Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
706
Views
0
Helpful
6
Replies

Report Stopped Working

PaulWelc
Level 1
Level 1

‎03-06-2009 02:27 PM

I used to get the report "Activity: Spyware - Top Hosts". For the last few weeks the report shows nothing (no data). Any ideas on how to get this report populated again? I have rebooted MARS and that didn't help. Thanks

Labels:
0 Helpful
6 Replies 6

Farrukh Haroon
VIP Alumni
VIP Alumni

‎03-06-2009 11:07 PM

The first step would be to check if the reporting device is actually feeding this data into MARS? Have you verified that.

Regards

Farrukh

0 Helpful

PaulWelc
Level 1
Level 1
In response to Farrukh Haroon

‎03-09-2009 08:39 AM

Hi Farrukh, I'm not sure what feeds this report, is there a way to tell? I have an IPS in my ASA, also have Active Directory sending reports to MARS.

Event type: Penetrate/Backdoor/Spyware/Response

Query Type: Source IPs ranked by Sessions

Time: 1d-0h

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to PaulWelc

‎03-09-2009 10:50 PM

Just query MARS for this event-type. Once you get the old incidents in the Query, MARS will show you the 'Reporting Devices' name. Check this link:

https://www.cisco.com/sie/appintel/mars_incident-small-MS08-001.jpg

The reporting devices are IDSM2/4240 sensor etc,

Regards

Farrukh

0 Helpful

PaulWelc
Level 1
Level 1
In response to Farrukh Haroon

‎03-10-2009 06:44 AM

Farrukh, great idea, the only problem I chose to show me the report for a month, and for a year and MARS immediately comes back without data. I know I had data from the last year in this report( probably 3 months ago). I choose "Year" then click "display report" and 1 second later it comes back blank like it didn't try to pull the data.

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to PaulWelc

‎03-10-2009 06:50 AM

Can you logon to the CLI (SSH) and restart the MARS services? Usually MARS should make this large time-span query as a

'Batch Query' (and not inline), which would be delivered to your email inbox (if configured).

Regards

Farrukh

0 Helpful

PaulWelc
Level 1
Level 1
In response to Farrukh Haroon

‎03-10-2009 06:53 AM

I can try this, though I did reboot MARS last week and still didn't get the report. I double checked my IPS module in my ASA to make sure it is sending alerts to MARS, it is. Thanks for all of your help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents