Chapter 15 Configuring Custom Devices; Adding User Defined Log Parser Templates - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


Configuring Custom Devices
When you define a custom device, you must define both a custom device type and a log parser template. The type of log parser is not determined by the custom device type or by the log parser templates themselves, but by the instance of the custom device type that you define. When you define an instance of the custom device, you are required to specify the reporting method, which is either SNMP TRAP or SYSLOG: you are prompted to select either SYSLOG or SNMP as the device type. This designation determines what kind of traffic MARS expects to receive from the reporting device.

Adding User Defined Log Parser Templates

MARS allows the user to enter any SYSLOG or SNMP device into the network topology, configure it to report data to MARS, and query that data using a free-form query.
The user must specify the format of the incoming data so that MARS can parse the arbitrary logs and retrieve session information from them.
Note: While the raw message for an event does include the header information, MARS removes the header prior to sending the payload to the custom parser. When writing a parser log template, do not include the header fields.
To add a user-defined log parser template, you must perform the following tasks:
1. Add a custom Device or Application type. See Define a Custom Device/Application Type, page 15-2.
2. Add a log parser template. See Add Parser Log Templates for the Custom Device/Application, page 15-3.
3. Add a device with the above custom Device or Application type. See Add Custom Device or Application as Reporting Device, page 15-13.
Until each of these tasks is completed, MARS is unable to parse the logs from the reporting device, even if it is receiving those events.

User Guide for Cisco Security MARS Local Controller, 78-17020-01, Chapter 15, page 15-1
