User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
Depending on how credentials verification is set up on your system, you might be prompted to log
into CS-MARS. For more information, see Registering CS-MARS Servers in Security Manager,
page 69-24.
All custom signatures are categorized as “Unknown Device Event Type” events in CS-MARS.
A default signature is assigned to an IPS device if you elect not to discover IPS policies when adding
the device to the Security Manager inventory, or when you remove configured IPS policies from the
device. If you try to look up events from the default signature, a “Policy not found” error message
is displayed. However, if you edit the default signature and save it, you can then query for related
events in CS-MARS.
Events of type Packet Data and Context Data are not displayed in the query results because these
events are not triggered by signature rules.
Looking Up a Security Manager Policy from a CS-MARS Event
The User Guide for Cisco Security MARS Local and Global Controllers contains detailed information
about how to look up policies based on events shown in CS-MARS. The information includes extensive
troubleshooting information to help resolve any problems you might have, plus a checklist of what you
must configure in CS-MARS to enable the interaction.
The main reason you would want to perform policy lookup is to adjust a policy based on the events that
it is generating. For example, an access rule might be dropping traffic that you actually want to allow.
Because you are looking at the event, you know there is a policy that is causing the event, so with a few
clicks, you can get from that event to the policy you need to reconfigure.
The general process for looking up a policy based on a device-generated event is as follows. Note that
the Security Manager client must be installed on your system to perform policy lookup.
Related Topics
Viewing CS-MARS Events for an Access Rule, page 69-28
Viewing CS-MARS Events for an IPS Signature, page 69-30
Step 1 Find the event in CS-MARS in the Query Results or Incident Details pages.
For more information on the syslog and NetFlow events you can use for querying access rules, see the
following topics:
System Log Messages Supported for Policy Look-up, page 69-32
NetFlow Event Reporting in CS-MARS, page 69-33
Step 2 Click the Security Manager icon in the Reporting Device cell for the event. You might be prompted to
log into Security Manager, based on how you configured CS-MARS.
If more than one device in Security Manager matches the event characteristics, you are prompted to
select a device.
Step 3 Detailed information is obtained from Security Manager and presented based on whether the event is for
an access rule or IPS signature:
Access rule—The access rules are displayed in CS-MARS in a read-only window with the rule that
matches the event highlighted.