Not gettign events

Unanswered Question

I have added just 2 4500 Cat switches to MARS, i have bootstrapped the switches according to the cisco recommendations, and i can see using "sh logging" that 1000+ messages have been logged to the MARS IP, but when i run a query in MARS with device=any/both switch, with Query type: All matchin events, i get a count=0.

Another thing to mention is that if i use device=any, i get more than 5000 events, but it says, the Reporting Device=Unknown Reporting Device, but i can see the RAW messages are being gathered from the same switches that i have configured. Please help

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Wed, 07/30/2008 - 23:30
User Badges:
  • Red, 2250 points or more

Dear Mohsin

It seems your switch is reporting events from a 'different source IP' than the one you entered in MARS. Run a query for the raw events and see the IP address being used by the switch to report to the MARS. Also check if you entered the correct model/version.



pmccubbin Thu, 07/31/2008 - 04:26
User Badges:
  • Silver, 250 points or more

Hi Mohsin,

Please use Farrukh's suggested solution and also remember that you won't see the data reduction immediately. I always counsel people to wait a few days and allow MARS to correlate events and to learn the network.

Hope this helps.



Agree.. But here is a different trick now.

I ran a discovery, and got 4-5 routers, and 6-7 switches.. then i deleted the seed switches, and got them thru discovery, so there is no question of conflict of reporting device ip and access device ip??

Still, when run the query selecting any particular device, and query type=events ranked by time, i get 0 event.

Interestingly, if i use device=any, i get lot of events, with reporting device showing the same devies that are learned through discovery.

I am unable to know for sure, which devices are sending events and which are not.

Please help

Farrukh Haroon Fri, 08/01/2008 - 05:40
User Badges:
  • Red, 2250 points or more

There is a 'device IP' and a 'reporting IP', make sure that the reporting IP is set to the one you see in 'raw events'




This Discussion