69-32
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 69 Using External Monitoring, Troubleshooting, and Diagnostic Tools
Integrating CS-MARS and Security Manager
If you decide to edit a rule, click the rule number, and you are taken to the rule in the Access Rule
policy in the Security Manager client. You can then make your edits, save them, and then deploy
configurations. Remember that your changes are not made to the device until you deploy them.
For more information on configuring access rules, see Configuring Access Rules, page 16-7.
IPS Signature—Signature details are displayed in CS-MARS in a read-only window.
To edit the signature, click Edit Signature, and you are taken to the signature in the Signatures
policy, where you can make your changes. For more information, see Editing Signature Parameters
(Tuning Signatures), page 38-19.
If you instead want to remove specific actions from an event, or remove the event entirely and
prevent further processing by the sensor, click Add Filter. This opens the Add Event Filter
dialog box in Security Manager, where you can configure an event filter. For more
information, see Filter Item Dialog Box, page 39-9.
As with access rules, your changes do not take effect until you deploy the new configuration.
System Log Messages Supported for Policy Look-up
When you configure access rules on security appliances and IOS devices, you can configure logging
options in the Advanced and Edit Options Dialog Boxes, page 16-15, that generate system log (syslog)
messages. On devices with multiple contexts, each security context includes its own logging
configuration and generates its own messages. If Security Manager is configured to interoperate with
CS-MARS, these messages are reported to CS-MARS and you can query for the reported information
on a per-rule basis.
For additional information about each of these message IDs, see the System Message Guide of the
relevant product documentation.
Security-appliance messages
Security-appliance syslog messages begin with a percent sign (%) and are structured as follows:
%{ASA | PIX | FWSM}-Level-Message_number: Message_text
For example:
%ASA-2-302013: Built outbound TCP connection 42210 for outside:9.1.154.12/23 (9.1.154.12/23) to inside:2.168.154.12/4402 (192.168.154.12/4402)
Note that additional information, such as date and timestamp, precedes these messages. The specific
additional information depends on the type of device.
A unique six-digit number identifies each message (302013 in the preceding example). The following
security-appliance syslog message IDs are supported for Security Manager-to-CS-MARS queries. If you
change the logging level of a security appliance, be sure these messages are generated at the new level.
Message ID   Message
106023       An IP packet was denied by the access rule. This message is recorded even if logging
             is not enabled for the rule; this is the Default Logging option.
106100       An IP packet was permitted or denied by the access rule. Additional information is
             provided, based on the logging level defined for the rule in the Advanced and Edit
             Options Dialog Boxes, page 16-15.
302013       A TCP connection between two hosts was created.
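
The following is an added example, not part of the Cisco guide or of Security Manager: a parser for the security-appliance message structure shown above that marks which messages carry an ID from the table and reports which of those would stop being generated at a proposed logging level. The function names and sample log lines are constructed, and the level check assumes that an appliance emits a message only when its severity number is less than or equal to the configured level.

```python
import re

# Matches %{ASA | PIX | FWSM}-Level-Message_number: Message_text anywhere in
# the line, because a device-dependent date/timestamp prefix precedes it.
MSG_RE = re.compile(r"%(ASA|PIX|FWSM)-(\d)-(\d{6}): (.*)")

# Only the message IDs listed in the table above.
SUPPORTED_IDS = {"106023", "106100", "302013"}

def parse(line):
    """Return a dict for a security-appliance message, or None if no match."""
    m = MSG_RE.search(line)
    if not m:
        return None
    device, level, msg_id, text = m.groups()
    return {"device": device, "level": int(level), "id": msg_id,
            "text": text.strip(), "supported": msg_id in SUPPORTED_IDS}

def lost_at_level(lines, new_level):
    """Supported IDs seen in `lines` that a new logging level would suppress.

    Assumption: the appliance emits a message only when its severity number
    is less than or equal to the configured logging level.
    """
    seen = {}
    for line in lines:
        rec = parse(line)
        if rec and rec["supported"]:
            # Keep the highest severity number observed for each ID.
            seen[rec["id"]] = max(seen.get(rec["id"], 0), rec["level"])
    return sorted(i for i, lvl in seen.items() if lvl > new_level)

# Constructed sample input (documentation-range addresses, made-up timestamps).
SAMPLE = [
    "Mar 01 2013 10:15:02: %ASA-4-106023: Deny tcp src outside:198.51.100.7/4402 "
    "dst inside:192.0.2.10/23 by access-group \"outside_in\"",
    "Mar 01 2013 10:15:03: %ASA-6-106100: access-list outside_in permitted tcp "
    "outside/198.51.100.7(4403) -> inside/192.0.2.10(80) hit-cnt 1 first hit",
    "Mar 01 2013 10:15:04: %ASA-6-302013: Built inbound TCP connection 42211 for "
    "outside:198.51.100.7/4403 (198.51.100.7/4403) to inside:192.0.2.10/80 (192.0.2.10/80)",
    "Mar 01 2013 10:15:05: %ASA-5-111008: User 'admin' executed the 'show run' command.",
    "<166>Mar 01 2013 10:15:06 fw1 : not an appliance message",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse, SAMPLE)):
        print(rec["id"], rec["level"], "supported" if rec["supported"] else "ignored")
    print("Suppressed at level 4:", lost_at_level(SAMPLE, 4))
```

Run it over a capture taken before a logging-level change to see which per-rule queries from Security Manager would lose their data afterwards.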