
Inactive devices -- need HELP

Mykola Srebnyuk
Level 1

Hi to ALL,

I have some problems with the correlation rule: Inactive reporting devices.

"System Rule: Inactive CS-MARS Reporting Device

This rule detects reporting devices that have not reported an event in the last hour. For chatty devices such as firewalls and IDS, this may indicate connectivity issues or an issue with the device themselves. This rule should be scoped down to only include chatty network infrastructure devices."

I noticed a strange behaviour of this rule:

1. When I added a group of chatty devices to this rule (click Edit on Rule: Inactive reporting devices --->>> select field Devices --->>> then add devices), no event was triggered, even though some devices had stopped sending logs to Cisco MARS (believe me, these devices are very chatty).

2. Then I saw some examples of configuration where these devices were added as destination IP addresses to Rule: Inactive reporting devices, and the rule was triggered correctly when some problems occurred with reporting devices.

But during our new project we changed the scheme for delivering logs and configured a centralised syslog server between the reporting devices and Cisco MARS. After that, Rule: Inactive reporting devices stopped triggering, because all logs have the IP of the centralised syslog server (((

And Cisco's built-in rule doesn't work either.

If anybody knows how to configure this correlation rule "step-by-step", or has experience with such a problem, please help.

Regards,

Nickolas

1 Reply

Mykola Srebnyuk
Level 1

Hello!!!

Can anybody help me?

Does anybody have an idea how to solve this problem?

Regards, Nickolas
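
The situation described in this thread, as an added example that is not part of the original posts and is not Cisco MARS configuration: once every message arrives from the relay, a silence check keyed on source IP sees one healthy sender, while a check keyed on the originating hostname in the syslog header still notices the quiet device. It assumes the relay forwards RFC 3164 lines with the original HOSTNAME field intact; the hostnames, the relay address 192.0.2.10 and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...; capture HOSTNAME only.
HDR = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) ")

RELAY = "192.0.2.10"                      # constructed relay address
WATCHED = ["fw-edge-1", "ids-core-1", "vpn-gw-1"]   # constructed watch list
NOW = datetime(2024, 3, 3, 11, 0, 0)

def at(h, m, s):
    return datetime(2024, 3, 3, h, m, s)

# Constructed records: (collector receive time, packet source IP, raw line).
# Every packet comes from the relay, whichever device wrote the message.
SAMPLE = [
    (at(9, 0, 5), RELAY, "<134>Mar  3 09:00:05 fw-edge-1 fw: connection built"),
    (at(9, 0, 7), RELAY, "<134>Mar  3 09:00:07 ids-core-1 ids: signature fired"),
    (at(10, 40, 0), RELAY, "<134>Mar  3 10:40:00 ids-core-1 ids: signature fired"),
    (at(10, 55, 12), RELAY, "<134>Mar  3 10:55:12 ids-core-1 ids: signature fired"),
    (at(10, 56, 0), RELAY, "not a syslog line"),
]

def last_seen(records, key):
    """Map each device identity to the receive time of its newest event."""
    seen = {}
    for received_at, src_ip, line in records:
        m = HDR.match(line)
        if not m:
            continue  # malformed header: cannot be attributed to a device
        ident = src_ip if key == "src_ip" else m.group(1)
        seen[ident] = max(received_at, seen.get(ident, received_at))
    return seen

def inactive(records, expected, key, now, window=timedelta(hours=1)):
    """Return expected identities with no event inside the window."""
    seen = last_seen(records, key)
    return sorted(d for d in expected if d not in seen or now - seen[d] > window)

if __name__ == "__main__":
    # Keyed on source IP: the relay looks alive, so nothing is reported.
    print("by source IP:", inactive(SAMPLE, [RELAY], "src_ip", NOW))
    # Keyed on header hostname: the quiet and the never-seen device show up.
    print("by hostname: ", inactive(SAMPLE, WATCHED, "hostname", NOW))
```

The HOSTNAME field is written by the sender and some relays rewrite it, so check what the relay actually forwards before keying a rule on it.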