CSA MC receives events from unknown hosts

Unanswered Question

Hi NetPros,

We are running a CSA MC (5.1) in a test environment.

At the moment I am receiving a lot of events from unknown hosts.

Does anyone know why they are unknown, and how to determine which host(s) sent these events?

We have 4 servers with inactive agents - is it possible that these are the unknown servers?

Any help appreciated.

Best regards

juergen bauer

tsteger1 Tue, 06/05/2007 - 09:03

Hi Jurgen. Do you have host discovery enabled? What type of messages are you getting?

Tom

tsteger1 Wed, 06/06/2007 - 13:02

Let me get this straight (I can be a bit dense at times...):

Is it the source or the destination host that's unknown?

Could you also paste an alert without any identifying info?

Tom

I've seen this when a host drops out of communication with the MC. Also, after a host has been deleted, the database will propagate with these types of alerts. Basically, the alerts cannot correlate to a specific host, so that field will be filled with 'unknown.'

*EDIT* You can see that HV-BRZ-APP02 in the user field of one of the unknowns. Then, 8 days later, it produces an alert with the correct host information. I'm running 5.1.0.91 and all those problems stopped for me. I don't know if you have the ability to update your hosts, but it might be advisable.

Response from Cisco:

"This is not a bug but an annoying behaviour.

A cosmetic enhancement request has been opened to change this behaviour (CSCse93361) and has been integrated in CSA 5.2."

Happens when:

- host inactive more than 30 days -> host will be deleted

- when the host reconnects it re-registers and sends old events with a new ID (why that?)

Sounds weird, and btw none of our hosts was inactive for 30 days or longer.

Anyway. Check if we can upgrade the MC. The agents have to be upgraded as well? Do I have to reboot all the hosts after the upgrade (I guess - can someone confirm this?)

Best regards

juergen

tsteger1 Thu, 06/14/2007 - 10:46

Hosts can unregister for various reasons (none of which I can figure out with any certainty).

They usually have corresponding events in the CSALOG.TXT files on the host and MC and they may also have errors in the Windows event log.

They will store all CSA events in CSALOG.TXT until they can find the MC again and regurgitate them.

If you do upgrade the MC:

The agents will need to be upgraded.

They don't HAVE to restart after the upgrade, but they will run the old agent until they do.

Tom

TradeSecrets Wed, 07/11/2007 - 06:12

Hi Juergen,

A CSA-MC will ignore any CSA agent that was not built by that CSA-MC. So chances are you installed the agent built by that CSA-MC. Unless you are playing with the PKI encryption of the agent kit.
