Report and rule return nothing but query is working

May 22nd, 2009

Hello

I have a CS-MARS 50 box, ver 6.2.

When I am doing a query on raw messages for the string Configured, or a query for the event "router configuration is changed", everything is working fine and the syslogs are displayed.

When I am trying to issue a report on that specified query, nothing appears.

I also configured a rule that should be triggered when a syslog with the string Configured is viewed or the event "router configuration is changed" triggers.

This doesn't work either.

The rest of the fields are left to ANY.

Any idea what I missed?

Thanks!

Stelian

dragnia_s Mon, 05/25/2009 - 06:49

I guess I figured it out.

The clock was off by about 10 h between the MARS and the switch.

I don't know exactly why MARS behaved this way.

Does anybody know how MARS chooses to store logs that appear to arrive late?

Why were they stored (just enough for a query, and later on dismissed for a report)?

I guess the event couldn't be parsed because the field was off.

stelian
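
A check for the clock mismatch described in this thread, as an added example that is not part of the original posts and not MARS code: it compares the timestamp each device stamps into its syslog with the time the collector received it, and reports devices whose clocks are off. The line format, host names, `DEVICE_FMT` and the 5-minute tolerance are assumptions, and the sample lines are constructed.

```python
import statistics
from datetime import datetime, timedelta

# Constructed sample: "<collector receive time>|<device>|<raw syslog>".
# Both clocks are assumed to be in the same time zone, and the device stamp
# is assumed to include the year; adjust DEVICE_FMT for other sources.
SAMPLE = """\
2009-05-22T18:15:03|sw-access-1|May 22 2009 08:15:02: %SYS-5-CONFIG_I: Configured from console by admin on vty0
2009-05-22T18:20:41|sw-access-1|May 22 2009 08:20:40: %SYS-5-CONFIG_I: Configured from console by admin on vty0
2009-05-22T18:21:10|rtr-core-1|May 22 2009 18:21:09: %SYS-5-CONFIG_I: Configured from console by admin on vty1
this line is malformed and must be skipped
"""
DEVICE_FMT = "%b %d %Y %H:%M:%S"
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance before a device is flagged


def parse_line(line):
    """Split one record into (device, collector time, device-stamped time)."""
    received, device, raw = line.split("|", 2)
    stamp = raw.split(": ", 1)[0]  # text before the first ": " is the device timestamp
    return device, datetime.fromisoformat(received), datetime.strptime(stamp, DEVICE_FMT)


def skew_by_device(text):
    """Return {device: median of (collector time - device time) in seconds}."""
    samples = {}
    for line in text.splitlines():
        try:
            device, received, stamped = parse_line(line)
        except ValueError:
            continue  # wrong field count or unparseable timestamp
        samples.setdefault(device, []).append((received - stamped).total_seconds())
    # The median keeps one delayed or retransmitted message from skewing the result.
    return {dev: statistics.median(vals) for dev, vals in samples.items()}


def skewed_devices(text, max_skew=MAX_SKEW):
    """Return only the devices whose median skew exceeds the tolerance."""
    limit = max_skew.total_seconds()
    return {dev: s for dev, s in skew_by_device(text).items() if abs(s) > limit}


if __name__ == "__main__":
    for dev, seconds in skewed_devices(SAMPLE).items():
        print(f"{dev}: clock differs from collector by {seconds / 3600:.2f} h")
```

Running such a check before trusting time-windowed reports or correlation rules shows whether a missing result is a clock problem rather than a rule problem.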
