Just deployed a CS-MARS 100 and we have configured too run discovery. We configured IP addresses in "community string and networks - valid networks", then activate. We select "run discover now" and nothing seems to happen, even after 24 hours. I also have the SNARE agent installed on two Windows 2003 servers and I am not seeing any events coming from them. I am sending the logs to MARS and I enabled syslog header and sending to port 514. Any assistance would be greatly appreciated.
"We select "run discover now" and nothing seems to happen"
Did you configure the valid networks on that same screen with the "discover now" button? They are required.
"I also have the SNARE agent installed on two Windows 2003 servers and I am not seeing any events coming from them"
Did you add the devices into CSMARS prior to installing/configuring Snare? Until they are added, the events will not be properly parsed but will show up in an "unknown event report".
Yes we did. This MARS is also running OS v.4.2.5(2456). I also configured a SNMP seed device, which happens to be one of our core Cat6k switches. Yes I have added the server to MARS in "security and monitor devices". Also I do not see this event "Inactive cs mars reporting device" which I should be because I have a server configured in MARS. I have also setup WireShark and I can see packets being sent to MARS from my windows server, but no events in MARS are showing up.
A dumb question I realize but did you try rebooting the MARS box? I find a reboot the best course of action when MARS is not acting according to design.
"which happens to be one of our core Cat6k switches"
did you click "activate"? It appears to be required at least for the scheduled topology updates. I would try getting a trace of the SNMP requests on the seed device.
"Also I do not see this event "Inactive cs mars reporting device" which I should be because I have a server configured in MARS"
ugh...what a kludge that event/rule is. you are right though..you should see them if there are no events. My preferred way to test new devices is with a real-time query. also, try getting a trace on the csmars box:
Yes, we try and activate after every command. : ) And then sometimes for no reason, just because. I have run a TCPDUMP on the MARS appliance and I am seeing traffic, just not being displayed on the dashboard. I am hoping that it is because MARS is still learning about our network.
"...And then sometimes for no reason, just because"
that's funny. I've done the same.
"just not being displayed on the dashboard."
not sure what you mean by the dashboard. are the events reflected in the summary information on the left? or, are the graphs just blank?
"I am hoping that it is because MARS is still learning about our network."
neither of the above would be because of this. non-netflow events from reporting devices should immediately be reflected in at least the left pane of the summary page.
What I mean is, I do not see the event or session under "incidents". On the dashboard summary page MARS will display the most recent Incidents in the center of the window and I was not seeing anything there either. I believe I think I now understand what was happening on Monday and Tuesday. My client had the appliance up and running with devices reporting too it, then when they learned I would be able to come over and assist with the deployment they re-imaged the appliance. So there was over 150 devices reporting to MARS and it didn't know about any of them. (unknown reporting device) Now that we have run discovery and MARS is starting to understand the traffic, everything is starting to look normal.