Because the devices haven't sent any events. Have you run a query for each device to make sure the devices are reporting correctly? You also might try running the "unknown event report" query (one of the last "result format" options). Did you click "activate" after adding the devices?
The XP box and Sun box have sent events in the past, say occasionally. The Catalyst has never sent anything.
When the inactive reporting device rule gets matched, and the incident shows up, the Catalyst is always listed:
The following device has not reported events to MARS in 3600 seconds:
The XP box and Sun box are sometimes listed. So, I guess when they're not, it's because they've sent an event within the last hour.
The incident (or rule gets fired) occurs every hour on the hour. Since the Catalyst has never sent anything, this rule gets fired every hour with, at the very least, the Catalyst listed under reporting devices. If the XP and Sun boxes have sent something in that previous hour, then they don't get listed.
Does that sound about right?
Can I tune this as a false positive and have it log to DB only?
Any advice that way? I just want to filter out anything messy. I suppose if I had NetFlow enabled on the Catalyst, it would be sending something and this rule wouldn't fire really.
This same thing was happening to me. It was because my CS-MARS devices weren't generating traffic every hour. It became annoying after a while, so I created a drop rule to filter out all of the "Inactive" events. Just one way to make it go away...
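The hourly behaviour described in this thread can be modelled in a few lines. This is an added example, not part of any post and not MARS code: the function names, device names and event times are constructed, and only the 3600-second window comes from the incident text. It compares the unfiltered rule with one that excludes only the device known never to report, so the other devices still raise an incident when they go quiet.

```python
from datetime import datetime, timedelta

THRESHOLD = timedelta(seconds=3600)  # window quoted in the incident text


def inactive_devices(last_seen, now, expected_silent=frozenset()):
    """Return devices with no event in the window ending at `now`.

    last_seen maps device -> datetime of its latest event, or None if the
    device has never reported. Devices in expected_silent are not checked.
    """
    stale = []
    for device, seen in sorted(last_seen.items()):
        if device in expected_silent:
            continue
        if seen is None or now - seen >= THRESHOLD:
            stale.append(device)
    return stale


def hourly_report(events, devices, start, hours, expected_silent=frozenset()):
    """Evaluate the check on each hour boundary; keys are hour offsets."""
    report = {}
    for h in range(1, hours + 1):
        now = start + timedelta(hours=h)
        last_seen = {d: None for d in devices}
        for ts, dev in events:
            if ts <= now and (last_seen[dev] is None or ts > last_seen[dev]):
                last_seen[dev] = ts
        report[h] = inactive_devices(last_seen, now, expected_silent)
    return report


# Constructed sample data: the Catalyst never reports, the hosts report rarely.
START = datetime(2024, 1, 1, 0, 0)
DEVICES = ["catalyst", "sun-box", "xp-box"]
EVENTS = [
    (START + timedelta(minutes=20), "xp-box"),
    (START + timedelta(minutes=50), "sun-box"),
    (START + timedelta(hours=1, minutes=30), "xp-box"),
]

if __name__ == "__main__":
    print("unfiltered:", hourly_report(EVENTS, DEVICES, START, 3))
    print("catalyst excluded:",
          hourly_report(EVENTS, DEVICES, START, 3, {"catalyst"}))
```
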