
CSA MC receives events from unknown hosts

juergen.bauer
Level 1

Hi NetPros,

We are running a CSA MC (5.1) in a test environment.

At the moment I am receiving a lot of events from unknown hosts.

Does anyone know why they are unknown, and how to determine which host(s) sent these events?

We have 4 servers with inactive agents - is it possible that these are the unknown servers?

Any help appreciated.

Best regards

juergen bauer

8 Replies

tsteger1
Level 8

Hi Jurgen. Do you have host discovery enabled? What type of messages are you getting?

Tom

I'm not sure if host discovery is enabled. Will check that next week.

And for the events: we receive all kinds of events: same event - some with valid host - some with host unknown?!

Thanks

juergen

Let me get this straight (I can be a bit dense at times...):

Is it the source or the destination host that's unknown?

Could you also paste an alert without any identifying info?

Tom

Source is unknown. Attached screenshot.

Thanks and best regards

juergen

I've seen this when a host drops out of communication with the MC. Also, after a host has been deleted, the database will propagate with these types of alerts. Basically, the alerts cannot correlate to a specific host, so that field will be filled with 'unknown.'

*EDIT* You can see HV-BRZ-APP02 in the user field of one of the unknowns. Then, 8 days later, it produces an alert with the correct host information. I'm running 5.1.0.91 and all those problems stopped for me. I don't know if you have the ability to update your hosts, but it might be advisable.

Response from Cisco:

"This is not a bug but an annoying behaviour.

A cosmetic enhancement request has been opened to change this behaviour (CSCse93361) and has been integrated in CSA 5.2."

Happens when:

- host inactive more than 30 days -> host will be deleted

- when the host reconnects it reregisters and sends old events with new ID (why that?)

Sounds weird, and btw none of our hosts was inactive for 30 days or longer.

Anyway. Check if we can upgrade the MC. The agents have to be upgraded as well? Do I have to reboot all the hosts after the upgrade (I guess - can someone confirm this?)

Best regards

juergen

Hosts can unregister for various reasons (none of which I can figure out with any certainty).

They usually have corresponding events in the CSALOG.TXT files on the host and MC and they may also have errors in the Windows event log.

They will store all CSA events in CSALOG.TXT until they can find the MC again and regurgitate them.

If you do upgrade the MC:

The agents will need to be upgraded.

They don't HAVE to restart after the upgrade, but they will run the old agent until they do.

Tom

TradeSecrets
Level 1

Hi Juergen,

A CSA-MC will ignore any CSA agent that was not built by that CSA-MC. So chances are you installed the agent built by that CSA-MC, unless you are playing with the PKI encryption of the agent kit.
