MARS 6.0 Inactive CS-MARS reporting device

atomike10 · ‎08-11-2009

We get this message with MARS but the two devices, both Cisco IDS 4.0, are both up and functioning. We are able to discover the device via MARS, but no logs will come in. We know the IDS's are logging because we can see them on the box themselves as well as sending them to another product. It just stopped during the day last week, no events were going on. Now every hour, we get this error.

I have tried rebooting the MARS, deleting and adding the devices to the MARS, and booting the IDS's themselves. Still nothing. Any help will be appreciated.

rmeans · ‎08-12-2009

It has been a while since I used IDS 4.0, so this may not be relevant. In addition I am going off of memory here. MARS 'discovery' with the IPS uses RDEP. When MARS pulls the actual data from the IDS, MARS uses SSL. It might be that your IDS SSL certificates need to be regenerated.

bnidacoc · ‎08-13-2009

IIRC how it was explained to me, these are systems which either have not sent (via syslog) or have not generated events to be pulled (SSDE). We get this a lot and devices traditionally classisfied as inactive are remote routers, access level switches, and the such due to relative absence of log worthy events. We have IPS modules which MARS picks up events and I have never seen then classified as inactive.

I am not familiar with the IDS 4.0 product, does it push to MARS or does MARS pull? Event though MARS classifies as inactive, have you performed a manual search query for events, Query type: Event Raw Messages, filtering on the devices in order to validate?