
"Inactive CS-MARS Reporting Device" Take 2

srdroppers
Level 1

We have a number of devices that are quite "quiet" under normal conditions in our network -- rarely reporting activity to the CS-MARS device. This is normal for these devices.

I see this in both Cisco IPS v6 sensors and Cisco IOS switches with SNMP RO credentials reporting via syslog.

1) Are there configurations or techniques that these devices will generate a "timestamp" message every 30 or minutes?

2) Is there a way to change the CS-MARS "Inactive CS-MARS reporting device" (1000021) so it only triggers if the device has not sent a message in 24 hours rather than 1 hour?

1 Reply

ben.gordon
Level 1

I ran into the same problem. To overcome the issue, I monitored the devices for about a week by logging in and checking the logs manually. Once I was sure they were reporting correctly, just very rarely, I created a false positive drop rule and added all the other devices that applied.

1) I haven't heard of anything like that. But you could have a script or monitoring software log into a device every 45 minutes, enough to cause the device to create a log entry. You could use something like Rancid to log in and go to configuration mode, back out, then save the current running config. That should produce a log and keep tabs on your running configs, compare to previous configs if needed.

2) I have looked several times to see if I can change when that rule fires without any success. There may be a way to modify the system scheduler through the command line. I would think that same service runs the scheduled reports. But I'm just speculating and don't recommend messing with system parameters.
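
A per-device silence window like the one asked about in question 2 can also be checked outside CS-MARS, against the raw syslog feed. The following is an added example, not part of the original thread and not a CS-MARS feature; the hostnames, log lines, inventory and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 3164 style); hostnames are hypothetical.
SAMPLE_LOG = """\
Mar  3 09:15:02 core-sw-01 %LINK-3-UPDOWN: Interface Gi0/1, changed state to up
Mar  3 13:40:10 core-sw-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0
Mar  2 16:05:44 quiet-sw-07 %SYS-5-CONFIG_I: Configured from console by rancid on vty0
Mar  1 08:00:00 quiet-ips-02 sensor: constructed status message
this line is not syslog and is skipped
"""

DEFAULT_LIMIT = timedelta(hours=1)   # the 1-hour window described in the question
QUIET_LIMIT = timedelta(hours=24)    # the 24-hour window wanted for quiet devices


def last_seen(log_text, year):
    """Return {hostname: newest timestamp} parsed from RFC 3164 style lines."""
    seen = {}
    for line in log_text.splitlines():
        try:
            # RFC 3164 timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # not in the expected format
        fields = line[16:].split(None, 1)
        if not fields:
            continue
        host = fields[0]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def inactive_devices(seen, inventory, quiet_hosts, now):
    """Return [(host, silence)] for devices past their limit.

    silence is None when an inventoried device has never reported at all.
    """
    flagged = []
    for host in sorted(inventory):
        limit = QUIET_LIMIT if host in quiet_hosts else DEFAULT_LIMIT
        if host not in seen:
            flagged.append((host, None))
        elif now - seen[host] > limit:
            flagged.append((host, now - seen[host]))
    return flagged
```

Keeping never-seen devices in the result matters here: a device that is merely quiet and a device whose syslog forwarding is broken look identical unless the inventory is compared against what actually arrived.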