07-30-2008 10:35 PM
I have added just 2 Catalyst 4500 switches to MARS. I have bootstrapped the switches according to the Cisco recommendations, and I can see using "sh logging" that 1000+ messages have been logged to the MARS IP, but when I run a query in MARS with device=any/both switches, with Query type: All matching events, I get a count=0.
Another thing to mention is that if I use device=any, I get more than 5000 events, but it says the Reporting Device=Unknown Reporting Device, although I can see the RAW messages are being gathered from the same switches that I have configured. Please help
07-30-2008 10:38 PM
Also, according to the books, the sessions are the aggregated (reduced) form of the events and hence their count should be less than the events, but on my MARS I have Events=7,169
Sessions=7,201
Data Reduction=0%
Amazed...
07-30-2008 11:30 PM
Dear Mohsin
It seems your switch is reporting events from a 'different source IP' than the one you entered in MARS. Run a query for the raw events and see the IP address being used by the switch to report to the MARS. Also check if you entered the correct model/version.
Regards
Farrukh
07-31-2008 04:26 AM
Hi Mohsin,
Please use Farrukh's suggested solution and also remember that you won't see the data reduction immediately. I always counsel people to wait a few days and allow MARS to correlate events and to learn the network.
Hope this helps.
Best,
Paul
08-01-2008 05:26 AM
Agree.. But here is a different trick now.
I ran a discovery and got 4-5 routers and 6-7 switches. Then I deleted the seed switches and got them through discovery, so there is no question of a conflict between the reporting device IP and the access device IP??
Still, when I run the query selecting any particular device, with query type=events ranked by time, I get 0 events.
Interestingly, if I use device=any, I get a lot of events, with the reporting device showing the same devices that were learned through discovery.
I am unable to know for sure which devices are sending events and which are not.
Please help
08-01-2008 05:40 AM
There is a 'device IP' and a 'reporting IP', make sure that the reporting IP is set to the one you see in 'raw events'
Regards
Farrukh
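The check Farrukh describes (compare the source IP seen in the raw events against the device IP / reporting IP configured in MARS) can be done offline on a packet capture or on an export of the raw-event query. The script below is an added example and is not part of the original thread or of Cisco MARS; the sample events, device names and addresses in it are constructed for illustration. It counts syslog senders per UDP source address, flags senders MARS would not recognise, and, given each device's interface addresses, tells you which configured device a "wrong" source IP actually belongs to (the typical case is a switch logging from an uplink or VLAN interface instead of the management address entered in MARS).

```python
import re
from collections import Counter

# Constructed sample: (UDP source IP, raw syslog payload) as you would see it
# in a packet capture on the MARS collector or in a MARS "raw events" query.
# IOS syslog does not carry a hostname by default, so the only thing MARS can
# key the event on is the source address of the datagram.
SAMPLE_EVENTS = [
    ("10.20.1.4", "<189>101: *Jul 30 22:35:01.123: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
    ("10.20.1.4", "<187>102: *Jul 30 22:36:12.456: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down"),
    ("10.10.0.5", "<189>55: *Jul 30 22:36:20.001: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
    ("10.30.9.9", "<189>7: *Jul 30 22:37:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.1.5)"),
]

# Constructed: the reporting IP entered for each device in MARS ...
CONFIGURED_REPORTING_IPS = {"10.10.0.4": "cat4500-a", "10.10.0.5": "cat4500-b"}
# ... and every address each device owns (e.g. from "show ip interface brief").
DEVICE_INTERFACES = {
    "cat4500-a": ["10.10.0.4", "10.20.1.4"],
    "cat4500-b": ["10.10.0.5", "10.20.1.5"],
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_priority(payload):
    """Return (facility, severity) from the syslog <PRI> header, or None."""
    m = PRI_RE.match(payload)
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def classify_reporters(events, configured_ips):
    """Split senders into those MARS knows and those it would report as
    'Unknown Reporting Device'. Returns (known Counter, unknown Counter)."""
    known, unknown = Counter(), Counter()
    for src_ip, payload in events:
        if parse_priority(payload) is None:
            continue  # not a syslog datagram, ignore
        (known if src_ip in configured_ips else unknown)[src_ip] += 1
    return known, unknown


def attribute_unknown(unknown_ips, device_interfaces):
    """Map each unexpected source IP to the configured device that owns it,
    or None if no known device has that address."""
    owner = {ip: name for name, ips in device_interfaces.items() for ip in ips}
    return {ip: owner.get(ip) for ip in unknown_ips}


def report(events, configured_ips, device_interfaces):
    """Produce the lines a practitioner would want: who is sending, who is
    mis-identified, and what reporting IP MARS should be given instead."""
    known, unknown = classify_reporters(events, configured_ips)
    lines = []
    for ip, n in sorted(known.items()):
        lines.append("OK      %-12s %-10s %d events" % (ip, configured_ips[ip], n))
    for ip, name in sorted(attribute_unknown(unknown, device_interfaces).items()):
        if name is None:
            lines.append("UNKNOWN %-12s (no configured device owns this address) %d events" % (ip, unknown[ip]))
        else:
            lines.append("FIX     %-12s is %s; set its reporting IP in MARS to %s (%d events)"
                         % (ip, name, ip, unknown[ip]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS, CONFIGURED_REPORTING_IPS, DEVICE_INTERFACES):
        print(line)
```

On the switch side, the usual way to make the reporting IP stable (and equal to the address entered in MARS) is to pin the syslog source with the IOS command `logging source-interface <interface>` (for example a loopback or the management SVI), then re-check the raw events.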