I think you have a pretty cool blog. My name is Jes I work for a Cisco Gold Partner in Australia. I am focusing on Cisco Security at the time being. I have deployed a couple of MARS deployment mainly using network device for reporting agent.
I notice you have some Windows Servers reporting to your MARS.
I am working on a current opportunity where the customer would like MARS to report on sucessfull and unsucessfull logins for Windows users.
I know that Win Eventlogs capture this. with the use of a SNARE agent can I get MARS to provide an aggregate report of this login activity.
This is an excellent question. Since I teach by example I'll show how this is done with an example. In this example we're going to take a Windows 2000 server (SP4 loaded) and have it log login failure and successes to the MARS appliance. We'll even create our own rules to trigger notification of login failures and successes. There's two techniques of getting logs onto the MARS appliance: push and pull. Here I'll be using the "pull" function, in which MARS will log into the server and poll the event log. I prefer this over placing SNARE on all servers and "pushing" the logs to MARS. This mini-tutorial make the assumption you have a base understanding of Windows server administration.
1) Configure your Windows 2000 Server to log login events:
I could sit here an explain this... but Microsoft has a brief tutorial on this. You can find it here. Below is a screenshot of my console after logging is fully enabled. If you view your Security Event Viewer now you should see login/logout events:
2) Configure CS-MARS to pull events from the Windows 2000 Server
Login to your MARS appliance and go to Admin -> Security and Monitor Devices -> Add. Now choose "Add SW security apps on new host." The screen should now look like this:
Fill in all fields and make sure to choose "Windows" Operating System. Then click the "Logging Info" button to choose your event polling options:
After this you can click "Done" and the device should be added. Make sure to "Activate" it in the upper-right hand corner.
3) As an aside you can configure how often MARS will go out and poll for events on the configured servers. This is found under Admin -> System Parameters -> Windows Event Log Pulling Time Interval. I use 60 seconds:
4) Next I like to always verify that logging is properly working.
Let it run for about 10-20 minutes (good time to go grab a coffee) and come back and pull the raw events from MARS. To do this go to Admin -> System Maintenance -> Retrieve Raw Messages. I usually like to go back 10 minutes or more. Fill out the option like below and make sure to select just your Windows 2000 server (mine's named CISCOWORKS). Then click Submit.
5) After you have verified that you see messages... now you want incidents to be created when triggered events happen. I've created an example rule that will create an incident when a user logs into the server. Here's the details on it:
Obviously you can tweak this as you must. Find the keywords in the raw messages and use those as a "Keyword" to fire off incidents.
I hope this helped explain how to get Windows Servers logging with MARS and generating rules to fire events for server logins. Though this was done to help Jesmond, anyone with any questions or that would like more example rules please let me know.