Wednesday, September 26, 2007

Guard & Detector Custom Parser

As promised, here is an example Custom Parser for the impressive Cisco Guard & Detector.


Like any Cisco device, these appliances (or the Catalyst 6500 service modules) can produce syslog. Since these devices are not on the MARS supported device list, a Custom Parser was needed for MARS to understand the incoming syslog and convert it to Events.

I created a few Log Parser Templates for a subset of Guard Events, including system-added Dynamic Filters, User Pending Dynamic Filters, Attack Started, etc.

NB: To receive events about the addition and removal of dynamic filters, the trap level must be changed to informational on the Guard/Detector.

The templates use simple string matching on the raw syslog, with some events containing more "useful" information than others.


Once done, MARS can interpret the incoming syslog from an inline Catalyst 6500 Guard, as in the example below.


And it can sessionize this information where possible.

In this case, I did not map the new log templates to already-defined MARS Event Types, so I created Rules to fire Incidents.
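To make the three steps above concrete (string-match templates over raw syslog, sessionizing the resulting events, and rules that fire incidents), here is a small added example written for this post. It is not the parser templates from the post, nor Cisco or MARS code; the Guard/Detector syslog message texts below are invented for illustration and must be replaced with the real text captured from your own device before writing templates. As the NB above says, the dynamic-filter lines only arrive at all if the trap level is set to informational.

```python
"""Minimal MARS-style custom parser pipeline for Guard/Detector syslog.

Added example for this post, not code from the post, Cisco or MARS.
Message formats are constructed; real Guard/Detector output differs.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample syslog lines (NOT real Guard/Detector output).
SAMPLE_SYSLOG = [
    "<134>Sep 26 10:15:01 guard1 guard: zone web-servers attack started",
    "<134>Sep 26 10:15:02 guard1 guard: zone web-servers dynamic filter added id 17 src 203.0.113.5 action drop",
    "<134>Sep 26 10:15:03 guard1 guard: zone web-servers user pending dynamic filter id 18 src 203.0.113.9",
    "<134>Sep 26 10:15:10 guard1 guard: zone web-servers dynamic filter removed id 17",
    "<134>Sep 26 10:15:11 guard1 sshd: session opened for user admin",
    "<134>Sep 26 10:20:00 guard1 guard: zone web-servers attack ended",
]

# Generic syslog header: <PRI>Mon DD HH:MM:SS host message
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Log parser templates: (event type name, pattern). First match wins, so
# order more specific patterns before more general ones.
TEMPLATES = [
    ("Guard Attack Started",
     re.compile(r"guard: zone (?P<zone>\S+) attack started")),
    ("Guard Attack Ended",
     re.compile(r"guard: zone (?P<zone>\S+) attack ended")),
    ("Guard Dynamic Filter Added",
     re.compile(r"guard: zone (?P<zone>\S+) dynamic filter added id (?P<filter_id>\d+) "
                r"src (?P<src>\S+) action (?P<action>\S+)")),
    ("Guard User Pending Dynamic Filter",
     re.compile(r"guard: zone (?P<zone>\S+) user pending dynamic filter id (?P<filter_id>\d+) "
                r"src (?P<src>\S+)")),
    ("Guard Dynamic Filter Removed",
     re.compile(r"guard: zone (?P<zone>\S+) dynamic filter removed id (?P<filter_id>\d+)")),
]


def parse_line(line):
    """Return an event dict for a line matching a template, else None (unparsed)."""
    m = HEADER.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for event_type, pattern in TEMPLATES:
        t = pattern.search(msg)
        if t:
            ev = {"event_type": event_type, "host": m.group("host"), "ts": m.group("ts")}
            ev.update(t.groupdict())  # zone, filter_id, src, action where present
            return ev
    return None


@dataclass
class Session:
    """All events from one device for one protected zone."""
    host: str
    zone: str
    events: list = field(default_factory=list)


def sessionize(events):
    """Group events by (host, zone); the zone is the natural session key here."""
    sessions = {}
    for ev in events:
        key = (ev["host"], ev["zone"])
        sessions.setdefault(key, Session(ev["host"], ev["zone"])).events.append(ev)
    return sessions


# Rules evaluated per session; each fires one incident when its predicate holds.
RULES = [
    ("Guard: attack started in zone",
     lambda s: any(e["event_type"] == "Guard Attack Started" for e in s.events)),
    ("Guard: user-pending dynamic filter awaiting approval",
     lambda s: any(e["event_type"] == "Guard User Pending Dynamic Filter" for e in s.events)),
    ("Guard: dynamic filter churn (2 or more filters added)",
     lambda s: sum(e["event_type"] == "Guard Dynamic Filter Added" for e in s.events) >= 2),
]


def fire_incidents(sessions):
    incidents = []
    for s in sessions.values():
        for name, predicate in RULES:
            if predicate(s):
                incidents.append({"rule": name, "host": s.host, "zone": s.zone,
                                  "event_count": len(s.events)})
    return incidents


def report(events):
    """Reporting back-end in miniature: event counts per type."""
    return Counter(e["event_type"] for e in events)


def run_pipeline(lines):
    """Parse, sessionize and evaluate rules; returns (events, unparsed, incidents)."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        (events if ev else unparsed).append(ev or line)
    return events, unparsed, fire_incidents(sessionize(events))


if __name__ == "__main__":
    evs, unk, incs = run_pipeline(SAMPLE_SYSLOG)
    print(f"{len(evs)} events, {len(unk)} unparsed, {len(incs)} incidents")
    for inc in incs:
        print(inc)
    print(dict(report(evs)))
```

Lines that match no template are kept in the unparsed list rather than dropped, which is the check to run after adding templates: anything the device sends that still lands there needs either a new template or a conscious decision to ignore it.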



And, more importantly, a reporting back-end over time.


For more information on the DDoS Mitigation Guard & Detector, visit HERE for Cisco.com website info, or speak to Satisnet or your local Cisco Account Rep.
