
CS-Mars... understanding

mohsin.khan
Level 3

Hi, being new to the concept of correlation and deep packet inspection, I have a few design-related (to CS-MARS) questions.

- How is the incident analyzed? I have only 1 incident, "Inactive CS-MARS reporting device". What does this mean, and how to go through complications in order to understand?

- I have enabled NetFlow on a router, and am getting it on another machine running a 3rd party NetFlow analyzer successfully. But when I redirect the NetFlow to MARS (and configure the device in Netflow config), it does not seem to be accepting the flows, as it does not show any received NetFlow event. Where can I check and resolve this issue?

2 Replies

ivillegas
Level 6

Error message "Inactive CS-MARS reporting device" means that the MARS has not received syslog information from the configured device within the past one hour. Configure the device in order to accept administrative sessions from MARS and also ensure that the device being monitored is configured to publish its event to MARS. On MARS, provide the administrative connection information in order to define the device being monitored.

Can you please explain a bit for me?

1- What configuration is required to do on the device to accept administrative sessions from MARS?

2- How can this be assured that the device being monitored is configured to publish its events to MARS?

3- Where to provide administrative connection information on MARS in order to define the device?

Please help, as I'm new to this.
