I have MARS 4.3.5 and the only thing I've done to this rule is to replace the "ANY" devices with my most chatty/critical devices.
Just after lunch I realized one of these devices had been frozen for 3 hours and MARS had not fired an incident.
This doesn't seem like a very reliable rule to me. Do I have to do any additional tweaking or is the rule to be considered "non functional"?
Did you do a query on MARS to see whether or not events had been sent from the "frozen" device during the 3 hour time period?
Could be a bug. If you go to Query and do the following:
Query type: Event Raw Messages ranked by Time, Real Time(raw events)
And then filter the query to this specific device, do you see raw events coming in?
Do you see any specific error messages in Admin >> System Maintenance >> Logs during this time period?
Logging is empty unless I use the "Last xx hours/minutes" function. Seems my MARS cannot select logs from a specific time period.
FWIW, I don't have any of those events in the last 24 hours and I have many devices that don't report in every hour. I would say it is broken on our 210. We use a different process to detect this problem so it doesn't affect us.
The events that trigger this rule are somewhat unique in that they are generated by some MARS process, and perhaps that process isn't working. You might try a query for the following event type during the last 3 hours:
"Inactive CS-MARS reporting device"
I've gone back to last year and I don't see any of these events either. It may be that because they're not "normal" events received by MARS that you can't query on them and they are not archived??? Out of curiosity, does anyone have an environment where this rule actually fires? Can you do a query on the event type?
It fires on our Gen1 MARS 100 box every hour for sure (and it's very annoying). However I am away from the customer now to actually run the query.
So the consensus is that this rule shouldn't be used to monitor critical devices? I will look at other tools to accomplish this.
hoffa, what is your specific requirement, can you please explain more.
This rule just reports any devices added in MARS as 'security/monitoring' devices and have not reported any 'raw' events to MARS in the past one hour.
I don't know about a consensus. We just happened to build our kludge for this before this kludge existed;-)
Provided it actually works of course, and if you modify the inspection rule to only include the devices that you care about and that consistently generate events, then it may very well meet your needs. In any event, IMO it is imperative that you have some way to monitor for devices that are no longer reporting into MARS that should be.
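The check the thread keeps coming back to (a reporting device that has gone quiet for longer than the rule's one-hour window, plus the "different process" some posters built themselves) is easy to implement outside of MARS. The following is an added example, not code from the thread or from Cisco: it reads a constructed raw-event stream, records the last event time per device, and flags any monitored device that has been silent longer than its threshold. The line format, the device names and the sample timestamps are assumptions; it also goes slightly beyond the MARS rule by flagging a monitored device that has never reported at all, and by allowing a per-device threshold so a box that legitimately reports only daily is not flagged every hour.

```python
from datetime import datetime, timedelta

# Constructed sample raw-event stream, one event per line as
# "<ISO timestamp> <device> <message>". This is NOT real CS-MARS output;
# the line format is an assumption made for this example.
SAMPLE_EVENTS = """\
2024-03-01T09:58:12 fw-edge-1 Built outbound TCP connection
2024-03-01T10:02:45 fw-edge-1 Teardown TCP connection
2024-03-01T10:15:03 ids-core-1 Signature match 2004
garbage line that should be skipped
2024-03-01T12:59:10 ids-core-1 Signature match 3050
"""

# Hypothetical device names we expect to report. A device listed here that has
# sent nothing at all is flagged too (the MARS rule discussed above does not do that).
MONITORED_DEVICES = ["fw-edge-1", "ids-core-1", "vpn-hub-1"]

DEFAULT_THRESHOLD_HOURS = 1.0  # the one-hour window the MARS rule uses


def parse_events(text):
    """Return a list of (timestamp, device) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # not a timestamped event line
        events.append((ts, parts[1]))
    return events


def last_seen(events):
    """Map each device to the timestamp of its most recent event."""
    seen = {}
    for ts, device in events:
        if device not in seen or ts > seen[device]:
            seen[device] = ts
    return seen


def inactive_devices(events, monitored, now_iso, threshold_hours=None):
    """Return {device: seconds_silent} for every monitored device whose newest
    event is older than its threshold. seconds_silent is None when the device
    has never been seen. threshold_hours optionally overrides the default
    per device, e.g. {"vpn-hub-1": 24} for a box that reports once a day."""
    threshold_hours = threshold_hours or {}
    now = datetime.fromisoformat(now_iso)
    seen = last_seen(events)
    flagged = {}
    for device in monitored:
        limit = timedelta(hours=threshold_hours.get(device, DEFAULT_THRESHOLD_HOURS))
        if device not in seen:
            flagged[device] = None
            continue
        silent = now - seen[device]
        if silent > limit:
            flagged[device] = int(silent.total_seconds())
    return flagged


if __name__ == "__main__":
    # Reference time chosen so fw-edge-1 has been silent for just over three
    # hours, matching the situation described in the thread.
    report = inactive_devices(parse_events(SAMPLE_EVENTS), MONITORED_DEVICES,
                              "2024-03-01T13:05:00")
    for device, silent in sorted(report.items()):
        if silent is None:
            print(f"{device}: no events ever received")
        else:
            print(f"{device}: silent for {silent // 60} minutes")
```

Run on a schedule against whatever export of raw events you already have (the thread notes that the "Inactive CS-MARS reporting device" pseudo-events themselves may not be queryable), and alert on any non-empty result; the per-device threshold table is where the "devices that don't report in every hour" mentioned above belong, so they do not drown the genuinely frozen ones.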