The rule "Inactive CS-MARS Reporting Device"

Unanswered Question
Jun 18th, 2008

Hi


I have MARS 4.3.5 and the only thing I've done to this rule is to replace the "ANY" devices with my most chatty/critical devices.

Just after lunch I realized one of these devices had been frozen for 3 hours and MARS had not fired an incident.

This doesn't seem like a very reliable rule to me. Do I have to do any additional tweaking, or is the rule to be considered "non-functional"?


Regards

Fredrik

dougnotini Wed, 06/18/2008 - 04:58

Did you do a query on MARS to see whether or not events had been sent from the "frozen" device during the 3 hour time period?

Farrukh Haroon Wed, 06/18/2008 - 05:08

Could be a bug. If you go to Query and do the following:


Query type: Event Raw Messages ranked by Time, Real Time(raw events)


And then filter the query to this specific device, do you see raw events coming in?


Regards


Farrukh

hoffa2000 Wed, 06/18/2008 - 05:42

I did a query for the time period and no events were seen by MARS.


/Fredrik

Farrukh Haroon Wed, 06/18/2008 - 05:47

Do you see any specific error messages in Admin >> System Maintenance >> Logs during this time period?


Regards


Farrukh

hoffa2000 Wed, 06/18/2008 - 05:59

Logging is empty unless I use the "Last xx hours/minutes" function. Seems my MARS cannot select logs from a specific time period.

Farrukh Haroon Wed, 06/18/2008 - 06:11

No that is normal. You have to select a time limit (default is 10 minutes I think) and hit submit.



Regards


Farrukh

mhellman Wed, 06/18/2008 - 06:12

FWIW, I don't have any of those events in the last 24 hours, and I have many devices that don't report in every hour. I would say it is broken on our 210. We use a different process to detect this problem, so it doesn't affect us.

mhellman Wed, 06/18/2008 - 05:54

The events that trigger this rule are somewhat unique in that they are generated by some MARS process, and perhaps that process isn't working. You might try a query for the following event type during the last 3 hours:


"Inactive CS-MARS reporting device"

mhellman Wed, 06/18/2008 - 06:25

I've gone back to last year and I don't see any of these events either. It may be that because they're not "normal" events received by MARS that you can't query on them and they are not archived??? Out of curiosity, does anyone have an environment where this rule actually fires? Can you do a query on the event type?

Farrukh Haroon Wed, 06/18/2008 - 06:29

It fires on our Gen1 MARS 100 box every hour for sure (and it's very annoying). However, I am away from the customer now, so I can't actually run the query.


Regards


Farrukh

hoffa2000 Wed, 06/18/2008 - 06:44

So the consensus is that this rule shouldn't be used to monitor critical devices? I will look at other tools to accomplish this.


/Fredrik

Farrukh Haroon Wed, 06/18/2008 - 06:46

hoffa, what is your specific requirement? Can you please explain more.


This rule just reports any devices that were added in MARS as 'security/monitoring' devices and have not reported any 'raw' events to MARS in the past one hour.


Regards


Farrukh

mhellman Wed, 06/18/2008 - 07:16

I don't know about a consensus. We just happened to build our kludge for this before this kludge existed ;-)


Provided it actually works of course, and if you modify the inspection rule to only include the devices that you care about and that consistently generate events, then it may very well meet your needs. In any event, IMO it is imperative that you have some way to monitor for devices that are no longer reporting into MARS that should be.
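An added example, not code from the thread or from Cisco MARS: the check the rule is supposed to perform (a monitored device with no raw events in the past hour), run independently over raw event lines so it can be cross-checked against the rule, as Farrukh's raw-event query and mhellman's "different process" both suggest. The device names, the one-line-per-event format and the sample timestamps are constructed assumptions; a real run would feed it the exported output of the raw-event query instead.

```python
from datetime import datetime, timedelta

# Constructed sample input: one raw event per line, "<timestamp> <device>".
# This is a simplified stand-in, not the real MARS raw-event format.
SAMPLE_EVENTS = """\
2008-06-18 09:58:12 fw-edge-1
2008-06-18 10:02:40 ids-core-1
2008-06-18 10:15:03 fw-edge-1
2008-06-18 11:40:55 fw-edge-1
2008-06-18 12:10:00 ids-core-1
"""

# The critical devices substituted for ANY in the rule (hypothetical names).
# asa-dmz-1 is deliberately absent from the sample to show the "never seen" case.
MONITORED = ["fw-edge-1", "ids-core-1", "asa-dmz-1"]

# Reference time for the check (constructed; a real run would use datetime.now()).
NOW = datetime(2008, 6, 18, 13, 0, 0)

def last_seen(raw_events):
    """Return {device: datetime of its most recent event} from raw event lines."""
    seen = {}
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ts_str, device = line.rsplit(" ", 1)
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if device not in seen or ts > seen[device]:
            seen[device] = ts
    return seen

def inactive_devices(raw_events, monitored, now, window=timedelta(hours=1)):
    """Devices in `monitored` with no event inside `window` before `now`.

    Returns {device: last event time or None}. A device with no events at all
    is reported too; a silent device must not be missed just because it is
    missing from the event data (the failure mode the thread is about).
    """
    seen = last_seen(raw_events)
    return {dev: seen.get(dev) for dev in monitored
            if seen.get(dev) is None or now - seen[dev] > window}

def check():
    """Run the check over the constructed sample at the constructed NOW."""
    return inactive_devices(SAMPLE_EVENTS, MONITORED, NOW)

if __name__ == "__main__":
    for dev, ts in check().items():
        print(f"{dev}: last raw event {ts or 'never'}")
```

With the sample data, fw-edge-1 (last event 11:40:55, more than an hour before 13:00) and asa-dmz-1 (never seen) are flagged, while ids-core-1 (12:10:00) is not.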
