Getting Started - III


Integrating devices with MARS - Continued


The second method of integrating devices with MARS, i.e. manual integration of devices, can be done as follows.
Make a list of the devices that have to be added, with details such as hostname, IP address, SNMP community, login, password and, in the case of any Cisco hardware devices, the enable password.


Go to Admin->System Setup->Security and Monitoring Devices and click the Add option.
This will take you to the page that asks for information about the device.

The Device Type drop-down box contains a list of natively supported hardware and software devices. I will explain in detail the steps to add a hardware device and a software device, with an example of each.


To add a hardware device such as an ASA firewall, for example, follow this procedure.
Select the device type relevant to the ASA, with its version, from the column.

Access IP: the IP address through which MARS can access the device. Provide the IP address of the ASA firewall here so that MARS can access it.

Reporting IP: the IP address from which MARS receives the events, i.e. the IP address by which the ASA reports to MARS.

Access Type: the option by which MARS accesses the ASA firewall.

Other options such as Login, Password, Enable Password and SNMP RO community can be provided so that MARS can access the ASA.



Click the Discover option after providing all the details. If the provided details are right and MARS can access the ASA, the discovery will be successful and the device will be added to MARS.

Otherwise there will be an option to view the error. Click the View Error option if you get any errors while discovering.

After successful integration, it can be verified by checking the list of devices available in the Security and Monitoring Devices column in the Admin tab.
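
The device list prepared before starting can be checked before its values are typed into the Add page. The script below is an added example, not part of the original post and not a MARS import format: the CSV column names, the sample rows and the SSH/TELNET access type values are assumptions made for illustration. It flags rows with missing fields, invalid Access or Reporting IPs, a default SNMP RO community, or Telnet access.

```python
import csv
import io
import ipaddress

# Constructed sample inventory. Column names are assumptions that mirror the
# fields on the Add page; all hosts, addresses and secrets are placeholders.
SAMPLE_CSV = """hostname,access_ip,reporting_ip,access_type,snmp_ro_community,login,password,enable_password
asa-edge-1,192.0.2.10,192.0.2.10,SSH,m0n1tor-RO,marsuser,example-pass,example-enable
asa-dmz-1,192.0.2.300,192.0.2.11,SSH,public,marsuser,example-pass,
asa-core-1,192.0.2.12,,TELNET,m0n1tor-RO,,example-pass,example-enable
"""

DEFAULT_COMMUNITIES = {"public", "private"}
REQUIRED = ("hostname", "access_ip", "reporting_ip", "access_type",
            "login", "password", "enable_password")

def check_device(row):
    """Return a list of problems for one inventory row (empty list = ready)."""
    problems = []
    for field in REQUIRED:
        if not (row.get(field) or "").strip():
            problems.append(f"missing {field}")
    for field in ("access_ip", "reporting_ip"):
        value = (row.get(field) or "").strip()
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"invalid {field}: {value}")
    # A default community string is readable by anyone who can reach SNMP.
    community = (row.get("snmp_ro_community") or "").strip()
    if community.lower() in DEFAULT_COMMUNITIES:
        problems.append("default SNMP RO community")
    # Telnet carries the login and enable password unencrypted.
    if (row.get("access_type") or "").strip().upper() == "TELNET":
        problems.append("Telnet sends credentials in clear text")
    return problems

def check_inventory(text):
    """Map hostname -> list of problems for every row of the CSV text."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["hostname"]: check_device(row) for row in reader}

if __name__ == "__main__":
    for host, problems in check_inventory(SAMPLE_CSV).items():
        print(host, "OK" if not problems else "; ".join(problems))
```

A list like this holds device credentials, so it should be stored with restricted access and removed once the devices are added.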

Let's take a software device integration. For example, I will add a Windows 2003 Server and the Oracle application present on it.

Go to Security and Monitoring Devices->Add. Select the Add SW security apps on new host option from the Device Type column.
Provide the details of the server. Here, the Operating System column is used to specify the kind of OS on that host. Clicking the Logging Info button will prompt you for the type of Windows Server and the choice of logging method. It is better to select the Receive option.

Apply the settings and then click Next. This action will take you to the Reporting Applications tab. Select the Oracle application that is relevant to the server. After selecting the application, click the Add option next to it. It will take you to the Oracle server settings page. The Oracle login credentials and service should be provided there. Test Connectivity and Submit.



By submitting the settings, the Oracle application will be added to the Reporting Applications tab. Any other application can be added in the same way. The added application can be viewed in the same tab. The settings can be modified at any time.


If you are done with the settings, the host will be added to MARS. It can be viewed in the list of monitoring devices. If you find a red button named Activate at the top right, click it to activate all the changes made.





So, this is how you add the supported devices to MARS individually.

You may have some queries at this point.

Why are the login, password and enable password required while adding hardware devices?

MARS can use these login credentials to access the device and understand the configuration of the firewall. It may use that configuration to recommend corrective actions when a threat is detected.

When providing the logging method while adding a server, we select Receive. How will Windows log events?

Windows cannot send any logs directly to MARS. There is an agent software called Snare; this software will forward the Event Viewer logs to MARS. Snare is recommended by Cisco Systems.


The next post will contain the third method of adding the devices.

Is this blog useful? Your suggestions and comments are welcome.
