Retrive IP from Raw Messages

Unanswered Question
Jun 28th, 2010

Hi All,

We are monitoring a MARS which running V 6.0, recently the MARS is getting much events form the Unknown reporting IPs. I tried to get the IPs of the Unknown reporting devices in many ways, but no luck. The only way I got those IP from the Raw logs of the events, but those are quite huge. I am getting the events comprising 150 pages for just 10 minutes time frame. Is there any possibilities that I can get only the list of IPs of the unknown reporting devices, Thanks in advance for your help....

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Scott Fringer Tue, 06/29/2010 - 04:10

Unfortunately, there is not a method for listing just the IP address of the unknown reporting devices.

You should be able to run a query with a result format of "Unknown Event Report...".  Limit the device to "Unknown Reporting Device".

The resulting data will include the raw messages, which as you noted includes the unknown reporting IP as well as a button to add this device.  Clicking the "Add Device" button will open a new window with the panel for adding a new security and monitoring device.  You can then define the correct device specifics and add the device so it is correctly parsed and monitored by CS-MARS.  This will be long process based on the amount of data you indicated, but adding one or two devices a day will lower the unknown reporting device events and slowly bring it under control.

Scott

Actions

This Discussion