Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Report Stopped Working

I used to get the report "Activity: Spyware - Top Hosts". For the last few weeks the report shows nothing (no data). Any ideas on how to get this report populated again? I have rebooted MARS and that didn't help. Thanks

6 REPLIES

Re: Report Stopped Working

The first step would be to check if the reporting device is actually feeding this data into MARS? Have you verified that.

Regards

Farrukh

New Member

Re: Report Stopped Working

Hi Farrukh, I'm not sure what feeds this report, is there a way to tell? I have an IPS in my ASA, also have Active Directory sending reports to MARS.

Event type: Penetrate/Backdoor/Spyware/Response

Query Type: Source IPs ranked by Sessions

Time: 1d-0h

Re: Report Stopped Working

Just query MARS for this event-type. Once you get the old incidents in the Query, MARS will show you the 'Reporting Devices' name. Check this link:

https://www.cisco.com/sie/appintel/mars_incident-small-MS08-001.jpg

The reporting devices are IDSM2/4240 sensor etc,

Regards

Farrukh

New Member

Re: Report Stopped Working

Farrukh, great idea, the only problem I chose to show me the report for a month, and for a year and MARS immediately comes back without data. I know I had data from the last year in this report( probably 3 months ago). I choose "Year" then click "display report" and 1 second later it comes back blank like it didn't try to pull the data.

Re: Report Stopped Working

Can you logon to the CLI (SSH) and restart the MARS services? Usually MARS should make this large time-span query as a

'Batch Query' (and not inline), which would be delivered to your email inbox (if configured).

Regards

Farrukh

New Member

Re: Report Stopped Working

I can try this, though I did reboot MARS last week and still didn't get the report. I double checked my IPS module in my ASA to make sure it is sending alerts to MARS, it is. Thanks for all of your help!

149
Views
0
Helpful
6
Replies