SYSLOG managers for CS-MARS

Hi all,
I have a question about “syslog” and “Cisco MARS”.
We have the Snare Event Reporter for sending syslog to CS-MARS. I would like to know if there is
other software compatible with the appliance ...
I know there is another similar event handler which is called "event reporter",
and I would like to confirm whether this is compatible with CS-MARS; if not, could you please tell me if there is any other software I can work with?
Thank you in advance and best regards.

You can use any syslog exporter out there, but the problem is when the log is received by MARS, if MARS can parse it or not. MARS is looking for specific fields for data and if they are not there, it will just log the message as Unknown Event Type.
I had this issue when I got MARS up and running in my company. I had Datagram Syslog Agent installed on a lot of servers, which is way better than SNARE, but MARS wouldn't recognize the message. Look below for an example of a log message, one sent with Syslog Agent and the other with SNARE. After I saw the difference between the two messages, it was obvious why Syslog Agent was not working for me.
Since then, I have had to start rolling out SNARE to all my servers. It's possible to create a custom parser for MARS to accept a different format, but it seemed much easier to just switch over to SNARE.
Syslog Agent
12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort abortedFor more information, see Help and Support Center athttp://www.mysql.com.
SNARE
12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted For more information, see Help and Support Center at http://www.mysql.com. <009>17
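As an added example (not from the original post), the following Python treats the two messages quoted above the way a field-based parser would: the SNARE payload is tab-delimited (the "<009>" shown above is how the tab character was rendered), so fields can be taken by position, while the Syslog Agent payload has no delimiters to key on and falls through to the unknown-event path. The field labels are inferred from the sample and are assumptions, and the receiving server's own timestamp/facility prefix is omitted.

```python
import re

# Constructed from the two messages quoted in the post, with the receiving
# syslog server's own "12-17-2008 ... 127.0.0.1" prefix dropped and the
# "<009>" markers restored to real tab characters.
SNARE_MSG = "Dec 17 08:29:57 x.x.x.x " + "\t".join([
    "MSWinEventLog", "1", "Application", "22", "Wed Dec 17 08:29:52 2008",
    "100", "MySQL", "Unknown User", "N/A", "Error", "x.x.x.x", "None", "",
    r"C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin"
    r"\mysqld-nt: Sort aborted For more information, see Help and Support "
    "Center at http://www.mysql.com. ", "17",
])
AGENT_MSG = ("Dec 17 08:31:02 x.x.x.x mysql[error] 100 "
             r"C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL"
             r"\bin\mysqld-nt: Sort abortedFor more information, see Help and "
             "Support Center athttp://www.mysql.com.")

# BSD-style syslog header: "Mmm dd hh:mm:ss host payload"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<payload>.*)$",
    re.S)

# Tab positions in the SNARE payload. Labels are inferred from the sample
# (assumption); position 0 is the fixed "MSWinEventLog" tag.
SNARE_FIELDS = {2: "log_name", 4: "event_time", 5: "event_id", 6: "source",
                9: "event_type", 10: "computer", 13: "description"}


def parse_snare(payload):
    """Return positional fields if the payload is a SNARE MSWinEventLog
    record, else None (no fixed fields a parser could key on)."""
    parts = payload.split("\t")
    if parts[0] != "MSWinEventLog" or len(parts) <= max(SNARE_FIELDS):
        return None
    fields = {name: parts[i].strip() for i, name in SNARE_FIELDS.items()}
    fields["field_count"] = len(parts)
    return fields


def classify(message):
    """Mimic the behaviour described in the post: a message whose fields can
    be located gets an event type, anything else is 'Unknown Event Type'."""
    m = HEADER_RE.match(message)
    if not m:
        return "Unknown Event Type", None
    fields = parse_snare(m.group("payload"))
    if fields is None:
        return "Unknown Event Type", None
    fields["reporting_host"] = m.group("host")
    return "Windows Event Log (SNARE)", fields


if __name__ == "__main__":
    for msg in (SNARE_MSG, AGENT_MSG):
        kind, fields = classify(msg)
        summary = fields and {k: fields[k] for k in ("event_id", "source", "event_type")}
        print(kind, summary)
```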

Similar Messages

  • ISE offloading syslogs real time to MARS

    I am working on my implementation of ISE and I want to offload real-time logs from ISE to MARS. Is this possible, and is there anything special that is needed to perform this?

    To collect logs externally, you configure external syslog servers, called targets. Logging targets are locations where the system logs are collected. In Cisco ISE, targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can FTP them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
    • LogCollector—Default syslog target for the Log Collector.
    • ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.
    To create an external logging target, complete the following steps:
    Step 1: From the ISE Administration Interface, choose Administration > System > Logging > Remote Logging Targets.
    The Remote Logging Targets page appears.
    Click Add.
    Step 2: The Log Collector page appears.
    Step 3: Configure the following fields:
    a. Name—Enter the name of the new target.
    b. Target Type—By default it is set to Syslog. The value of this field cannot be changed.
    c. Description—Enter a brief description of the new target.
    d. IP Address—Enter the IP address of the destination machine where you want to store the logs.
    e. Port—Enter the port number of the destination machine.
    f. Facility Code—Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
    g. Maximum Length—Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
    Step 4: Click Save.

  • Syslog Forwarding in CS-MARS

    Hey all,
    Is there any documentation on configuring this? I don't see it in the User Guide for the CS-MARS Local Controller. I have read this: "Syslog Forwarding support in Cisco Security MARS will allow Cisco Security MARS to forward syslog messages it receives from syslog sources to another syslog receiver", but I can't find out how to do this.

    This is documented at the following link, but you cannot do this on the web interface; you have to log in via console/SSH:
    http://cio.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_3/uglc/cfgover.htm#wp1300778
    Regards
    Farrukh

  • Work Managers for SOA composites

    Hi All,
    We have a couple of composites which need to be deployed on Oracle SOA 11g, with WebLogic as the platform. My question is: can we set work managers for different composites, like we generally set the dispatch policy for proxy services in OSB? Please let me know.
    Regards.

    Hi
    I don't believe you set work managers on a composite-by-composite basis, but it may be possible to set up new application-scoped work managers in WebLogic, although I have never tried this...
    Damien

  • ACE Syslog message for State change

    Hi,
    Is there a syslog message for a state change for rservers? If so, how could we enable this?
    E.g. when a probe fails the state changes to 'probe-failed';
    when all probes are successful the state is 'operational'.
    Thank you
    Bilal

    Hi,
    There is a syslog message something like below:
    %ACE-3-251006: Health probe failed for server 10.80.10.10 on port 80 internal error: failed to setup a socket.
    First enable logging on ACE:
    ACE/Admin(config)# logging enable
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/config.html#wp1063750
    Read the section "Specifying Syslog Output Locations".
    logging buffered 3 should generate a syslog in the event of a probe failure.
    You can also set up SNMP to monitor it:
    cesRealServerStateChange (CISCO-ENHANCED-SLB-MIB)
    State of a real server configured in a server farm changed to a new state as a result of something other than a user intervention. This notification is sent for situations such as ARP failures, probe failures, and so on.
    Hope that helps.
    regards,
    Ajay Kumar

  • Standard bapi to fetch the line managers for particular User

    Hi,
    Is there any BAPI to fetch the line managers for a particular user? If so, could anyone help me out with the same?
    Regards,
    Ram

    Hi Ram
    Please check
    SWX_GET_MANAGER 
    HRCM_ORGUNIT_MANAGER_GET
    Check the following thread
    Function module to get Manager
    Regards,
    Arun

  • Syslog message for copy running-config

    Hello,
    I have a syslog server and I want to receive a syslog message that says "config saved" from the switch/router.
    I can't find any log message that syslog generates for the copy command.
    Can I achieve this with EEM?
    I need this for NX-OS and regular IOS.
    Thanks.

    Hello Ricarte,
    Not sure I follow your question but let me explain something:
    Can I copy running-config to another file in flash, do testing on it, and if something goes wrong, put it back? Like...
    asa>copy running-config my-config
    Yes, it is possible
    copy my-config running-config
    This will do a merge of both the file my-config and the running-config. It will be a merge.
    A merge adds any new commands from the new configuration to the running configuration. If the configurations are the same, no changes occur. If commands conflict or if commands affect the running of the context, then the effect of the merge depends on the command. You might get errors, or you might have unexpected results.

  • Syslog support for IPS SSM 10

    Hi,
    I am new to IPS SSM 10. I've a few questions:
    1. Do we have any kind of syslog logs for IPS SSM 10? Basically I want to know what kind of attacks, intrusions and DoS have happened.
    2. Can we update the signatures automatically through the Cisco site?

    The AIP-SSM does not support syslog as an alert format.
    The default method to receive alert information from the AIP-SSM is through Security Device Event Exchange (SDEE). Another option is to configure individual signatures to generate an SNMP trap as an action to take when they are triggered.

  • Syslog server for Monitoring Cisco devices

    I am looking for a syslog server to log all logs from Cisco devices. We have more than 800 Cisco devices. Can anyone tell me which syslog server I should use to log these files?
    Thank you.

    Has anyone used the Cisco recommendation of Building Scalable Syslog Solutions?
    http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html#wp9000318
    I used this in another organization and we were very successful. We currently use Netcool that feeds from a syslog, and we get several non-actionable alarms; it's very time consuming for 13,000 devices. I would only like to alert on 0-5 Cisco syslog messages. Below is the response from my Netcool Administrator (what are your thoughts?):
    From my Netcool Administrator:
    Regarding using the Cisco syslog severity for alert control, I feel that is not the best way to control the work in Netcool.
    1. -- Cisco is not consistent with the use of this value.
        Examples:
            In this case the important message is the lower severity alert: I would consider the BGP-3-NOTIFICATION a level 6 (Informational):
            Aug  4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: Aug  4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 Down BGP Notification sent
            Aug  4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: Aug  4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor 10.93.69.106 4/0 (hold time expired) 0 bytes
            This one is near the top level of severity per Cisco but not all that severe in reality; further, this syslog has a bug where the threshold is not even exceeded:
            %ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU temperature 107C exceeds threshold 110C.  Please resolve system cooling immediately to prevent system damage
            This one is reporting a standard condition:
            %ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted
            Here is an example of a 1 where the voice group says that nothing is wrong:
            Aug  4 13:08:42 rtgcaa75u01-01.sw.us.bank-dns.com 047489: Aug  4 11:08:41: %IVR-1-APP_PARALLEL_INVALID_LIST: Call terminated.  Huntgroup '1' does not contain enough valid SIP end-points to proceed with a parallel call.
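As an added example (not part of the original post), this Python sketches the approach the administrator is arguing for: parse the %FACILITY-SEVERITY-MNEMONIC tag out of the quoted messages, apply a local severity override table instead of trusting Cisco's value, check the ENVMON message's reported temperature against its own threshold, and alert only on an explicit short list of mnemonics. The override values and the allowlist are constructed for illustration.

```python
import re
from typing import Optional

# Log lines quoted by the Netcool administrator above (the BGP pair keeps
# its full IOS header; the others are the message portion only).
BGP_ADJCHANGE = ("Aug  4 03:10:01 rtgara02r01m04-lb0.us.bank-dns.com 001458: "
                 "Aug  4 03:10:01: %BGP-5-ADJCHANGE: neighbor 10.93.69.106 "
                 "Down BGP Notification sent")
BGP_NOTIFICATION = ("Aug  4 03:10:02 rtgara02r01m04-lb0.us.bank-dns.com 001459: "
                    "Aug  4 03:10:01: %BGP-3-NOTIFICATION: sent to neighbor "
                    "10.93.69.106 4/0 (hold time expired) 0 bytes")
ENVMON_OVERTEMP = ("%ENVMON-1-CPU_WARNING_OVERTEMP: Critical Warning: CPU "
                   "temperature 107C exceeds threshold 110C.  Please resolve "
                   "system cooling immediately to prevent system damage")
ILPOWER_GRANTED = "%ILPOWER-5-POWER_GRANTED: Interface Fa0/24: Power granted"

# IOS message tag: %FACILITY-SEVERITY-MNEMONIC: text
TAG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
                    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)")
TEMP_RE = re.compile(r"temperature (\d+)C exceeds threshold (\d+)C")

# Local view of how serious each message really is (constructed policy
# following the administrator's comments), keyed by the full tag.
SEVERITY_OVERRIDES = {
    "BGP-3-NOTIFICATION": 6,               # informational; ADJCHANGE matters
    "ILPOWER-5-POWER_GRANTED": 6,          # reports a normal condition
    "IVR-1-APP_PARALLEL_INVALID_LIST": 6,  # voice group: nothing is wrong
}
# The handful of message types worth paging on (constructed allowlist).
ALERT_ON = {"BGP-5-ADJCHANGE", "ENVMON-1-CPU_WARNING_OVERTEMP"}


def parse_tag(line: str) -> Optional[dict]:
    """Extract facility, Cisco severity, mnemonic and text; None if no tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["severity"] = int(ev["severity"])
    ev["tag"] = f"{ev['facility']}-{ev['severity']}-{ev['mnemonic']}"
    return ev


def effective_severity(ev: dict) -> Optional[int]:
    """Severity after local policy; None means the message is suppressed."""
    # Plausibility check for the overtemp bug: suppress when the reported
    # temperature does not actually exceed the stated threshold.
    if ev["mnemonic"] == "CPU_WARNING_OVERTEMP":
        t = TEMP_RE.search(ev["text"])
        if t and int(t.group(1)) <= int(t.group(2)):
            return None
    return SEVERITY_OVERRIDES.get(ev["tag"], ev["severity"])


def should_alert(line: str, alert_on=ALERT_ON) -> bool:
    """Alert only on allowlisted tags that survive the plausibility check."""
    ev = parse_tag(line)
    if ev is None or effective_severity(ev) is None:
        return False
    return ev["tag"] in alert_on


if __name__ == "__main__":
    for line in (BGP_ADJCHANGE, BGP_NOTIFICATION, ENVMON_OVERTEMP, ILPOWER_GRANTED):
        ev = parse_tag(line)
        print(ev["tag"], "->", effective_severity(ev),
              "ALERT" if should_alert(line) else "-")
```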

  • Syslog server for access points

    Hello,
    On the controller, when you look at an access point's config, there is the syslog server for the access point with the default IP address of 255.255.255.255. I was wondering if there was any way to disable the syslog server for the access points. The only thing I've found so far is that the IP address of the syslog server can be changed.
    Thanks,

    I am not sure if the "no" command works,
    but on version 5.2:
    config logging trap disable global
    Disable/enable is the key to set the IP address for the syslog server.

  • Mars 6.0.7 Syslog Requirement for Enterasys Dragon NIDS 7.x

    Apparently the MARS docs are incorrect when it comes to fashioning a syslog message from a Dragon 7.x NIDS. I formatted the message as requested but MARS keeps displaying "Unknown Device Event". The Event IDs are correct but MARS does not recognize the syslog messages as coming from the Dragon. Does anyone know what the MARS parser is expecting for an Enterasys message? As I said, I used the example in the MARS 6.x Device Configuration Guide and it did not work. One of the MARS guides actually displays what is expected for a Snort message and I was hoping there was such an example for Dragon. Thanks.

    You can create a support package from the Dragon 6.x signatures provided by MARS and fashion them for 7.x. I wish I could provide the support package we created but we are not allowed to export it from the customer site. Basically here is what you do:
    1. Create your own Device Type for Dragon 7.x. You can define it as an appliance or software but we opted for "appliance".
    2. Modify your Dragon ESM to export syslog messages in the following format:
        %DATE% %TIME% SrcIP=%SIP% SrcPort=%SPORT% DstIP=%DIP% DstPort=%DPORT% Protocol=%PROTO% %NAME% %SENSOR%
    We tested this with an NMAP scan which resulted in the following syslog message as received by MARS:
    <175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1
    3. Create one Device Event Type using the following parse pattern:
    Position  Key Pattern    Parsed Fld           Value Type        Value Format         Value Pattern
    1         alarmtool:     Device Time          Time              %Y-%m-%d %H:%M:%S    \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}
    2         .+SrcIP\=      Source Address       IPV4 Dotted Quad                       (\d{1,3}\.){3}\d{1,3}
    3         .+SrcPort\=    Source Port          Port Number                            ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
    4         .+DstIP\=      Destination Address  IPV4 Dotted Quad                       (\d{1,3}\.){3}\d{1,3}
    5         .+DstPort\=    Destination Port     Port Number                            ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
    6         .+Protocol\=   Protocol             Protocol Number                        ((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)
    7         .+TCP-SCAN     None                 String                                 ([\w-]+)\-?[\w-]{3}
    4. You can now export a support package that will give you the XML format needed for your new 7.x support package. The XML file will reside in the ZIP file created by the export process.
    5. You will now need the Device Event Numbers and Device Event IDs used by the Dragon 6.x signatures. These can be retrieved from within MARS by browsing to the Dragon 6.x NIDS Device Events. Make sure you view ALL of the Events by selecting the "10,000" rows per page option. Now right-click on this page and select "View Source". Save this to a file (Ex. Dragon6_Events.txt).
    6. You now have to extract the important data from the file created in step 5. This can be done with a few Linux grep statements and a text editor.
        a. To extract the Device Event Numbers, you can use the following grep script:
            grep '!--' Dragon6_Events.txt | grep -o -P '[0-9]{7,8}\ /?([0-9]{1,5})?' > Cisco_Dragon_Event_Numbers.txt
            NOTE: This file will be used to define the etList section of the XML file.
        b. Extract the Dragon Event IDs and numbers from the Dragon6_Events.txt file:
            grep -B2 '!--' Dragon6_Events.txt > Dragon6_Events_Stripped.txt
        c. Use grep or a text editor to remove everything from Dragon6_Events_Stripped.txt except for the Event IDs and numbers.
            When done your file should contain data in the following format:
            SPY:TOPREBATES-CONFIRM
            6503131
            ACROBAT:PDF-EXPLOIT-MALWARE
            6503132
    NOTE: If a Windows text editor was used for any of the edits you will want to run "dos2unix" against the files.
    7. Start creating your new support package XML file by:
        a. Open the "data_package.xml" file from the support package created in step 4.
        b. Copy the data up to the "etList" section and paste it into a new "data_package.xml" file.
        c. Use a bash script (see the attached "create_etList.sh" file) to read the Cisco_Dragon_Event_Numbers.txt file and export the data into a properly formatted "etList" section. Copy the etList section into the new "data_package.xml" file.
        d. Use another bash script (cannot attach it at this time) to read the Dragon6_Events_Stripped.txt file and export the data into a properly formatted "det id" section. Copy the new "det id" section into the new "data_package.xml" file.
        e. Finally, copy the lines after the "det id" section of the original data_package.xml file into the new XML file.
    NOTE: This process basically creates a new data_package.xml file containing approximately 4900 device events.
    8. Lastly, place the new XML file under a "dsf" directory and place it in a ZIP file. This becomes your new support package.
    We successfully imported the ZIP file as a Device Support Package. The import took a while - we went home and the next morning it was successful.
    Some items to note are:
    1. Make sure there are NO duplicates in the etList section. This can be accomplished by importing the Cisco_Dragon_Event_Numbers.txt data into Excel and filtering out the duplicates.
    2. Make sure all of the "det id" entries have a corresponding etList entry otherwise you'll get a DSF failure when trying to import the Device Support Package.
    3. To check the validity of your XML format, load your XML file in Firefox. If there are any errors, Firefox will tell you which line contains the issue. IE did not correctly tell us where errors appeared.
    4. I will attach the second bash script when I can get around to re-typing it. It is basically the same script as the one attached except it echoes the lines needed to format the "det id" section. It also contains a switch to process the Event ID text then the Event Number.
    Good luck!
    Dave Grannas
    Senior Consultant
    Intelesys Corp.
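As an added example (not code from the post or from MARS), the Python below applies the parse pattern from step 3 to the syslog message captured in step 2, the way the table describes it: each row's key pattern must match at the current position in the message, the value pattern then captures the field, and a row with a parsed field of "None" is consumed without being stored. A second message with a different event name (constructed) shows that the same rows no longer match, which is the "Unknown Device Event" case from the question. Stripping the leading <PRI> before matching is an assumption.

```python
import re
from typing import Optional

# Parse-pattern rows from the post: (key pattern, parsed field, value pattern).
# A parsed field of None means the row is matched but its value is not stored.
DRAGON_TCP_SCAN = [
    ("alarmtool:", "Device Time",
     r"\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}"),
    (r".+SrcIP\=", "Source Address", r"(\d{1,3}\.){3}\d{1,3}"),
    (r".+SrcPort\=", "Source Port",
     r"((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)"),
    (r".+DstIP\=", "Destination Address", r"(\d{1,3}\.){3}\d{1,3}"),
    (r".+DstPort\=", "Destination Port",
     r"((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)"),
    (r".+Protocol\=", "Protocol",
     r"((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)"),
    (r".+TCP-SCAN", None, r"([\w-]+)\-?[\w-]{3}"),
]

# Message received by MARS during the NMAP test, as quoted in the post.
SAMPLE = ("<175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 "
          "DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1")
# Constructed: same layout but a different event name, so row 7 cannot match.
OTHER_EVENT = ("<175>alarmtool: 2010-08-11 15:13:05 SrcIP=172.16.1.1 SrcPort=0 "
               "DstIP=172.16.1.2 DstPort=0 Protocol=0 OTHER-EVENT dragon-VS1")

PRI_RE = re.compile(r"^<\d{1,3}>")


def apply_parse_pattern(message: str, rows) -> Optional[dict]:
    """Walk the rows left to right: each key pattern must match at the current
    position, then its value pattern captures the field. Any miss means the
    message does not belong to this Device Event Type (returns None)."""
    body = PRI_RE.sub("", message, count=1)  # assumption: <PRI> stripped first
    fields, pos = {}, 0
    for key_pat, field_name, value_pat in rows:
        # Key pattern, optional whitespace, then the value pattern as group 1.
        m = re.compile(key_pat + r"\s*(" + value_pat + r")").match(body, pos)
        if m is None:
            return None
        if field_name is not None:
            fields[field_name] = m.group(1)
        pos = m.end()
    return fields


def classify(message: str, event_types) -> str:
    """Return the name of the first Device Event Type whose pattern matches,
    or the string MARS shows when none does."""
    for name, rows in event_types:
        if apply_parse_pattern(message, rows) is not None:
            return name
    return "Unknown Device Event"


if __name__ == "__main__":
    print(apply_parse_pattern(SAMPLE, DRAGON_TCP_SCAN))
    print(classify(OTHER_EVENT, [("TCP-SCAN", DRAGON_TCP_SCAN)]))
```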

  • Best Log Setting for ASA & MARS

    Hi,
    I'm going back and trying to clean up our MARS install a little bit now that I have some time. I need to update MARS to the latest version, but right now I'm just trying to wade through some of the undefined logs coming from our ASA. Is there any guideline as to what the best log settings are to use coming from the ASA for MARS? Right now it looks like everything is set up to be forwarded. Does anyone have any suggestions for what they have their log settings at to capture the best amount of information, but not have to wade through everything else?
    Thanks

    Which syslogs are these specifically? We don't get any undefined events from our FWSM(s). We get plenty from the Netscreen (but AFAIR it is documented on CCO that the support is not 'complete' as of yet).
    The recommended level for ASA/PIX as per the Cisco Guide and 'many' discussion on Cisco MARS User Group is 'debugging'. Under normal operation not a lot of level 7 messages are generated.
    Regards
    Farrukh

  • Redirecting Syslogs from CiscoWorks to MARS

    I can see that CiscoWorks is capable of redirecting syslogs it receives to another syslog server. Though can it redirect them to MARS and will MARS be able to correlate the messages?
    Thanks in advance.
    Paul

    No, you have to do it the other way around AFAIK.
    Send all syslogs to MARS, and then have MARS forward it to LMS. The "Report Device's" IP is very important for MARS to correlate information.
    Regards
    Farrukh

  • TCP Syslog output for routers and switches

    I am installing a Log Correlation Server at a customer site which is very heavily Cisco.
    I have a 3825 at their border, ASA boxes on both sides of the DMZ, and 40+ Cisco switches in the infrastructure routing between production VLANs.
    One of the features of the logging server is the ability to accept TCP connections for syslog.
    Does this functionality also exist on the 3825 Router? How about a 3550 switch? Or a 4500 switch?
    Thanks

    It exists on all of those products.
    www.linuxhomenetworking.com/cisco-hn/syslog-cisco.htm
    This link gives a quick overview, but you will find how to configure syslog in the product documentation.
    Please rate all helpful posts.

  • Change pointer in IDOC message-type ARTMAS, for field MARA-LVORM

    Hi,
    When changing the description of a material in MM02 I am able to send an IDoc using BD21, as this is relevant for a change pointer. But when the field MARA-LVORM (deletion flag at client level) is chosen, I cannot send an IDoc with BD21. How can I make this happen?
    Thanks.

    Hi,
    Sorry I interpreted your question in wrong way. Solution I gave was for following requirement.
    Every time a material is created or changed a change pointer is created, which serves as a signal for generating IDocs to dependent systems. However, a change of material type creates a change pointer that doesn't trigger an IDoc. The purpose is to create the change pointers and send the IDocs, e.g. for the material type field. As per your reply above I guess the change pointer created for LVORM is enough to send the IDocs.
    KR Jaideep,
