Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
4
Replies

Inactive CS-MARS reporting device

laamidd2003
Level 1
Level 1

‎09-13-2006 07:09 AM - edited ‎03-10-2019 03:13 AM

Hi all,

We've added three devices to mars...trying to get familiar before populating it with everything.

Each one logs this: Inactive CS-MARS reporting device on an hourly basis.

One device is a WinXP workstation, snare agent isntalled, one is a sun server and one is a catalyst.

Any idea why we get these?

Thanks,

Bob

Labels:
0 Helpful
4 Replies 4

mhellman
Level 7
Level 7

‎09-13-2006 10:20 AM

Because the devices haven't sent any events. Have you run a query for each device to make sure the devices are reporting correctly? You also might try running the "unknown event report" query (one of the last "result format" options). Did you click "activate" after adding the devices?

0 Helpful

laamidd2003
Level 1
Level 1
In response to mhellman

‎09-13-2006 10:41 AM

The XP box and Sun box have sent events in the past, say occasionally. The catalyst has never sent anything.

When the inactive reporting device rule gets matched, and the incident shows up, the catalyst is always listed:

The following device has not reported events to MARS in 3600 seconds:

The XP box and sun box are sometimes listed. So, I guess when they're not, it's because they've sent an event within the last hour.

The incident (or rule gets fired) occurs every hour on the hour. Since the catalyst has never sent anything, this rule gets fired every hour with, at the very least, the catalyst listed under reporting devices. If the xp and sun boxes have sent something in that previous hour, then they don't get listed.

Does that sound about right?

Can I tune this as false positive and have it log to DB only?

Any advice that way? I just want to filter out anything messy. I suppose if I had netflow enabled on the catalyst, it would be sending something and this rule wouldn't fire really.

I do click activate after adding devices.

Thanks,

Bob

0 Helpful

jwalker
Level 3
Level 3
In response to laamidd2003

‎09-13-2006 06:34 PM

This same thing was happening to me. It was because my CS-MARS devices weren't generating traffic every hour. It became annoying after a while, so I created a drop rule to filter out all of the "Inactive" events. Just one way to make it go away...

0 Helpful

laamidd2003
Level 1
Level 1
In response to jwalker

‎09-14-2006 03:25 AM

Thanks guys,

I'll create a drop rule,

Bob

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card