I have added just 2 4500 Cat switches to MARS. I have bootstrapped the switches according to the Cisco recommendations, and I can see using "sh logging" that 1000+ messages have been logged to the MARS IP, but when I run a query in MARS with device=any/both switch, with Query type: All matching events, I get a count=0.
Another thing to mention is that if I use device=any, I get more than 5000 events, but it says the Reporting Device=Unknown Reporting Device, but I can see the RAW messages are being gathered from the same switches that I have configured. Please help.
It seems your switch is reporting events from a 'different source IP' than the one you entered in MARS. Run a query for the raw events and see the IP address being used by the switch to report to the MARS. Also check if you entered the correct model/version.
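The source-IP check suggested in the reply above, as an added example that is not part of the original thread or any MARS tooling. It assumes the raw events have been reduced to (source IP, message) pairs and that each switch's interface addresses are known; all names, addresses and messages below are constructed.

```python
from collections import Counter
from ipaddress import ip_address

# Constructed inventory: the reporting IP entered in MARS for each switch, plus
# every address the switch owns (e.g. taken from "show ip interface brief").
INVENTORY = {
    "sw4500-a": {"reporting_ip": "192.0.2.1", "interfaces": ["192.0.2.1", "198.51.100.1"]},
    "sw4500-b": {"reporting_ip": "192.0.2.2", "interfaces": ["192.0.2.2", "198.51.100.2"]},
}

# Constructed sample: (source IP of the syslog datagram, raw message text).
OBSERVED = [
    ("198.51.100.1", "%LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down"),
    ("198.51.100.1", "%LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/1, changed state to down"),
    ("198.51.100.1", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("192.0.2.2", "%SYS-5-CONFIG_I: Configured from console by admin on vty0"),
    ("192.0.2.2", "%LINK-3-UPDOWN: Interface GigabitEthernet2/4, changed state to up"),
    ("203.0.113.9", "%SYS-5-RESTART: System restarted"),
]

def reconcile(inventory, observed):
    """Split observed syslog sources into matched, wrong-source and unknown."""
    owner = {}  # interface address -> device name
    for name, dev in inventory.items():
        for ip in dev["interfaces"]:
            owner[ip_address(ip)] = name
    report = {n: {"matched": 0, "wrong_source": Counter()} for n in inventory}
    unknown = Counter()
    for src, _msg in observed:
        src_ip = ip_address(src)
        name = owner.get(src_ip)
        if name is None:
            unknown[src] += 1  # sender is not in the inventory at all
        elif src_ip == ip_address(inventory[name]["reporting_ip"]):
            report[name]["matched"] += 1  # would be attributed to the device
        else:
            report[name]["wrong_source"][src] += 1  # right device, wrong address
    return report, unknown

if __name__ == "__main__":
    report, unknown = reconcile(INVENTORY, OBSERVED)
    for name, r in report.items():
        print(name, "matched:", r["matched"], "wrong source:", dict(r["wrong_source"]))
    print("unknown senders:", dict(unknown))
```

A device that shows only wrong-source hits matches the symptom in this thread: either enter that address as the reporting IP in MARS, or pin the address the switch sends from with the IOS `logging source-interface` command.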
Please use Farrukh's suggested solution and also remember that you won't see the data reduction immediately. I always counsel people to wait a few days and allow MARS to correlate events and to learn the network.
I ran a discovery and got 4-5 routers and 6-7 switches. Then I deleted the seed switches and got them through discovery, so there is no question of conflict of reporting device IP and access device IP?
Still, when I run the query selecting any particular device, with query type=events ranked by time, I get 0 events.
Interestingly, if I use device=any, I get a lot of events, with the reporting device showing the same devices that are learned through discovery.
I am unable to know for sure which devices are sending events and which are not.