Monday, February 26, 2007

New Custom Parser Demo available on demolabs.co.uk

There is a new CS-MARS demo available on the Satisnet Demo Website, Demolabs.co.uk.


This demo is the first in a series of Custom Parser Demos.

I hope to write a couple of articles on the Custom Parser very soon, but the above demo is about as basic as the custom parser gets.

We can simply fire syslog at MARS and do a keyword search on unknown events. (In fact the demo is a little smarter in that we define a custom device first, so we could add more similar devices and report on them individually.)
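To make the idea concrete, here is an added Python example (not from the demo, and not MARS code): a minimal syslog line parser, a dict standing in for the "define a custom device first" step, and keyword rules that only fire on unknown-format events from hosts we have defined. Hostnames, messages and rule names are constructed.

```python
import re
from dataclasses import dataclass
# Minimal RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
@dataclass
class KeywordRule:
    name: str
    keywords: tuple      # every keyword must appear (case-insensitive)
    device_type: str     # rule is scoped to this custom device type

def parse_syslog(line):
    """Split PRI into facility/severity and pull out host and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None                      # not syslog-shaped; nothing to search
    ev = m.groupdict()
    pri = int(ev.pop("pri"))
    ev["facility"], ev["severity"] = pri >> 3, pri & 7
    return ev

def match_events(lines, devices, rules):
    """Keyword search over raw messages from hosts we defined as devices."""
    hits = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None or ev["host"] not in devices:
            continue                     # unparseable or unknown sender: skip
        dtype = devices[ev["host"]]
        text = ev["msg"].lower()
        for r in rules:
            if r.device_type == dtype and all(k.lower() in text for k in r.keywords):
                hits.append((r.name, ev["host"], ev["severity"]))
    return hits

# Constructed sample data (made-up hosts, messages, rule names); fw-hq is
# deliberately left out of DEVICES to show the per-device scoping.
DEVICES = {"fw-branch1": "custom-fw"}
RULES = [
    KeywordRule("Port scan", ("port scan",), "custom-fw"),
    KeywordRule("Admin auth failure", ("login", "failed"), "custom-fw"),
]
SAMPLE = [
    '<134>Feb 26 10:01:02 fw-branch1 msg="Connection Opened" src=10.0.0.5',
    '<132>Feb 26 10:01:03 fw-branch1 msg="Possible port scan detected" src=10.0.0.9',
    '<132>Feb 26 10:01:04 fw-hq msg="Possible port scan detected" src=10.0.0.9',
    '<13>Feb 26 10:01:05 fw-branch1 msg="Administrator login failed" usr=admin',
    "not a syslog line at all",
]
```

Adding fw-hq to DEVICES is all it takes to have the same rules cover a second device of the same type, which is the point the demo makes about defining the device before searching.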


2 comments:

Anthony Holloway said...

I would have liked to see the custom parser actually get used.

It's far more complex to get MARS to understand a SonicWALL Firewall vs a Supported Firewall appliance.

You basically have to create a log parser for every single type of syslog message the SW FW can produce.

Which could potentially be in the several hundreds.

Chris Durkin said...

Hi Anthony,

As mentioned in the video, this is about as basic as it gets.

Parts 2 & 3 of the video series will go more in depth into the custom parser functionality!

This intro video on the parser was aimed at demonstrating that, for simple key events from an appliance or custom app, as long as we can syslog we can simply do keyword searches on that incoming data and create rules based on that.