MARS and IDSM2 logs

Hi All,
I have MARS version 6.0.3 (3188) 32. When I try to add IDSM2 to it as a device, I can't find the version of the IDSM2 in the MARS.
The version of IDSM2 is 7.0.4(E4).
Can anyone help me with this issue, please?
Thanks in advance,
Ayman

Ayman;
CS-MARS will successfully parse signature events for your IDSM-2
running 7.0 software. However, CS-MARS will have no understanding of
the global correlation details which are new to the 7.0 release. If you
wish to be able to query/report on global correlation details within
CS-MARS, you will need to upgrade.
Once you upgrade, you can simply select the IDSM-2 in the 'Security
and Monitor Devices' list and click the "Change Version" button.
Scott

Similar Messages

  • MARS and windows log timestamps

    MARS 4.3.3 (2636) pulling logs off a Windows 2003 server at 1 hour intervals. The MARS events seem to get timestamped in "clumps" at about 2-hour intervals e.g. 3000 events all timestamped within about a minute of 2:00, then nothing for a couple hours, then another 3 or 4000 events all timestamped within a minute or 2 of 4:00, etc. etc.
    The logs on the Windows box are all spread out across these "dead intervals" as expected - so it appears MARS is pulling the log and screwing up all the timestamps on the individual events as it parses them.
    Any help appreciated - thanks
    -randy

    Reply from Cisco indicates that the log pull should be parsing the Windows event timestamp info and applying it to MARS events as they're generated.
    I replied that this isn't the observed behavior here.
    Only other scenario (suggested) is that the MARS box is busy (from other work, Windows pulls, etc.) and possibly has intermittent problems logging into this Windows box at certain intervals, somehow screwing up the events on MARS. But I don't see any "winpull" type errors in the backend log at all. Another suggestion is related to the time sync on the boxes - apparently if they're off then log data can get fubar'd. But none of this seems to apply here or correlate (pardon the pun) with what's going on. Still confused.
    Anyway, I'm going to try to migrate to push agent asap - meanwhile any other hints or suggestions appreciated - will see if TAC comes back with anything more

  • CS-MARS and WCS logs

    Currently I'm implementing a CS-MARS solution where the first task is to get it successfully monitoring our logging from WCS. Unfortunately MARS doesn't support WCS and requires a custom parser to be built so that it understands the logs.
    I was wondering if anyone had done this yet. I'm having some trouble getting information on all of the logs from WCS to create a proper parser for it in MARS.

    The problems arise from Cisco not actually making all these products but rather purchasing companies. So these aren't really Cisco's products!!! They are products other company made and Cisco just bought their companies. So, they are frequently left with making different products from different acquisitions work together.
    In this case Mars came from the Protego acquisition, while WCS came from the Airespace acquisition.
    In all they do a very good job of this process, and in the past there have been many cases where Cisco has taken a few quarters after the acquisitions to get it all working smoothly.
    such as in
    Catalyst Switches -> cisco IP Phones
    Cisco Pix FW -> VPN Concentrator Tunnels
    VPN Concentrator -> Tacacs Server
    In the meantime just explain what I said to your boss, and he'll understand.
    -Joe

  • MARS and Check Point Firewall Logging

    Hi,
    I have added my Check Point CMA object to MARS, but am not seeing any log information.  My CLM is a separate server (child enforcement module), which is discovered OK when the initial CMA discovery takes place in MARS.  I have configured the Log Info settings for the CLM entry in MARS with the SIC details for the Check Point MARS and CLM objects.
    I've created a simple query to gather outbound ftp data (for which there is lots) and I am seeing nothing when running this query in MARS.  The associated CLM log shows plenty of entries.  I am keen to be able to get some historical logging data via MARS, so any help to resolve this issue would be appreciated.
    Many thanks
    Liam

    Liam;
      CS-MARS<>Check Point integration can be very tricky and is very dependent on the versions of software involved.  You may be able to find out some additional insight into the process by raising the CS-MARS logging level for Check Point and monitoring the output.  This is accomplished from the CS-MARS CLI:
    [pnadmin]$ pnlog setlevel cpdebug
    You can then view the messages via the CLI as well:
    [pnadmin]$ pnlog show cpdebug
      If this does not shed any light on the communication between CS-MARS and the Check Point devices, it would be best to open a service request with TAC so further troubleshooting can be performed.
    Scott

  • MARS and Tippingpoint

    I would like to know if we can customize CS MARS to receive and understand logs from Tippingpoint IPS.
    I would like to create a drop rule or customized rule that says that anything followed by the event "dropped package by IPS" is system determined false positive or just drop it to reduce false positives. Is this possible and please correct me if the idea is correct because according to below link, when Cisco IPS and CS MARS integrate, it identifies all dropped packages by IPS as false positive incident and I think that will decrease the number of incidents considering the number of blocked traffic by Tippingpoint IPS?!
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/SAFE_RG/chap11.html
    Thank you

    Nora;
      Through the use of the Device Support Framework, CS-MARS can be configured to parse events received from devices not natively supported and can send their events via syslog or SNMP trap.  You can read more about creating custom devices here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgCustm.html
      System defined false positives cannot be defined by you, the CS-MARS makes this decision based on data it has accumulated in regard to a firing incident.  You can create a drop rule, which would allow you to configure CS-MARS to not create an incident when certain criteria are met (source IP, destination IP, event, etc) or completely ignore the event and not log it to the CS-MARS database.  You can read more about CS-MARS rules here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/rules.html
    Scott

  • Mars and accessibility

    I'm working in the field of accessibility for the past years,
    I recently tried the new MARS plugin on Adobe 8 Professional and I
    became very curious about future prospects in Adobe for Mars
    format.
    Will accessibility in PDF be redirected to MARS? Will Adobe
    Reader include the option to read .mars files by default?
    I think that nobody talks about mars and it could be a
    really interesting issue in this field.
    I asked Duff Johnsonn on the subject and he redirected me to
    Adobe, as he thinks Mars and accessibility would be a promising
    issue.
    Thanks in advance for your attention,
    Mireia Ribera
    Universitat de Barcelona. Departament Biblioteconomia i
    Documentació
    http://bd.ub.es/pub/ribera

  • Mars and NAC 4.8

    Hello, I am deploying CS-MARS and I have a problem: I can't add Cisco Network Access Control in the MARS to the controlled devices.
    There are just 4.1 versions.
    Does it support 4.8?
    Thanks in advance
    A.Black

    Hello Alexander
    Since MARS is going away in a while, you won't find that many device updates, even the latest release does not support NAC 4.8.x (officially).
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.1/compatibility/local_controller/dtlc6x.html
    However you can always add a NAC 4.8.x box as whatever is supported in the GUI and MARS would work in backwards compatible mode ignoring the log messages introduced in the newer releases.
    Regards
    Farrukh

  • [svn:osmf:] 14976: Clean up and expose logging API.

    Revision: 14976
    Author:   [email protected]
    Date:     2010-03-23 17:21:14 -0700 (Tue, 23 Mar 2010)
    Log Message:
    Clean up and expose logging API.
    Modified Paths:
        osmf/trunk/apps/samples/framework/SampleLoggers/org/osmf/logging/flex/FlexLogWrapper.as
        osmf/trunk/apps/samples/framework/SampleLoggers/org/osmf/logging/flex/FlexLoggerWrapper.as
        osmf/trunk/framework/OSMF/org/osmf/logging/ILogger.as
        osmf/trunk/framework/OSMF/org/osmf/logging/ILoggerFactory.as
        osmf/trunk/framework/OSMF/org/osmf/logging/Log.as
        osmf/trunk/framework/OSMF/org/osmf/logging/TraceLogger.as
        osmf/trunk/framework/OSMF/org/osmf/logging/TraceLoggerFactory.as

    a) You can use
    handler = new FileHandler(Constant.LOGFILE, true);
    Check the Javadoc please...
    b) you can configure the property "java.util.logging.FileHandler.append" to "true" (again, check the javadoc of java.util.logging.FileHandler)

  • CS MARS and CSA

    If we have both CS MARS and CSA to monitor network devices, and we have all servers send logs to CSA only and then CSA send logs to CS MARS, is that going to affect the result of vulnerability scanning done by CS MARS on servers as in order for CS MARS to recognise that the incident is system determined false positive? Therefore, will adding servers in CSA only not allow CS MARS to directly perform vulnerability scanning on servers or will it do it through CSA?
    Thank you

    Hello Nora
    This would depend on your requirements. As you know MARS has a built-in Nessus Scanner that does 'dynamic vuln scanning' to know more about the OS/services running on hosts; this helps in reducing false positives. Adding the CSA MC to MARS can give similar information and you may optionally exclude the server subnets (with CSA) from the dynamic vuln. scanning range in MARS.
    However there is another aspect to this, let's say you want to monitor all authentication attempts to Apache (and assuming these event types are supported in MARS). This information would come through raw syslogs which could be queried later. If you don't add the Apache server in MARS (as a monitored device), CSA might not send these messages to you as it might not have any rules related to these events...I hope you get my point. So in some cases you would need both, in others only adding the CSA-MC could suffice.
    Regards
    Farrukh

  • Log messages for 'auditing' are different in 'general' and 'application' log

    Hi,
    From the UI, when I audit a file using a profile which comprises user-defined 'rules/categories/analyzers', I get log messages in the 'File-name (Application)' log window and the 'Messages' log window, which are located at the bottom of the Jdev UI page. One common message in both log windows is
    "<n1> violations, <n2> exceptions, <n3> documents, <n4> seconds".
    But here the 'n1,n2,...' numbers are different in the two windows though the log output is for the same file. In this the 'file-name' log shows the correct
    Example:-
    In 'file-name' log window ,it shows as:
    3 documents, 8 violations, no exceptions
    In messages window, it shows as
    "Audit starting on EFC.jpr (Default)
    Audit completed: no violations, no exceptions, 3 documents, 1 second"
    If I use the 'pre-existed'(Jdev's) rules profile, I will get similar output in both log windows.
    From this I concluded that there is something missing to register for a new 'rule/category/analyzer'.
    Could you advise me in this case? Did I forget to do anything in any of the files '<rule-implementation.java>', 'audit.properties', <add-in launcher>.java, extension.xml?
    Actually, I want to use 'ojaudit' executable from command line to my project files. Here I observed that the output of the 'ojaudit' is similar to the above explained 'Message' log window in JDeveloper UI. But where the 'Message' log window output is not correct for user-defined rules.
    Regards
    Madhu

    Romano,
    In the upcoming production release (planned to be released next week), we added caching of authorized roles and permissions in JhsAuthorizationProxy class.
    I suggest you wait for this release; if the problem persists, it is most likely an ADF issue (as is the logging).
    Steven Davelaar,
    JHeadstart team.

  • Blackberry 8310 Curve randomly deletes text/sms messages and phone logs

    Why does this keep happening to me?
    There are times that my phone goes over a week without it happening and then there are times like today it has happened three times.
    I will have maybe 5 or 6 text messages in my inbox and maybe 2 or 3 emails and I get a phone call and POOF the text messages and phone logs are gone!
    I have repeatedly lost important text messages and numbers from my call log.
    The tech support excuse for it is that I have too many messages in my inbox which causes it, but 6 sms messages and 3 emails is too much?
    I have tried everything (updating the desktop software, updating all of the settings NOT to delete messages until I delete them, hard booting my phone once a day, etc..) and it still does it.
    This also used to happen with my Blackberry Pearl.
    If I can't get it resolved, I will just switch to the iPhone.  I can deal with the randomly dropped calls, but constantly losing my call logs and text messages is BEYOND frustrating and Blackberry tech support has been no help!

    DCmuseum,
    Hi,
    You have low free memory left on your device.
    Do you have a lot of third party applications on your BB: weather, icall, bbalerts etc?
    I do not know your experience level, so if you know this I'm sorry but please read and let me
    know if this applies.
    Most people close the applications by pressing the escape or red key. This does not close the applications.
    Each application has a CLOSE option. For instance if you are in the calendar hit the menu key (spotted key) and scroll down to the bottom CLOSE is listed. Go through each application and press close. Go into the browser press menu and options select cache operations clear all categories and hit escape it will say cleaning memory.
    Go to options - security - memory cleaning - enable it. The BB will now clean memory when idle for 5 minutes.
    You will have an icon on your screen for memory cleaning; make sure you press it. Make sure you use the CLOSE button each time you are done with an application.
    Read the link below and follow each step that Tanzim outlines,
    http://supportforums.blackberry.com/rim/board/message?board.id=8300&message.id=9225#M9225
    If you follow these steps and keep up with your memory your phone will operate smoothly.
    Please let us know if you need help with any of the steps.
    Thanks
    Message Edited by Bifocals on 09-07-2008 11:58 AM

  • HT5625 apple id problems with apple id and icloud log on

    hi all you dudes out there?
    I am having problems with my log on to itunes and icloud?
    really the problem began some time ago when I got an upgrade from iphone 3s to iphone 4s, I kept my old iphone as a second phone then gave the old one to my mrs?
    the problem is when I send a message to anyone the wife gets it on hers too? and vice versa? I have now desected/removed the old iphone 3s from my apple account but it's still happening? on removing the old iphone I got an icloud log on with new passwords and I changed the email on record for itunes and apple log on as my email address had changed due to a new broadband supplier so the old one became useless to me so I changed it all?
    now the apple id still comes up as the log on id for itunes and icloud and I can't seem to rectify this even though I have changed all the details around to the new log on id`s ???and I still get her messages and her mine??? it's driving me potty? I mean when you change the id surely apple should wipe the old log on? apparently not so if I try to log on with the old details it won't let me on? now I can't buy music or anything else?
    has anyone got any answers so I can rectify the log on and stop messages going to my phone from the wifes and mine to hers? like if I text her I get the message on both my own and to hers ???
    I would say neither of us could cheat cos we get each others messages
    any help would be greatly appreciated believe me! thank you all in advance! herrline or Graham!

    hi guys and gals an update to the above question?
    the settings for icloud still has my old email address which I deleted from itunes and apple? so maybe this is why I can't get on to itunes etc But? I can't change or delete from my iphone icloud account so I can reset it without logging in with the old details which are no longer on itunes or apple system so I'm completely stuck?
    aaaarrhhhhh? herrline or Graham.
    on the good side the problem with the texting seems to have rectified after I followed the info from the right hand side other questions like "my wifes iphone thinks its the same as mine"? it's now not messaging mine when I send messages so I hope when she sends messages I won't get her either?

  • I have installed the agent 10 or 15 times and one installation has failed, no error appeared during the installation but I am having inconsistent issues with my ethernet card not working here and there. We rebooted and can log into Novell client but th

    I have installed the agent 10 or 15 times and one installation has failed, no error appeared during the installation but I am having inconsistent issues with my ethernet card not working here and there. We rebooted and can log into Novell client but the login prompt did not appear for ESM client or the icon was not in the systray. Everything seems to work, besides at times (a couple times today) it terminates his ethernet card/connection. I would re-image his computer but he has several applications and it would take several hours, so I am hoping someone has an idea to fix this issue. So I was trying to figure out why he did not get the prompt to login and why it's not in the systray and it appears to not have completed the install? I checked the add/remove programs, it's not listed within there, I also checked the registry and found nothing for endpoint within there, but the files are within c:\program files\novell\zenworks endpoint security.
    I have also tried uninstalling it but that fails due to it "not being installed", and it will not reinstall over itself either.
    I did notice that stuninstdrv.exe is running in task manager. Any help would be great...
    Windows xp sp3
    ESM 3.5.154
    Thanks,
    Andy

    If you are searching the registry, check for the "Senforce" string. It should be at HKLM\Software\Senforce
    Try running the install program for the ZSC with the following command line:
    setup.exe /V"STUNINSTALL=1"
    If you've specified an uninstall password, try this one instead:
    setup.exe /V"STUNINSTALL=1 STUIP=password"" (please note the double quote at the end)
    Let me know if that helped you.
    Daniel
    >>>
    From: Andy_DeWees<[email protected] du>
    To:novell.support.zenworks.endpoint-security-management
    Date: 2/5/2009 12:52 PM
    Subject: I have installed the agent 10 or 15 times and one installation has failed, no error appeared during the installation but I am having inconsistent issues with my ethernet card not working here and there. We rebooted and can log into Novell client but the login prompt did not appear for ESM client or the icon was not in the systray. Everything seems to work, besides at times (a couple times today) it terminates his ethernet card/connection. I would re-image his computer but he has several applications and

  • HT4865 I just bought this iPad and cannot log out from iCloud because I don't have the password. How can I log out from iCloud? Need help

    I just bought this iPad and cannot log out from iCloud because I don't have the password. How can I log out from iCloud? Need help

    You need to return it to the seller and get your money back.  You cannot reset or use the device with another AppleID installed unless you know the password for that ID.
    If the device has been jailbroken, no one on here can give you any further help...the Terms of Use prohibit us from doing so.

  • I show an old defunct email address for my Apple ID on my App Store, iCloud, and iTunes accounts and cannot log in.  I am told my ID or password is incorrect.  I did change my primary email address.  That is the app ID that is showing.

    How do I rename my App Store, iCloud, and iTunes accounts so I can update apps and software?  I have closed the original email address I started my App Store, iCloud, and iTunes account with and cannot log in under that Apple ID.  I have tried going through device and my MacBook Air.  Where can I get on-line assistance?

    If you mean you are trying to delete your iCloud account in iOS 7 and you don't know the password for the old ID, do one of the following:
    If you still have access to your old email address, go to https://appleid.apple.com, click Manage my Apple ID and sign in with your iCloud ID.  Tap edit next to the primary email account, tap Edit, change it back to your old email account and verify it.  Then edit the name of the account to change it back to your old email address.  You should then be able to turn off Find My iPhone with your password. Then go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back and change your primary email address and iCloud ID back to the way it was.  You will then be able to go to Settings>iCloud and sign in with your current ID and password to reconnect to your iCloud account.
    If you don't have access to your old email address, you will have to contact Apple to get them to reset the password for it so you can disable Find My iPhone and sign into your iCloud account.  You will have to prove your identity to them in order to do so.  You can either contact iTunes support for assistance with this (https://ssl.apple.com/emea/support/itunes/contact.html), or contact Apple Support (http://www.apple.com/support/icloud/contact/).
