IP exists but do not see in Devices

Unanswered Question
Oct 16th, 2008


running 6.0.1 on a MARS 50. All is good but I ran into an issue where I tried to add a device, after which it never showed up in the list. I did activate after the add. I then attempted to re-add it using the same IP but slightly different name and I got the "IP exists" message.

The 2nd device shows up but I'm not receiving anything from it.

First, how do I find this existing device in MARS if it doesn't show up in the Devices list?

2nd, could this be affecting my ability to receive logs from that IP?

thanks much.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Sat, 10/18/2008 - 04:42

I doubt that the device 'disappeared' from the Device list. You either have to increase the viewing window (default is 25 devices per page) or MARS was simply complaining that the device was already added as an 'IP Host' Management >> IP Management . For example you are adding a proxy server as a software host in MARS, but it was already added 'dynamically' or manually. One common reason for this is during false positive tuning MARS prompts that the device (source/destination IP) should be added in order to tune false positives.

As long as you have a device with the correct IP/Type in MARS, you should be OK.



rajett Wed, 10/29/2008 - 15:33

If the device is listed under Host but not under Security and Monitor Devices then yes, that will affect your ability to receive logs from that IP.

Open a quick query. Set the type to "All matching events raw messages" then set the device to the device you are trying to view the messages for. Is the device not showing up in the "filter by reporting device" for "all reporting devices"? If it is showing up, run the report for the past couple of hours.

If it's not showing up, run another quick query. This time do it for type "Unknown Event Report" for a time range of the past couple of hours and submit it inline. Look to see if there are messages in there from that particular IP address.

Go to Management > IP Management then pull down the View drop down box and select "Host". Find the device by name or by IP address then delete it.

You should be able to then re-add it as a "Security and Monitor Device".



This Discussion