06-18-2008 04:20 AM
Hi
I have MARS 4.3.5 and the only thing I've done to this rule is to replace the "ANY" devices with my most chatty/critical devices.
Just after lunch I realized one of these devices had been frozen for 3 hours and MARS had not fired an incident.
This doesn't seem like a very reliable rule to me. Do I have to do any additional tweaking or is the rule to be considered "non functional"?
Regards
Fredrik
06-18-2008 04:58 AM
Did you do a query on MARS to see whether or not events had been sent from the "frozen" device during the 3 hour time period?
06-18-2008 05:08 AM
Could be a bug. If you go to Query and do the following:
Query type: Event Raw Messages ranked by Time, Real Time(raw events)
And then filter the query to this specific device, do you see raw events coming in?
Regards
Farrukh
06-18-2008 05:42 AM
I did a query for the time period and no events were seen by MARS.
/Fredrik
06-18-2008 05:47 AM
Do you see any specific error messages in Admin >> System Maintenance >> Logs during this time period?
Regards
Farrukh
06-18-2008 05:59 AM
Logging is empty unless I use the "Last xx hours/minutes" function. Seems my MARS cannot select logs from a specific time period.
06-18-2008 06:11 AM
No, that is normal. You have to select a time limit (default is 10 minutes I think) and hit submit.
Regards
Farrukh
06-18-2008 06:12 AM
FWIW, I don't have any of those events in the last 24 hours and I have many devices that don't report in every hour. I would say it is broken on our 210. We use a different process to detect this problem so it doesn't affect us.
06-18-2008 05:54 AM
The events that trigger this rule are somewhat unique in that they are generated by some MARS process, and perhaps that process isn't working. You might try a query for the following event type during the last 3 hours:
"Inactive CS-MARS reporting device"
06-18-2008 06:25 AM
I've gone back to last year and I don't see any of these events either. It may be that because they're not "normal" events received by MARS that you can't query on them and they are not archived??? Out of curiosity, does anyone have an environment where this rule actually fires? Can you do a query on the event type?
06-18-2008 06:29 AM
It fires on our Gen1 MARS 100 box every hour for sure (and it's very annoying). However I am away from the customer now to actually run the query.
Regards
Farrukh
06-18-2008 06:44 AM
So the consensus is that this rule shouldn't be used to monitor critical devices? I will look at other tools to accomplish this.
/Fredrik
06-18-2008 06:46 AM
hoffa, what is your specific requirement? Can you please explain more?
This rule just reports any devices added in MARS as 'security/monitoring' devices that have not reported any 'raw' events to MARS in the past one hour.
Regards
Farrukh
06-18-2008 07:16 AM
I don't know about a consensus. We just happened to build our kludge for this before this kludge existed;-)
Provided it actually works of course, and if you modify the inspection rule to only include the devices that you care about and that consistently generate events, then it may very well meet your needs. In any event, IMO it is imperative that you have some way to monitor for devices that are no longer reporting into MARS that should be.
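The independent check the last reply recommends, as an added example that is not from the thread or from MARS itself: it keeps the most recent event time per device and flags every device on a watch list that has been silent longer than the rule's one-hour window, including devices that never reported at all. Device names, timestamps and the watch list are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of per-event records (device, event timestamp), the
# shape a collector or SIEM export would give you. Not real MARS data.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2008-06-18 03:05:00"),
    ("fw-edge-01", "2008-06-18 03:55:00"),
    ("ids-core-02", "2008-06-18 00:40:00"),   # goes quiet after 00:40
    ("sw-dist-03", "2008-06-18 03:59:00"),
]

# Constructed watch list: the "chatty/critical" devices that replaced ANY in
# the rule. A device here with no events at all is flagged too, which a rule
# keyed only on events that did arrive cannot do.
MONITORED = ["fw-edge-01", "ids-core-02", "sw-dist-03", "vpn-hub-04"]


def last_seen(events):
    """Map each device to the timestamp of its most recent event."""
    seen = {}
    for device, ts in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if device not in seen or t > seen[device]:
            seen[device] = t
    return seen


def inactive_devices(events, monitored, now, threshold=timedelta(hours=1)):
    """Return sorted (device, minutes_silent) pairs for watched devices with
    no event within `threshold` of `now`; minutes_silent is None when the
    device never reported in the data examined."""
    seen = last_seen(events)
    result = []
    for device in monitored:
        if device not in seen:
            result.append((device, None))
        elif now - seen[device] > threshold:
            silent = int((now - seen[device]).total_seconds() // 60)
            result.append((device, silent))
    return sorted(result)


def check_sample():
    """Run the check against the constructed data at a fixed clock time."""
    return inactive_devices(SAMPLE_EVENTS, MONITORED, datetime(2008, 6, 18, 4, 20))


if __name__ == "__main__":
    for device, minutes in check_sample():
        state = "never reported" if minutes is None else f"silent {minutes} min"
        print(f"ALERT {device}: {state}")
```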