Chapter 11. CS-MARS Custom Parser
What do you do when you want to collect logs from an unsupported device? Consider the following examples:
• A firewall that isn’t natively supported
• Antispam software on your mail server
• Application logs on a Windows server
The custom parser allows you to define new devices and applications for reporting to the Cisco Security Monitoring, Analysis, and Response System (CS-MARS). This process takes three or four steps, depending on what you’re hoping to accomplish:
Step 1. Define the device or application—This is a simple name, model, and version that tie the parser together.
Step 2. Create parser templates—The parser templates are instructions to MARS about how to interpret the individual log messages. ...
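As an added illustration of the two steps just listed (this is not the book's own code, and it is not MARS's template syntax), the Python model below ties a device name, model and version to a set of regex parser templates whose named groups become normalized event fields; the device names, models and syslog lines are constructed, and a line no template matches is reported as unparsed so gaps in coverage stay visible.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ParserTemplate:
    """Step 2: one rule for reading one kind of log message; named groups become event fields."""
    event_type: str
    pattern: re.Pattern

@dataclass
class DeviceDefinition:
    """Step 1: the name, model and version that tie a set of templates together."""
    name: str
    model: str
    version: str
    templates: list = field(default_factory=list)

def parse_line(devices, line):
    """Try every template of every device; return the first normalized event, else None."""
    for dev in devices:
        for tpl in dev.templates:
            m = tpl.pattern.search(line)
            if m:
                return {"device": dev.name, "event_type": tpl.event_type, **m.groupdict()}
    return None  # no template matched: the message stays an unknown event

def parse_lines(devices, lines):
    """Return (events, unparsed) so missing templates show up instead of being silently dropped."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(devices, line)
        (events if ev else unparsed).append(ev or line)
    return events, unparsed

DEVICES = [
    DeviceDefinition("edge-fw", "AcmeFW", "3.2", [  # hypothetical unsupported firewall
        ParserTemplate("firewall_deny", re.compile(
            r"DENY (?P<proto>TCP|UDP) (?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
            r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"))]),
    DeviceDefinition("mail-gw", "SpamFilterX", "1.0", [  # hypothetical antispam software
        ParserTemplate("spam_rejected", re.compile(
            r"rejected message from (?P<sender>\S+) score=(?P<score>\d+(?:\.\d+)?)"))]),
]
SAMPLE_LINES = [  # constructed syslog lines, not output of any real product
    "Mar 10 12:00:01 edge-fw kernel: DENY TCP 10.1.1.5:51234 -> 192.0.2.10:445",
    "Mar 10 12:00:02 mail-gw spamd: rejected message from bulk@example.net score=9.7",
    "Mar 10 12:00:03 edge-fw kernel: link state changed",
]
EVENTS, UNPARSED = parse_lines(DEVICES, SAMPLE_LINES)
```

In practice the unparsed list is what tells you which message types still need a template before MARS can correlate them.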