
New Member

Not getting events

I have added just 2 4500 Cat switches to MARS. I have bootstrapped the switches according to the Cisco recommendations, and I can see using "sh logging" that 1000+ messages have been logged to the MARS IP, but when I run a query in MARS with device=any/both switch, with Query type: All matching events, I get a count=0.

Another thing to mention is that if I use device=any, I get more than 5000 events, but it says the Reporting Device=Unknown Reporting Device, but I can see the RAW messages are being gathered from the same switches that I have configured. Please help.

5 REPLIES
New Member

Re: Not getting events

Also, according to the books, the sessions are the aggregated (reduced) form of the events and hence their count should be less than the events, but on my MARS, I have Events=7,169

Sessions=7,201

Data Reduction=0%

Amazed...

Re: Not getting events

Dear Mohsin

It seems your switch is reporting events from a 'different source IP' than the one you entered in MARS. Run a query for the raw events and see the IP address being used by the switch to report to the MARS. Also check if you entered the correct model/version.

Regards

Farrukh

Silver

Re: Not getting events

Hi Mohsin,

Please use Farrukh's suggested solution and also remember that you won't see the data reduction immediately. I always counsel people to wait a few days and allow MARS to correlate events and to learn the network.

Hope this helps.

Best,

Paul

New Member

Re: Not getting events

Agree. But here is a different trick now.

I ran a discovery, and got 4-5 routers and 6-7 switches. Then I deleted the seed switches and got them through discovery, so there is no question of conflict of reporting device IP and access device IP?

Still, when I run the query selecting any particular device, and query type=events ranked by time, I get 0 events.

Interestingly, if I use device=any, I get a lot of events, with reporting device showing the same devices that are learned through discovery.

I am unable to know for sure which devices are sending events and which are not.

Please help

Re: Not getting events

There is a 'device IP' and a 'reporting IP'; make sure that the reporting IP is set to the one you see in 'raw events'.

Regards

Farrukh
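
The reporting-IP check suggested in the replies above, as an added example that is not part of the original thread: it reconciles the source addresses seen in raw events against each device's configured reporting IP and also lists devices that sent nothing. The inventory layout, device names, addresses and messages are constructed for illustration and are not a MARS export format.

```python
from collections import Counter

# Constructed inventory: the reporting IP entered for each device, plus the
# interface addresses known to belong to it (e.g. learned through discovery).
INVENTORY = [
    {"name": "cat4500-a", "reporting_ip": "192.0.2.1",
     "interfaces": {"192.0.2.1", "198.51.100.1"}},
    {"name": "cat4500-b", "reporting_ip": "192.0.2.2",
     "interfaces": {"192.0.2.2", "198.51.100.2"}},
    {"name": "rtr-1", "reporting_ip": "192.0.2.3",
     "interfaces": {"192.0.2.3"}},
]

# Constructed (source IP, raw message) pairs as received by the collector.
RAW_EVENTS = [
    ("198.51.100.1", "%SYS-5-CONFIG_I: Configured from console"),
    ("198.51.100.1", "%LINK-3-UPDOWN: Interface Gi1/1, changed state to up"),
    ("192.0.2.2", "%LINEPROTO-5-UPDOWN: Line protocol on Gi2/1, changed state to up"),
    ("203.0.113.9", "%SEC-6-IPACCESSLOGP: list 101 denied tcp"),
]

def reconcile(inventory, raw_events):
    """Classify each syslog source IP against the configured reporting IPs."""
    counts = Counter(src for src, _ in raw_events)
    by_reporting = {d["reporting_ip"]: d["name"] for d in inventory}
    by_interface = {ip: d for d in inventory for ip in d["interfaces"]}
    report = {"attributed": {}, "mismatched": {}, "unknown": {}, "silent": []}
    for src, n in counts.items():
        if src in by_reporting:
            # Source matches a configured reporting IP: events are attributed.
            report["attributed"][by_reporting[src]] = n
        elif src in by_interface:
            # Known device, but it logs from a different interface address.
            dev = by_interface[src]
            report["mismatched"][src] = {
                "device": dev["name"], "configured": dev["reporting_ip"], "events": n}
        else:
            # Nothing in the inventory owns this address.
            report["unknown"][src] = n
    heard = set(report["attributed"]) | {m["device"] for m in report["mismatched"].values()}
    report["silent"] = [d["name"] for d in inventory if d["name"] not in heard]
    return report

if __name__ == "__main__":
    for section, content in reconcile(INVENTORY, RAW_EVENTS).items():
        print(section, content)
```

Entries under "mismatched" are the ones whose reporting IP should be changed to the address seen in the raw events; "silent" devices are not sending at all.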
