Chapter 11. CS-MARS Custom Parser

What do you do when you want to collect logs from an unsupported device? Consider the following examples:

• A firewall that isn’t natively supported

• Antispam software on your mail server

• Application logs on a Windows server

The custom parser allows you to define new devices and applications for reporting to the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). This process takes three or four steps, depending on what you’re hoping to accomplish:

Step 1.   Define the device or application—This is a simple name, model, and version that tie the parser together.

Step 2.   Create parser templates—The parser templates are instructions to MARS about how to interpret the individual log messages. ...
