
No Events from 3750

niall-wilkins
Level 1

Hey guys,

I am trying to add a 3750 (IOS 12.2)sh as a reporting device in MARS but when I look at the raw data I don't see anything coming in. On the switch I have configured the following:

logging trap debugging

logging source-interface FastEthernet1/0/24

logging 192.168.233.71 <--IP of CS-MARS

On the MARS I selected IOS 12.2 and input a Device Name and reporting IP and then submitted and activated. Is there something I am missing here? I don't see any raw data events showing up.

2 Replies

irisrios
Level 6

Probably the best way to view the most recent events in the past that were received by the MARS is to run a query under the "query/reports" tab.

Select "edit" under "query type" and you can set a time filter. From there you can select a report and run a query to get all the latest incidents.

So the CS-MARS has the following structure:

1. The CS-MARS accepts events from various network devices (alarms, syslogs, etc).

2. These events are strung together to create a session.

3. An incident is comprised of one or more sessions.

mohsin.khan
Level 3

I am copying the text that solved my problem. Hope it will help you as well.

--------------------------------------------

If the device is listed under Host but not under Security and Monitor Devices then yes, that will affect your ability to receive logs from that IP.

Open a quick query. Set the type to "All matching events raw messages" then set the device to the device you are trying to view the messages for. Is the device not showing up in the "filter by reporting device" for "all reporting devices"? If it is showing up, run the report for the past couple of hours.

If it's not showing up, run another quick query. This time do it for type "Unknown Event Report" for a time range of the past couple of hours and submit it inline. Look to see if there are messages in there from that particular IP address.

Go to Management > IP Management then pull down the View drop down box and select "Host". Find the device by name or by IP address then delete it.

You should be able to then re-add it as a "Security and Monitor Device".

---------------------------------------

Also, for SNMP access, you need to have

snmp-server community RO

on your switch. I wonder if you have not enabled snmp on your device.

If the above procedure does not help you, you need to check if the SNMP port (UDP port 161) to your MARS is open for the switch.

Rate if all above is helpful.

regards,

Mohsin
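
Added example (not part of the thread and not Cisco code): a small Python check for telling "the switch sends nothing" apart from "the switch sends syslog from an address other than the reporting IP entered in MARS". It assumes you have the source address and UDP/514 payload of each datagram from a packet capture taken near the MARS; the addresses and messages in SAMPLE are constructed.

```python
import re

# RFC 3164 "<PRI>" followed later by the IOS "%FACILITY-SEVERITY-MNEMONIC:" tag.
IOS_SYSLOG = re.compile(rb"^<(\d{1,3})>.*?%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):")
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]


def parse_ios_syslog(payload):
    """Return (facility, severity_name, tag), or None if it is not IOS syslog."""
    m = IOS_SYSLOG.match(payload)
    if not m or int(m.group(1)) > 191:      # PRI = facility * 8 + severity
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return facility, SEVERITY[severity], b"-".join(m.group(2, 3, 4)).decode()


def triage(datagrams, reporting_ip):
    """Group captured UDP/514 payloads by whether their source address is
    the reporting IP entered for the device in MARS."""
    out = {"from_reporting_ip": [], "from_other_ip": {}, "unparsed": 0}
    for src_ip, payload in datagrams:
        parsed = parse_ios_syslog(payload)
        if parsed is None:
            out["unparsed"] += 1
        elif src_ip == reporting_ip:
            out["from_reporting_ip"].append(parsed)
        else:
            out["from_other_ip"].setdefault(src_ip, []).append(parsed)
    return out


# Constructed capture: (source IP, UDP payload). All addresses are made up.
SAMPLE = [
    ("10.0.0.24", b"<187>45: *Mar  1 00:10:05.123: %LINK-3-UPDOWN: "
                  b"Interface FastEthernet1/0/1, changed state to up"),
    ("10.0.0.24", b"<189>46: *Mar  1 00:10:06.130: %LINEPROTO-5-UPDOWN: "
                  b"Line protocol on Interface FastEthernet1/0/1, changed state to up"),
    ("192.168.233.10", b"<189>12: *Mar  1 00:11:00.001: %SYS-5-CONFIG_I: "
                       b"Configured from console by console"),
    ("10.0.0.24", b"keepalive"),
]

if __name__ == "__main__":
    report = triage(SAMPLE, reporting_ip="192.168.233.10")
    print("matching reporting IP:", report["from_reporting_ip"])
    for ip, events in report["from_other_ip"].items():
        print("other source", ip, "->", events)
    print("unparsed datagrams:", report["unparsed"])
```

If most events land under "other source", compare that address with the interface named in logging source-interface and with the reporting IP configured for the device.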
