I have some problems with the correlation rule "Inactive reporting devices".
"System Rule: Inactive CS-MARS Reporting Device
This rule detects reporting devices that have not reported an event in the last hour. For chatty devices such as firewalls and IDS, this may indicate connectivity issues or an issue with the devices themselves. This rule should be scoped down to only include chatty network infrastructure devices."
I noticed a strange behaviour of this rule:
1. When I added a group of chatty devices to this rule (click Edit Rule: Inactive reporting devices --->>> select the field Devices --->>> then add devices),
no event was triggered, even though some devices had stopped sending logs to Cisco MARS (believe me, these devices are very chatty).
2. Then I saw some configuration examples: when these devices were added as destination IP addresses to Rule: Inactive reporting devices, the rule was triggered correctly when problems occurred with the reporting devices.
But during our new project we changed the scheme for delivering logs and configured a centralised Syslog server between the reporting devices and Cisco MARS. After that, Rule: Inactive reporting devices stopped triggering, because all logs have the IP of the centralised Syslog server (((
And the built-in Cisco rule doesn't work either.
Does anybody know how to configure this correlation rule step by step?
If anybody has experience with such a problem, please help.
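As an added example (not code from the original post, Cisco MARS or Cisco), this Python script reproduces the problem described above: an inactivity check keyed on the packet's source IP sees only the relay once a central syslog server sits in front of the collector, while keying on the HOSTNAME field of the RFC 3164 syslog header keeps tracking each reporting device. The sample log lines, the relay address 10.0.0.5, the host names and the evaluation time are constructed.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: lines as received from a central syslog relay. Every packet's
# source is the relay, so the only per-device identity left is the HOSTNAME field.
RELAY_IP = "10.0.0.5"
SAMPLE_LOGS = [  # (packet source IP, raw syslog line "<PRI>Mmm dd HH:MM:SS HOST MSG")
    (RELAY_IP, "<166>Mar 10 09:05:11 fw-edge-1 %ASA-6-302013: Built outbound TCP connection"),
    (RELAY_IP, "<166>Mar 10 09:07:42 fw-edge-1 %ASA-6-302014: Teardown TCP connection"),
    (RELAY_IP, "<164>Mar 10 08:10:03 ids-dmz-1 %IPS-4-SIGNATURE: signature fired"),
    (RELAY_IP, "<166>Mar 10 09:58:30 fw-edge-2 %ASA-6-302013: Built outbound TCP connection"),
]
NOW = datetime(2024, 3, 10, 10, 0, 0)  # evaluation time for the sample (constructed)
HEADER_RE = re.compile(
    r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

def parse_line(line, year=NOW.year):
    """Return (hostname, timestamp) from an RFC 3164 header, or None if malformed.
    The header carries no year, so the caller's year is assumed."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return m.group("host"), ts

def last_seen(records, key="host"):
    """Map each identity to its newest event time. key='ip' mimics a rule that
    matches on the packet source; key='host' uses the header hostname."""
    seen = {}
    for src_ip, line in records:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts = parsed
        ident = src_ip if key == "ip" else host
        if ident not in seen or ts > seen[ident]:
            seen[ident] = ts
    return seen

def inactive_devices(records, now, key="host", expected=(), window=timedelta(hours=1)):
    """Identities silent for longer than `window`. Devices listed in `expected`
    that never appear at all are reported too: a dead device sends nothing."""
    seen = last_seen(records, key)
    silent = {ident for ident, ts in seen.items() if now - ts > window}
    silent.update(dev for dev in expected if dev not in seen)
    return sorted(silent)

if __name__ == "__main__":
    print("keyed on packet source IP:", inactive_devices(SAMPLE_LOGS, NOW, key="ip"))
    print("keyed on header hostname :", inactive_devices(SAMPLE_LOGS, NOW, expected=("fw-edge-3",)))
```

Keyed on the source IP the relay looks alive and nothing is flagged; keyed on the hostname, the IDS that went quiet at 08:10 and the expected device that never reported are both listed.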