I have been implimenting a CS-MARS 50 and have it upgraded to 4.2.5. After the upgrade I started receiving the following error:
Inactive CS-MARS reporting device
When I pull up the incident, it lists 100 devices, about 25% of the devices I have configured on the MARS.
Any ideas as to what would case such a large drop in data?
That report only shows reporting devices for which MARS has not received an event from in the last hour. Are you saying you were seeing events more frequently from these reporting devices before the upgrade?
Before the upgrade I wasn't seeing any of the mesages, I was noting "Dips" in the data.
After the upgrade (3.4.3 - 4.2.6) I stated getting more accurate and relevant data from the MARS.
We found the cause of the issue and I'm embarassed to say it was a layer 1 issue. The cable had become lose and was losing connection. Later in the day on Friday, it finally lost connection all together.
After fixing the cable it seems to be holding all weekend.
So, you were seeing events from these 100 devices before the upgrade? I believe that rule was added during your upgrade process, so this rule would not have been firing even if all 100 of these devices were not working prior to upgrading.
The odd part is I have connectivity to the devices and to the MARS during the event. There is not reason to not have the information comming in. Several of the devices are connected to the same switch the MARS is on.
Generally speaking, the way I troubleshoot these issues is to connect to the device and verify that there are actually events being generated. Then, SSH into MARS and use tcpdump to verify that they are being sent. If all that checks out, I then run a real-time query for that device.
absolutely, it depends on the device and even the configuration. A well tuned intrusion detection sensor, for example, may not alarm every hour. Another example is devices on backup links. That being said, most active devices will have events more frequently.
The same thing happened to me back when we first implemented MARS (v3.4). Chatty devices don't produce these alarms for me (like IPSs, Firewalls, etc) almost ever, so I decided to disable the Inactive Rule and clone it three times. Then I changed the Device in each rule to firewalls, IPSs and routers respectively. So now I have three rules to look for Inactive devices that I really care about. My switches never produce any events, so I was getting this alarm repeatedly from them. Now I just ignore stuff from the switches, CSA agents, etc. Not sure if this will work for you, but ...
** please rate if this helps*