There is a rule in MARS which fired when any port in the switch go down and up, every day big number of incidents happening for this rule, but it dose not show me the source IP address it show only the destination IP address.
I need to know which user connect to that port.
And why the ports go up and down.
You would need to look into the switch syslog itself. If the switch syslog messages are not showing you the reason, MARS will not show you the reason. MARS will only show you whatever the switch syslog shows, so if switch syslog does not show you the reason, MARS will not know the reason.
You would need to investigate the switch.
MARS just provides a central repository for all the syslog messages, and if there is something that you need to investigate, you would need to go physically to the switch to troubleshoot as per normal. MARS will not tell you information that the switch does not provide.
ok but what you think why the switch ports go up and down like this?
because every day many incident happen fro the same rule.
What does the switch port connect to? To user's PC? if that is the case, maybe users are connecting and disconnecting the switch port / they connect in the morning when they come to the office, and disconnect the cable when they left.
Ok can I see which user is connect to that port which go up/down, I mean is it possible that I can now the user IP address ???