Cisco MARS and Syslog Relay

A new feature introduced in Cisco MARS OS6.0 is the ability of having the appliance relay syslog messages to another server. The set of commands used to accomplish this task are shown below:

[pnadmin]$ syslogrelay
syslogrelay list [all | collector | src]
syslogrelay {setcollector | unsetcollector} IP
syslogrelay src reset
syslogrelay src {include | exclude} {ANY |IP1,...,IP10}

As shown above by using the CLI, the administrator can “set” or “unset” an auxiliary collector as well as be selective as to which source IP addresses for syslog messages get forwarded and which do not. This latter capability is specified by the include and exclude options above when used with the src argument.

While this function can be useful for those deployments where one or more secondary log servers are required (in addition to the MARS appliance), it comes at a cost. The added overhead of selectively filtering and forwarding messages can have as much as a 50% penalty on the eps (events per second) rating. An alternative to using the MARS appliance to forward messages to another collector is to have that collector forward its messages to MARS. We will examine how to accomplish this using the Kiwi Syslog Service Manager in this article.

Shown below is a screenshot of the appropriate setup options which need to be selected in order for the messages seen by Kiwi to be forwarded successfully to MARS. To get this popup to appear, the File> Setup option needed to be chosen from the Manager menu bar, and the kiwi item needed to be selected under the Rules>Default>Actions menu tree. Next, from the Action: drop-down menu, select “Forward to Another Host”.

Note above that the “Retain the original source address…” and “Spoof Network Packet” options were both checked. I found this necessary for successful operation.

The result of correct configuration of the relay function in Kiwi is seen below; first with the messages as they arrived in Kiwi:

Now, here are the messages appearing in a Cisco MARS Real-Time Query:

Author: Doug McKillip


