Inactive CS-MARS reporting device (again)

laamidd2003
Level 1

I created a drop rule; dest and src IPs are "ANY", and the hostnames are as seen in MARS. I chose "drop" as the action, not "log to db only". The event is "Inactive CS-MARS reporting device", device is "ANY", severity is "ANY", time range is "ANY". I clicked apply, submit and activate.

How come on my Summary | dashboard screen I still see these incidences? I was hoping this would stop. Is this expected behavior, or have I done something incorrectly?

Thanks,

Bob

4 Replies

mhellman
Level 7

I vaguely recall reading something about not being able to use a drop rule to prevent these. You have to inactivate the rule.

JUCETA
Level 1

I've solved that problem by including "ANY" and "0.0.0.0" in the source address. CS-MARS doesn't understand that ANY must include 0.0.0.0.

Concerning the dashboard, you'll see the events for a time, and previous incidents will be saved in the incident list. Since you add "0.0.0.0" in the source address, you won't see any Inactive CS-MARS event. The most important issue when filtering that event is that it is a very high number of events and all reports must be created using "!=Inactive CS-MARS reporting device".

As I told you, from now on you won't see that event any more.

Good luck!!

P.S.: Please rate the post.

Thanks Juceta,

That seems to have solved the problem, no new incidences for the last couple of hours.

Thanks,

Bob
