How to see the traffic flowing from the integrated devices to MARS?
In this post I will walk through the procedure for viewing the traffic reported by the integrated devices, and the terms MARS uses to describe it.
Three terms need to be understood before getting into this:
Events - Every log message that arrives from a reporting device is matched against MARS's predefined event definitions, so that MARS knows what the message reports; the parsed message becomes an event. Each event is counted and given an ID.
Sessions - Events that MARS correlates together, including across NAT boundaries, where the same connection is logged with different addresses by different devices. Sessions are also counted and numbered. In short, a session contains the full transaction of one traffic flow.
Incidents - When events (or the session they belong to) match a rule, MARS raises an incident. Incidents can be sent to users as alerts through e-mail, SMS etc.
Before proceeding with MARS, we have to ensure the following:
- Logging has to be enabled on the reporting devices. It can be syslog, SNMP trap, RDEP etc.
- The logs must be able to reach MARS; nothing in the path (ACLs, firewall rules) should block them.
- If syslog is used, set the logging level to informational (severity 6) so that all the related messages are sent; on PIX/ASA the connection build and teardown messages are logged at this level, so a lower level will miss them.
The same filter options are used throughout the Query, Reports and Rules pages. As an example, let us query a reporting device for the raw messages it sent in the past ten minutes.
Go to the Query/Reports tab and click the Any value in the Devices field. This takes you to the Devices page, where you select devices from the right pane.
The right pane lists device types; selecting a type lists the devices of that type. Select the device, click the left arrow button, and click Apply. Then click Edit on the Query page to choose the result format; the drop-down list there offers several formats. For this example, select All Matching Event Raw Messages.
Then select the time range the result should cover. Click Apply and then Submit Inline. This queries the MARS database and produces the raw messages for the past 10 minutes.
Each result row contains the Event/Session ID, Event Type, Time, Reporting Device and the raw message as MARS received it.
The result page (shown in the picture above) has a Path/Mitigation option. Clicking it displays a graph of the path the traffic took through the reporting devices, and below it any mitigation that MARS recommends. This option is therefore used for the mitigation steps.
Every row in the result has an event ID and a session ID. Clicking the session ID shows the other events correlated into that session, as in the picture below. This lets you follow the flow of the traffic and see how the events were correlated into the session.
This method can be used to view all the traffic related to any device integrated with MARS. Many other filters are available; for example, to search for traffic from a specific source or destination IP address, add those IPs to the filter options and run the query with them.
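To make the event, session and incident terms and the query above concrete, here is a small Python model of that pipeline. It is an added illustration written for this post, not MARS code: the sample syslog lines are constructed (they follow the general shape of ASA connection build/teardown messages and IOS ACL log messages), the rules and notification channels are invented for the example, and the NAT correlation is a simplified stand-in for what MARS does internally. It shows why a router's log of the translated address 198.51.100.1 ends up in the same session as the firewall's log of the real host 10.0.0.5, and how a time window plus source/destination IP filters narrow the raw messages returned.

```python
"""Simplified model of the MARS pipeline: raw logs -> events -> sessions -> incidents,
plus a raw-message query with a time window and IP filters. Added example, not MARS code."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed sample raw messages: (timestamp, reporting device, message).
# The ASA build message carries the real address and, in parentheses, the
# NAT-mapped address; the WAN router only ever sees the mapped 198.51.100.1.
RAW_LOGS = [
    ("2024-05-01 10:00:01", "asa-edge", "%ASA-6-302013: Built outbound TCP connection 1001 for "
     "outside:203.0.113.10/23 (203.0.113.10/23) to inside:10.0.0.5/51234 (198.51.100.1/51234)"),
    ("2024-05-01 10:00:01", "rtr-wan", "%SEC-6-IPACCESSLOGP: list 101 permitted tcp "
     "198.51.100.1(51234) -> 203.0.113.10(23), 1 packet"),
    ("2024-05-01 10:00:03", "asa-edge", "%ASA-6-302014: Teardown TCP connection 1001 for "
     "outside:203.0.113.10/23 to inside:10.0.0.5/51234 duration 0:00:02 bytes 320 TCP FINs"),
    ("2024-05-01 10:04:00", "rtr-core", "%SEC-6-IPACCESSLOGP: list 120 denied tcp "
     "10.0.0.7(40001) -> 10.0.0.1(22), 1 packet"),
    ("2024-05-01 09:30:00", "asa-edge", "%ASA-6-302013: Built outbound TCP connection 900 for "
     "outside:203.0.113.44/443 (203.0.113.44/443) to inside:10.0.0.9/52000 (198.51.100.1/52000)"),
]

ASA_BUILT = re.compile(
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"\w+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) \((?P<a_map>[\d.]+)/(?P<a_mport>\d+)\) to "
    r"\w+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+) \((?P<b_map>[\d.]+)/(?P<b_mport>\d+)\)")
ASA_TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"\w+:(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to \w+:(?P<b_ip>[\d.]+)/(?P<b_port>\d+)")
IOS_ACL = re.compile(
    r"list \S+ (?P<action>permitted|denied) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

# Internal ranges for the example rules (RFC 1918); not ipaddress.is_private,
# which also treats the 203.0.113.0/24 documentation range as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Event:
    event_id: int
    ts: datetime
    device: str
    event_type: str
    proto: str
    src: Endpoint            # initiator, normalised to its real (pre-NAT) address
    dst: Endpoint
    raw: str
    session_id: Optional[int] = None


@dataclass
class Session:
    session_id: int
    events: List[Event] = field(default_factory=list)


@dataclass
class Incident:
    incident_id: int
    rule: str
    session_id: int
    notify: str              # constructed notification channel (e-mail, SMS)


def learn_nat(logs) -> Tuple[Dict[Endpoint, Endpoint], Dict[str, str]]:
    """First pass: mapped->real address pairs and connection directions from the
    firewall build messages (a batch shortcut; a live correlator does this as it goes)."""
    nat, conn_dir = {}, {}
    for _, _, raw in logs:
        if m := ASA_BUILT.search(raw):
            conn_dir[m["conn"]] = m["dir"]
            for side in "ab":
                real = (m[f"{side}_ip"], int(m[f"{side}_port"]))
                mapped = (m[f"{side}_map"], int(m[f"{side}_mport"]))
                if mapped != real:
                    nat[mapped] = real
    return nat, conn_dir


def parse_event(event_id: int, ts: datetime, device: str, raw: str,
                nat: Dict[Endpoint, Endpoint], conn_dir: Dict[str, str]) -> Optional[Event]:
    """Match one raw line against the known message shapes; None if unrecognised."""
    if m := ASA_BUILT.search(raw):
        a, b = (m["a_ip"], int(m["a_port"])), (m["b_ip"], int(m["b_port"]))
        src, dst = (b, a) if m["dir"] == "outbound" else (a, b)   # "to" side initiates outbound
        return Event(event_id, ts, device, "Built connection", m["proto"], src, dst, raw)
    if m := ASA_TEARDOWN.search(raw):
        a, b = (m["a_ip"], int(m["a_port"])), (m["b_ip"], int(m["b_port"]))
        # Assumption: teardown lists endpoints in the same order as the build.
        src, dst = (b, a) if conn_dir.get(m["conn"], "outbound") == "outbound" else (a, b)
        return Event(event_id, ts, device, "Teardown connection", m["proto"], src, dst, raw)
    if m := IOS_ACL.search(raw):
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        # NAT boundary: translate the mapped address back to the real host so this
        # event lands in the same session as the firewall's own events.
        src, dst = nat.get(src, src), nat.get(dst, dst)
        return Event(event_id, ts, device, f"ACL {m['action']}", m["proto"].upper(), src, dst, raw)
    return None


def build_sessions(events: List[Event]) -> List[Session]:
    """Events describing the same (proto, src, dst) flow share one numbered session."""
    by_key: Dict[Tuple, Session] = {}
    for ev in events:
        key = (ev.proto, ev.src, ev.dst)
        if key not in by_key:
            by_key[key] = Session(session_id=len(by_key) + 1)
        by_key[key].events.append(ev)
        ev.session_id = by_key[key].session_id
    return list(by_key.values())


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


# Constructed rules: (name, predicate over a session, notification channel).
RULES = [
    ("Telnet to Internet", lambda s: s.events[0].dst[1] == 23 and not is_internal(s.events[0].dst[0]), "e-mail"),
    ("Denied SSH inside", lambda s: s.events[0].dst[1] == 22 and any(e.event_type == "ACL denied" for e in s.events), "SMS"),
]


def match_rules(sessions: List[Session]) -> List[Incident]:
    incidents: List[Incident] = []
    for s in sessions:
        for name, pred, notify in RULES:
            if pred(s):
                incidents.append(Incident(len(incidents) + 1, name, s.session_id, notify))
    return incidents


def query_raw_messages(events: List[Event], now: str, minutes: int = 10,
                       src_ip: Optional[str] = None, dst_ip: Optional[str] = None) -> List[dict]:
    """'All Matching Event Raw Messages' for the last N minutes before `now` (ISO text),
    optionally filtered by source and/or destination IP; rows mirror the MARS result columns."""
    end = datetime.fromisoformat(now)
    start = end - timedelta(minutes=minutes)
    rows = []
    for ev in events:
        if not (start <= ev.ts <= end):
            continue
        if (src_ip and ev.src[0] != src_ip) or (dst_ip and ev.dst[0] != dst_ip):
            continue
        rows.append({"event_id": ev.event_id, "session_id": ev.session_id, "event_type": ev.event_type,
                     "time": ev.ts.isoformat(sep=" "), "device": ev.device, "raw": ev.raw})
    return rows


def run_pipeline(logs=RAW_LOGS):
    """Raw logs -> numbered events (in time order) -> sessions -> incidents."""
    nat, conn_dir = learn_nat(logs)
    events: List[Event] = []
    for ts, device, raw in sorted(logs):
        ev = parse_event(len(events) + 1, datetime.fromisoformat(ts), device, raw, nat, conn_dir)
        if ev:
            events.append(ev)
    sessions = build_sessions(events)
    return events, sessions, match_rules(sessions)


if __name__ == "__main__":
    evs, sess, incs = run_pipeline()
    for row in query_raw_messages(evs, "2024-05-01 10:05:00", src_ip="10.0.0.5"):
        print(row["event_id"], row["session_id"], row["event_type"], row["device"], row["raw"][:40])
    for inc in incs:
        print("incident", inc.incident_id, inc.rule, "session", inc.session_id, "->", inc.notify)
```

Running it with the built-in sample puts the firewall's build and teardown and the router's permit for the same telnet connection into one session, even though the router logged the translated address, and raises two incidents: one on that telnet session and one on the denied SSH attempt. Querying with `src_ip="10.0.0.5"` returns only that session's three raw messages, while the 09:30 connection falls outside the ten-minute window and is not listed at all. The same effect, in the real MARS UI, is what the Devices filter, the time range, and the source/destination IP filters give you.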
I hope this post is useful. Kindly write to me with your queries.
Keep reading and suggesting ways to improve the blog.