Chapter 11. CS-MARS Custom Parser

What do you do when you want to collect logs from an unsupported device? Consider the following examples:

• A firewall that isn’t natively supported

• Antispam software on your mail server

• Application logs on a Windows server

The custom parser allows you to define new devices and applications for reporting to the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). This process takes three or four steps, depending on what you’re hoping to accomplish:

Step 1.   Define the device or application—This is a simple name, model, and version that tie the parser together.

Step 2.   Create parser templates—The parser templates are instructions to MARS about how to interpret the individual log messages. ...
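To make the idea of a parser template concrete, the following Python script is an added illustration, not code from the book or from Cisco, and it does not use the real MARS template syntax. It models a custom device (name, model, version, as in Step 1) whose templates are regular expressions with named groups (Step 2); each template is tried against a log line in order, and the first match yields a normalized event. The antispam log format and all sample lines are constructed for this example. A line that matches no template is returned separately, because in practice those unparsed lines are what you inspect to decide which template is still missing.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


@dataclass
class ParserTemplate:
    """One template: a named pattern that maps a raw line to an event type."""
    name: str
    event_type: str
    pattern: re.Pattern


@dataclass
class CustomDevice:
    """Step 1 of the chapter: the device/application definition that groups templates."""
    name: str
    model: str
    version: str
    templates: list = field(default_factory=list)

    def parse(self, line: str) -> Optional[dict]:
        """Try each template in order; return the first normalized event, or None."""
        for tpl in self.templates:
            m = tpl.pattern.search(line)
            if m:
                return {
                    "device": self.name,
                    "template": tpl.name,
                    "event_type": tpl.event_type,
                    **m.groupdict(),
                }
        return None


# Hypothetical antispam daemon on a mail gateway (constructed, not a real product format).
antispam = CustomDevice(
    name="mailgw-antispam",
    model="ExampleSpamFilter",
    version="1.0",
    templates=[
        ParserTemplate(
            name="blocked-message",
            event_type="Spam Blocked",
            pattern=re.compile(
                rf"antispam\[\d+\]: (?P<action>REJECT|QUARANTINE) from=(?P<src_ip>{IPV4}) "
                rf"to=(?P<rcpt>\S+).*?score=(?P<score>[\d.]+)"
            ),
        ),
        ParserTemplate(
            name="accepted-message",
            event_type="Mail Accepted",
            pattern=re.compile(
                rf"antispam\[\d+\]: (?P<action>ACCEPT) from=(?P<src_ip>{IPV4}) "
                rf"to=(?P<rcpt>\S+) score=(?P<score>[\d.]+)"
            ),
        ),
    ],
)

# Constructed sample log lines; the cron line deliberately matches no template.
SAMPLE_LOGS = [
    'Mar 10 14:22:01 mailgw antispam[2211]: REJECT from=10.1.2.3 to=user@example.com '
    'subject="Free offer" score=9.8',
    "Mar 10 14:22:05 mailgw antispam[2211]: ACCEPT from=192.0.2.44 to=bob@example.com score=0.3",
    "Mar 10 14:22:07 mailgw cron[99]: job finished",
]


def parse_all(device: CustomDevice, lines: list) -> tuple:
    """Return (parsed events, unparsed raw lines) so template gaps are visible."""
    parsed, unparsed = [], []
    for line in lines:
        event = device.parse(line)
        (parsed if event else unparsed).append(event if event else line)
    return parsed, unparsed


if __name__ == "__main__":
    events, leftovers = parse_all(antispam, SAMPLE_LOGS)
    for e in events:
        print(e["event_type"], e["src_ip"], "->", e["rcpt"], "score", e["score"])
    print("unparsed lines:", len(leftovers))
```

Template order matters: the more specific pattern should come first, and anything left in the unparsed list is the feedback loop for writing the next template.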
