add an ASA that runs software version 7.1 or 7.2.

This error message means that the MARS has not received syslog information from the ASA within the past hour.

MARS technically only supports up to ASA version 7.0.1, but this probably still works with 7.1 or 7.2. It is possible that some of the information that version 7.1 or 7.2 sends is not parsed properly, but in that case you get a different error message, for example, one that indicates that the MARS received an unknown event type.

Refer to Supported and Interoperable Devices and Software for Cisco Security MARS Local Controller 4.2.x for more information and a full list of supported software and platforms.

Resolution

Complete these steps in order to resolve this issue:

  1. Configure the Cisco firewall device in order to accept administrative sessions from MARS to discover settings. Configure the administrative context in order to accept these sessions.
  2. Configure the Cisco firewall device in order to publish its syslog events to MARS. Configure the administrative context and each security context.
  3. Within MARS, provide the administrative connection information in order to define the Cisco firewall device.

Refer to the Bootstrapping the Cisco Firewall Device section of Configuring Firewall Devices in order to configure MARS to accept syslog event data and to pull device configuration settings from a Cisco firewall device.

In order to enable administrative connections to the firewall device, choose from these options:

  • Telnet Access on a Cisco Firewall Device

    1. Log in to the Cisco firewall device with administrator privileges.
    2. Enter the telnet command where the interface name can be inside, outside, or DMZ.

  • Enable Secure Shell (SSH) Access on a Cisco Firewall Device

    1. Log in to the Cisco firewall device with administrator privileges.
    2. Enter the ssh command where the interface name can be inside, outside, or DMZ.

  • Send Syslog Files From Cisco Firewall Device to MARS

    When you prepare a Cisco firewall device to publish syslog messages, consider these restrictions:

      • In releases earlier than 4.2.1, do not customize the priority of any syslog messages. If you do, MARS fails to parse those messages.

      • Do not configure EMBLEM format for syslog messages. Make sure that the format EMBLEM extension is not used on this command in the configuration:
        logging host format EMBLEM

    In order to send syslog messages to the MARS Appliance, you must enable logging, select the log facility and queue size, and specify the log level to debug.

    1. Log in to the Cisco firewall device with administrator privileges.
    2. In order to enable logging, enter one of these commands:
       • For PIX and Cisco ASA:
         logging enable
       • For FWSM:
         logging on
    3. In order to specify the MARS Appliance as a target logging host, enter the logging host command.
    4. In order to set the log level to debug, which ensures that HTTP and FTP session logs are generated, enter the logging trap debugging command.
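
The following is an added example, not part of the original article or any Cisco tool: a Python check that audits a saved firewall running-config against the syslog requirements and restrictions listed above. The function name, the sample configurations and the 192.0.2.10 MARS address are constructed for illustration, and it assumes a customized message priority appears in the configuration as `logging message <id> level <level>`.

```python
import re

MARS_IP = "192.0.2.10"  # constructed documentation address for the MARS appliance

# Constructed sample configurations (not captured from a real device).
GOOD_CONFIG = """\
logging enable
logging trap debugging
logging host inside 192.0.2.10
"""
BAD_CONFIG = """\
logging enable
logging trap informational
logging host inside 192.0.2.10 format emblem
logging message 106023 level warnings
"""

def audit_logging(config, mars_ip):
    """Return the syslog requirements from the steps above that the config fails."""
    lines = [ln.strip().lower() for ln in config.splitlines()]
    findings = []
    # Step 2: 'logging enable' (PIX, ASA) or 'logging on' (FWSM).
    if not any(ln in ("logging enable", "logging on") for ln in lines):
        findings.append("logging is not enabled")
    # Step 3: a 'logging host' line must name the MARS appliance.
    hosts = [ln for ln in lines
             if ln.startswith("logging host ") and mars_ip in ln.split()]
    if not hosts:
        findings.append("no logging host entry for " + mars_ip)
    # Restriction: MARS cannot parse EMBLEM-formatted messages.
    if any("format emblem" in ln for ln in hosts):
        findings.append("logging host for MARS uses format emblem")
    # Step 4: trap level must be debugging (severity 7).
    if not any(re.fullmatch(r"logging trap (debugging|7)", ln) for ln in lines):
        findings.append("logging trap is not set to debugging")
    # Restriction (MARS releases earlier than 4.2.1): no customized priorities.
    # Assumption: a customized priority appears as 'logging message <id> level <level>'.
    custom = [ln for ln in lines if re.fullmatch(r"logging message \d+ level \S+", ln)]
    if custom:
        findings.append("%d syslog message(s) have a customized level" % len(custom))
    return findings

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_logging(cfg, MARS_IP) or "OK")
```

An empty result means the configuration meets every requirement checked here; it does not confirm that syslog packets actually reach the MARS appliance.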

Refer to Configuring Firewall Devices for more information.
