Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
512
Views
0
Helpful
5
Replies

Not gettign events

mohsin.khan
Level 3
Level 3

‎07-30-2008 10:35 PM

I have added just 2 4500 Cat switches to MARS, i have bootstrapped the switches according to the cisco recommendations, and i can see using "sh logging" that 1000+ messages have been logged to the MARS IP, but when i run a query in MARS with device=any/both switch, with Query type: All matchin events, i get a count=0.

Another thing to mention is that if i use device=any, i get more than 5000 events, but it says, the Reporting Device=Unknown Reporting Device, but i can see the RAW messages are being gathered from the same switches that i have configured. Please help

Labels:
0 Helpful
5 Replies 5

mohsin.khan
Level 3
Level 3

‎07-30-2008 10:38 PM

Also, according to the books, the sessions are the aggregated (reduced) form of the events and hence their count should be less than the events, but on my MARS, i have Events=7,169

Sessions=7,201

Data Reduction=0%

Amazed...

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to mohsin.khan

‎07-30-2008 11:30 PM

Dear Mohsin

It seems your switch is reporting events from a 'different source IP' than the one you entered in MARS. Run a query for the raw events and see the IP address being used by the switch to report to the MARS. Also check if you entered the correct model/version.

Regards

Farrukh

0 Helpful

pmccubbin
Level 5
Level 5
In response to Farrukh Haroon

‎07-31-2008 04:26 AM

Hi Mohsin,

Please use Farrukh's suggested solution and also remember that you won't see the data reduction immediately. I always counsel people to wait a few days and allow MARS to correlate events and to learn the network.

Hope this helps.

Best,

Paul

0 Helpful

mohsin.khan
Level 3
Level 3
In response to pmccubbin

‎08-01-2008 05:26 AM

Agree.. But here is a different trick now.

I ran a discovery, and got 4-5 routers, and 6-7 switches.. then i deleted the seed switches, and got them thru discovery, so there is no question of conflict of reporting device ip and access device ip??

Still, when run the query selecting any particular device, and query type=events ranked by time, i get 0 event.

Interestingly, if i use device=any, i get lot of events, with reporting device showing the same devies that are learned through discovery.

I am unable to know for sure, which devices are sending events and which are not.

Please help

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to mohsin.khan

‎08-01-2008 05:40 AM

There is a 'device IP' and a 'reporting IP', make sure that the reporting IP is set to the one you see in 'raw events'

Regards

Farrukh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents