The rule "Inactive CS-MARS Reporting Device"

hoffa2000
Level 3

Hi

I have MARS 4.3.5 and the only thing I've done to this rule is to replace the "ANY" devices with my most chatty/critical devices.

Just after lunch I realized one of these devices had been frozen for 3 hours and MARS had not fired an incident.

This doesn't seem like a very reliable rule to me. Do I have to do any additional tweaking or is the rule to be considered "non functional"?

Regards

Fredrik

14 Replies

dougnotini
Level 1

Did you do a query on MARS to see whether or not events had been sent from the "frozen" device during the 3 hour time period?

Farrukh Haroon
VIP Alumni

Could be a bug. If you go to Query and do the following:

Query type: Event Raw Messages ranked by Time, Real Time(raw events)

And then filter the query to this specific device, do you see raw events coming in?

Regards

Farrukh

I did a query for the time period and no events were seen by MARS.

/Fredrik

Do you see any specific error messages in Admin >> System Maintenance >> Logs during this time period?

Regards

Farrukh

Logging is empty unless I use the "Last xx hours/minutes" function. Seems my MARS cannot select logs from a specific time period.

No that is normal. You have to select a time limit (default is 10 minutes I think) and hit submit.

Regards

Farrukh

FWIW, I don't have any of those events in the last 24 hours and I have many devices that don't report in every hour. I would say it is broken on our 210. We use a different process to detect this problem so it doesn't affect us.

The events that trigger this rule are somewhat unique in that they are generated by some MARS process, and perhaps that process isn't working. You might try a query for the following event type during the last 3 hours:

"Inactive CS-MARS reporting device"

I've gone back to last year and I don't see any of these events either. It may be that because they're not "normal" events received by MARS that you can't query on them and they are not archived??? Out of curiosity, does anyone have an environment where this rule actually fires? Can you do a query on the event type?

It fires on our Gen1 MARS 100 box every hour for sure (and it's very annoying). However I am away from the customer now to actually run the query.

Regards

Farrukh

So the consensus is that this rule shouldn't be used to monitor critical devices? I will look at other tools to accomplish this.

/Fredrik

hoffa, what is your specific requirement, can you please explain more.

This rule just reports any devices added in MARS as 'security/monitoring' devices that have not reported any 'raw' events to MARS in the past hour.

Regards

Farrukh

I don't know about a consensus. We just happened to build our kludge for this before this kludge existed;-)

Provided it actually works of course, and if you modify the inspection rule to only include the devices that you care about and that consistently generate events, then it may very well meet your needs. In any event, IMO it is imperative that you have some way to monitor for devices that are no longer reporting into MARS that should be.
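The check Farrukh describes (a monitored device that has sent no raw events in the past hour) and the independent monitoring the reply above calls for, as an added example that is not part of this thread or of MARS itself; the log format, hostnames and timestamps are constructed, and the check also flags a device that never appears in the window at all, which is the case Fredrik hit:

```python
from datetime import datetime, timedelta

# Constructed raw-event sample: "<ISO timestamp> <reporting device> <message>".
# Hostnames, message text and times are made up for this example.
SAMPLE_EVENTS = """\
2008-03-05T11:02:10 fw-edge-1 %ASA-6-302013: Built outbound TCP connection
2008-03-05T11:05:41 ids-core-1 %IPS-4-SIGNATURE: sig 3002 fired
2008-03-05T12:58:03 fw-edge-1 %ASA-6-302014: Teardown TCP connection
2008-03-05T13:40:22 sw-dist-1 %LINK-3-UPDOWN: Interface Gi1/0/1 changed state
"""

# The explicit device list that replaces "ANY" in the rule (constructed).
MONITORED = {"fw-edge-1", "ids-core-1", "sw-dist-1", "vpn-1"}

# The rule's default window: no raw events in the past hour.
INACTIVITY = timedelta(hours=1)


def last_seen(events):
    """Return {device: timestamp of its most recent raw event}."""
    seen = {}
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, device, _message = line.split(maxsplit=2)
        t = datetime.fromisoformat(ts)
        if device not in seen or t > seen[device]:
            seen[device] = t
    return seen


def inactive_devices(events, monitored, now, threshold=INACTIVITY):
    """Monitored devices silent for longer than threshold at time `now`.

    Maps each inactive device to its last-seen time, or None when the
    device sent nothing at all in the supplied events (a device that is
    absent from the log must still be reported, not silently skipped).
    """
    seen = last_seen(events)
    inactive = {}
    for device in sorted(monitored):
        last = seen.get(device)
        if last is None or now - last > threshold:
            inactive[device] = last
    return inactive


if __name__ == "__main__":
    now = datetime.fromisoformat("2008-03-05T14:00:00")
    for device, last in inactive_devices(SAMPLE_EVENTS, MONITORED, now).items():
        print(f"{device}: last event {last.isoformat() if last else 'never'}")
```

Run on a periodic schedule against the raw-event export of the hour, it gives a second opinion independent of the MARS-internal process that generates the rule's own events.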