CiscoWorks VMS Event Viewer usage compared with MARS

I've been using VMS Security Monitor Event Viewer to monitor IPS sensors for the past few years. I'm used to the workflow of reviewing events in Event Viewer and then resolving them and sometimes removing them from the grid.
I'm beginning to use MARS and I'd like to know what the equivalent of resolving and removing from grid in MARS is or is this something you don't do in MARS and you work differently with the events in MARS?
Thanks in advance

The actual replacement for the IDS Event Viewer is the IPS Manager Express (IME) and not MARS. If you are looking for real-time monitoring and filtering of events for up to 5 sensors, then IME is the way to go. MARS is more of a SIM/SEM tool that collects logs from 'various' devices and 'correlates' those events into meaningful 'incidents'. It does the same for IPS devices. But you won't see 'every' event in the MARS Incidents page (as every event is not an incident). You have to run a query for that (Historical or real-time).
Regards
Farrukh

Similar Messages

  • Setting Graph View Usage dynamically

    Hello all,
    I have a Graph Table with 2 graphs (Pie and Bar) and I'm trying to set their View Usage dynamically with the code below but it's not working. There is no error message, it just simply doesn't return anything. We need to set it dynamically because we have different levels and VO's to the same graph page.
    Is there anything else that should be done?
    OAGraphTableBean graphTable = (OAGraphTableBean)webBean;
    if (graphTable != null) {
        graphTable.setViewUsageName("OperationHdrGraphVO1");
    }
    Thanks and Regards,
    Eduardo

    Hi Sumit,
    It worked creating the graph programmatically using the code below.
    Thanks for your help.
    Eduardo
    Vector graphs = new Vector();
    OAGraphTableBean graphTable = (OAGraphTableBean)webBean;
    // Details of the bar graph; pViewUsage is the view-usage name passed in by the caller
    Dictionary graphBarDetails = new ArrayMap(10);
    graphBarDetails.put("AGRFUNCTION", "none");
    graphBarDetails.put("GRAPHTYPE", "vertical clustered bar");
    graphBarDetails.put("GRAPHTITLE", "Cost Bar Graph");
    graphBarDetails.put("YAXISLABEL", "Allocation Amount");
    graphBarDetails.put("GRAPHSIZE", "medium");
    graphBarDetails.put("CUSTGRAPHWIDTH", "");
    graphBarDetails.put("CUSTGRAPHHEIGHT", "");
    graphBarDetails.put("DISPLAYTOOLTIP", BooleanUtils.getBoolean(true));
    graphBarDetails.put("XAXISLABEL", "");
    graphBarDetails.put("DRILLDOWNURL", "");
    graphBarDetails.put("DISPLAYED", BooleanUtils.getBoolean(true));
    // Two data columns: the values (AllocatedAmount) and the group labels (AllocName)
    Vector graphCols = new Vector();
    for (int j = 0; j < 2; j++) {
        Dictionary graphData = new ArrayMap(5);
        graphData.put("VIEWUSAGENAME", pViewUsage);
        if (j == 0) {
            graphData.put("VIEWATTRIBUTENAME", "AllocatedAmount");
            graphData.put("GRAPHDATASTYLE", "data");
            graphData.put("GRAPHDATAPROMPT", "Allocation Amount");
        } else {
            graphData.put("VIEWATTRIBUTENAME", "AllocName");
            graphData.put("GRAPHDATASTYLE", "groupLabels");
            graphData.put("GRAPHDATAPROMPT", "");
        }
        graphData.put("GRAPHSTOCKVALUE", "none");
        graphCols.addElement(graphData);
    }
    graphBarDetails.put("GRAPHDATACOLS", graphCols);
    graphs.addElement(graphBarDetails);
    graphTable.setGraphDetails(graphs);

  • Create an Event log entry in Event Viewer in Windows 7, when processor exceeds a set percentage of usage

    Hi, I am trying to create an Event log entry in Event Viewer in Windows 7 when the processor exceeds a set percentage of usage. I have unsuccessfully tried doing this through a Data Collector Set in the User Defined folder to monitor CPU usage and to trigger an Alert and log an entry when the CPU exceeds a set percentage of usage. Any suggestions, and please if possible keep them simple and easy to follow, I am not too familiar with Windows 7.

  • Unable to refresh the schema of FIM MA. Getting an error in Event Viewer "the current version of database is not compatible with the one expected by Forefront Identity Manager service. The current version of database is : 1116. The expected version is :1"

    Hi,
    We have installed FIM MA with an account that has all the sufficient rights. It got created successfully and worked for Full Import and Full Sync. But, due to some version incompatibilities, we have installed a patch. PFB link for the patch.
    http://support.microsoft.com/en-us/kb/2969673/en-us
    Now, we are trying to refresh the schema of FIM MA. While doing that we are facing an error "Failed to connect to database". The user account with which we are connecting has read and write permissions on the DB. In the event viewer some errors are logged like "the current version of database is not compatible with the one expected by Forefront Identity Manager service. The current version of database is : 1116. The expected version is :1122" with event ID 3. PFB images for a more detailed view.
    Please advise how to fix the issue.
    Thanks
    Prasanthi.

    Hello,
    It seems to me that you maybe only updated the syncengine but not portal/webservice.
    I had that error once after a recovery from scratch and forgot one of the hotfixes to apply to all services.
    -Peter
    Peter Stapf - ExpertCircle GmbH - My blog:
    JustIDM.wordpress.com

  • Event Viewer reporting continuous problem with Firefox

    I had to disable McAfee Site Advisor because if enabled I could not use the back and forth arrows on the browser in some instances. In trying to track this problem down I discovered there is a continuous problem reported in Event Viewer with this information:
    The entry <C:\USERS\CINDY\APPDATA\LOCAL\MOZILLA\FIREFOX\PROFILES\PV0GC0WS.DEFAULT\CACHE\_CACHE_003_> in the hash map cannot be updated.
    Context: Application, SystemIndex Catalog
    Details:
    A device attached to the system is not functioning. (0x8007001f)
    Can anyone please help with this?

    The error could be something trivial, it will depend really on what problems you are having, and I note you have made a few other posts.
    * One article you may find useful is [[Basic troubleshooting]]
    * Also see [[Safe Mode]] & [[Troubleshooting extensions and themes]]
    ** Note when using safe mode normally do not make changes in the first dialogue Window you see just click on the continue button (Unless you really do want to reset something)
    ** Also note whilst Safe Mode does disable plugins, it will not always stop all external software interacting with Firefox.
    A basic principle of troubleshooting is to reduce as many unknown interactions as possible, so in the case of Firefox disabling or removing as many extras as possible.
    If you are determined to check what is in the Firefox caches then use ''about:cache'': simply type it into the location bar and hit return. It is relatively user friendly and shows masses of info about what is cached; there is also an [https://addons.mozilla.org/en-us/firefox/addon/cacheviewer/ add-on cacheviewer]. Even without the add-on you may be able to figure out what the item is, and whether or not it is updating.
    I do not even use Vista, but presumably an event log entry may not necessarily relate directly to Firefox use.
    ''"in the hash map cannot be updated.
    Context: Application, SystemIndex Catalog "''
    I would hazard a guess that the above message may relate to disk indexing; if so it will possibly have nil impact upon Firefox operation.
    I do recall problems being mentioned on this forum about Site Advisor and Firefox, and note some versions are on the [https://www.mozilla.com/en-US/blocklist/ blocklist] for Firefox 4. If you have problems with SiteAdvisor it would be worth ensuring you have the very latest compatible release of Site Advisor.

  • Error in Event Viewer every time an email is sent with an attachment

    Hi All,
    I'm having a problem with my Exchange server: every time an email gets sent with an attachment under the size of 20MB it bounces back, and when it bounces back I get this in the event viewer,
    Cmdlet failed. Cmdlet Get-User, parameters {Identity=NT AUTHORITY\SYSTEM}.
    I've checked all the settings and they are as they were set up in the first place; nothing has changed.
    Hope you get back soon
    Regards
    Matthew Carney

    Hi Belinda,
    these are emails going outbound, this is the error we get when the email gets bounced back to us -
    mx.google.com rejected your message to the following e-mail addresses:
    *the email address*
    mx.google.com gave this error: This message was blocked because its content presents a potential security issue. Please visit
    http://support.google.com/mail/bin/answe r.py?answer=6590 to review our message content and attachment content guidelines. iy12si4764635wic.81 - gsmtp
    Your message wasn't delivered because the recipient's e-mail provider rejected it.
    Diagnostic information for administrators:
    Generating server: ADMINSERVER.adminserv.local
    mx.google.com #552-5.7.0 This message was blocked because its content presents a potential 552-5.7.0 security issue. Please visit
    http://support.google.com/mail/bin/answe 552-5.7.0 r.py?answer=6590 to review our message content and attachment content 552 5.7.0 guidelines. iy12si4764635wic.81 - gsmtp ##
    I am the network admin and the IT manager. This has confused me a bit because all the settings are as they were when I set it up, and it's only been like this for the past month; the logs are full of errors for this problem.
    We can send attachments internally fine, and the file I tried to send in the email above was 15MB.
    It's not just Google that we get bounced on, it's every email going outbound.
    Regards Matthew Carney

  • Essential event viewer bugs with "Forwarded Events" log in Windows Server 2008 R2 and Windows 7

    To my general experience, Windows event viewer is one of the most problematic, faulty management tools in the case of extensive use of its more sophisticated capabilities. The sole description as well as reproduction of some entangled failures would require remarkable effort.
    With the "Forwarded Events" log however, the situation becomes particularly worse in that even simple functionality fails and workarounds are difficult to find. That’s what I’ll describe here in order to share my experience with interested users.
    For precision: I’ve extensively used event viewer on a German Windows Server 2008 R2 SP1 (Windows SBS 2011 Standard SP1). The bugs I found on that system, I could reproduce on a German Windows 7 Professional 64-Bit SP1, too.
    Problem 1: Failure of even simple event filtering
    To reproduce this problem, execute these steps on a test machine with any of the two OS mentioned above:
    (i) To prepare log contents, do either of the following:
    (a) populate some events to your local "Forwarded Events" log (most simply by subscribing events from other logs of the same machine; stop subscription if you have collected some events)
    Or
    (b) copy a non-empty log file "ForwardedEvents.evtx" from another machine (with any of the two OS mentioned above) to your test machine and open the file in event viewer.
    (ii) Navigate to your "Forwarded Events" test log and open the filtering dialog. In the "Includes/Excludes Event IDs" field, type: 1-9000. Click OK.
    (iii) Look at the results pane: Surprise, 0 Events! Do you really have no event IDs between 1 and 9000 in your test log?
    (iv) Another example, if you have forwarded security events in your test log: Clear filter, if any previous filter is in place. Open the filtering dialog. In "Keywords" sub-dialog, choose "Audit Success". Click OK.
    (v) Look at the results pane: Surprise, 0 Events! Do you really have no successful security monitoring events in your test log?
    I’ll finish here. If you have a rich variety of events in your test log available, let your imagination run wild to test around. Finally include some simple manually created or modified XPath filters on the XML tab of the filtering dialog. I promise, you’ll find a lot of additional strange results.
    Problem 2: Cannot save manually selected events to .evtx file
    Navigate to your "Forwarded Events" test log. In the results pane, select one or more events by highlighting them by mouse clicks. In context menu, choose "Save selected events". In the "save as" dialog, choose file type *.evtx and save your file. Open the newly created file in event viewer. Result: Surprise, no events inside the new file!
    Have more fun with forwarded events
    Helmut

    Did you mean right-click Forwarded Events and select "Filter Current Log..."? Since I can filter the correct events via "Filter Current Log..." in my Lab environment.
    Hi Justin,
    yes, I mean "Filter Current Log ... " (in my German systems: "Aktuelles Protokoll filtern ... ").
    What do you mean with "my Lab environment" exactly?
    In the meantime, I performed additional tests. I copied the "ForwardedEvents.evtx" test file from Server 2008 R2 resp. Windows 7 to
    (i) German Windows 8 Pro 64-Bit RTM
    (ii) German Windows 8.1 Pro 64-Bit, up-to-date
    in order to view and filter the file there.
    Results: Same event viewer problem on Windows 8 RTM, but correct behavior on Windows 8.1!
    Best regards, Helmut

  • User locks without any log in Event Viewer

    Hi,
    In our Active Directory environment, domain users get locked out without any event saved in Event Viewer, so I am not able to see why these users get locked.
    Any help?

    Hi,
    Additional information for you:
    Tracing Account Lockout Source
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/50512220-aeb2-4eb2-b467-2b9ad9a5b2db/tracing-account-lockout-source
    Regards.
    Vivian Wang

  • Update Problems with Adobe, Win 7, 64 bit, Event Viewer confused

    When I looked into the Event Viewer, I noticed that there seem to be problems with AAM. I only have Adobe Elements, Acrobat Reader, Adobe Flash Player, Adobe Air, etc. AAM does not list any of the products I have, but a lot of stuff that is far too advanced for me. I am wondering what to do about it. Helga. P.S. I had to pick one of the Forums.

    Is there a task that you are unable to do?
    The Adobe Application Manager is a part of CS5 and CS6.  My copy of it also lists several packages I don't have installed with a [Try] button to the side.
    Perhaps re-installing with the latest would help?
    http://www.adobe.com/support/downloads/detail.jsp?ftpID=4773
    Roy

  • No sound, explorer.exe not starting, no event viewer

    I set up a new PC recently and installed Windows 7 Pro. Approximately once every few days I get a problem which, oddly, has several seemingly different manifestations. I mean that if I see one of these, all the others can be observed as well, until I reboot.
    These manifestations are:
    Windows Media Player will not play an audio file (.wav, .mp3), usually just hanging. VLC player will not hang but will not produce sound either. Video content is played OK though.
    Explorer (if started by left clicking on the toolbar button) will bring up the message “Invalid signature” and won’t start. If started by right clicking and then selecting one of the folders in the “last used” list it will start OK though.
    Computer – Manage will dim screen and display a UAC message (normally it would start straight away). After getting through this message, the “Computer Management” window will duly pop up, but it will be missing the Event Viewer item in the left panel.
    I could find nothing suspicious in the event logs.

    I'm adding another image: Task Manager:
    I thought it's worthwhile because total CPU usage shows 12% (and it stayed for a while around that value), but each individual process was consuming 0%.
    There were a few error messages in Application and System logs but I think I saw them quite often, so they were not specific for this occasion. They are:
    WMI error:
    Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
    User Profile Service warning:
    Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.  
     DETAIL - 
     10 user registry handles leaked from \Registry\User\S-1-5-21-1620775572-3903616698-3239891420-1000:
    Process 880 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000
    Process 880 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000
    Process 2060 (\Device\HarddiskVolume2\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Ahead\Nero Home\MediaLibrary\Scanner
    Process 2060 (\Device\HarddiskVolume2\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Ahead\Nero Home\MediaLibrary\Scanner
    Process 2060 (\Device\HarddiskVolume2\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Ahead\Nero Home\MediaLibrary
    Process 2060 (\Device\HarddiskVolume2\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Ahead\Nero Home\MediaLibrary
    Process 2060 (\Device\HarddiskVolume2\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Ahead\Nero Home\MediaLibrary
    Process 880 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Microsoft\SystemCertificates\My
    Process 880 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Microsoft\SystemCertificates\CA
    Process 880 (\Device\HarddiskVolume2\Windows\System32\lsass.exe) has opened key \REGISTRY\USER\S-1-5-21-1620775572-3903616698-3239891420-1000\Software\Microsoft\SystemCertificates\Disallowed
    Search error:
    Unable to initialize the filter host process. Terminating.
    Details:
    This operation returned because the timeout period expired.  (HRESULT : 0x800705b4) (0x800705b4)
    Distributed COM error:
    The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {C97FCC79-E628-407D-AE68-A06AD6D8B4D1} and APPID {344ED43D-D086-4961-86A6-1106F4ACAD9B} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
    Service Control Manager error:
    A timeout was reached (30000 milliseconds) while waiting for the Optimizer Pro Crash Monitor service to connect.
    Service Control Manager error:
    The Windows Modules Installer service terminated with the following error: 
    The handle is invalid.

  • Cisco Works Integration with MARS

    Can CiscoWorks be integrated with MARS? I mean CiscoWorks is acting as a syslog server for some switches. Can MARS pull the records from CiscoWorks and use them for its correlation?

    As Michael pointed out, configuring two syslog destinations on your switch is possible, and allows the switch to send to both CiscoWorks and CS-MARS simultaneously. This affords the safety that should one system be down, the other system will continue to receive syslog events from the switches. Should you not wish to configure two logging destinations on your switch, you could configure your switches to send their syslogs to CS-MARS and configure CS-MARS to relay the received syslog messages to CiscoWorks. This option is outlined in the CS-MARS user guide:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/cfgOver.html#wpmkr181270
    Scott

  • Missing Event Viewer VM Manager Log after upgrade from SCVMM 2012 SP1 to R2

    We recently upgraded from SCVMM 2012 SP1 to SCVMM 2012 R2. After the upgrade, I noticed that the VM Manager log, in the Event Viewer, is missing. I've tried to peruse all of the logs to see if it has been moved/renamed, with no luck. I highly doubt an important log would be removed without a replacement being available, so I'm curious if it was something that had to be enabled (isn't turned on by default).
    I had scripts which relied on the log for VM status changes, Event ID 821 (shut down/running/etc), to keep a last-used database for all of the VMs on our cloud.
    Has anyone run into this problem, or have any idea how I can get the information that was available in the VM Manager log?
    Thank you.

    I have a similar problem when migrating VMs from Windows 2008 R2 (Non Clustered) Hyper-V to Windows 2012 Hyper Cluster. I had previously migrated about 100 VMs like this with no problem. It appears since upgrading from VMM SP1 Rollup 4 to Rollup 5 this problem is happening. All Agents are up to date.
    I can migrate VMs in the cluster no problem.
    I removed the Windows 2008 R2 Hyper-V host and added it back which allowed the job to at least start but when it gets to the final steps of importing the VM it fails with the same error and references the VMM server.
    Others suggest this is a VMM Certificate problem and you can remove the Cluster node and add it back again but I can't do that in a production Cluster with hundreds of VMs. That is not an acceptable solution.
    How can we fix this?

  • Windows 8 64-bit, Event Viewer error log

    I just got a new Windows 8 64-bit notebook. I have only just set it up, yet in Event Viewer I get lots of error messages; one is HP error ID 2146233088, some are marked caution and others are critical, and all seem to be under HP. I installed all Windows updates and took out the 60-day trial of Norton Internet Security 2013 and installed my own; my printer is set up with a USB cable, wired. Other than that I have only installed Microsoft Office Home and Student, which I purchased for 3 computers from a retail store. Can anyone tell me why I would have so many errors showing up on a new computer?
    Thanks.

    Hello,
    The Windows Desktop Perfmon and Diagnostic tools forum is to discuss performance monitor (perfmon), resource monitor (resmon), and task manager, focusing on HOW-TO, Errors/Problems, and usage scenarios.
    Since your post is off-topic, I am moving it to the
    off topic forum.
    Karl
    When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.
    My Blog: Unlock PowerShell
    My Book:
    Windows PowerShell 2.0 Bible
    My E-mail: -join ('6F6C646B61726C406F75746C6F6F6B2E636F6D'-split'(?<=\G.{2})'|%{if($_){[char][int]"0x$_"}})

  • TopologyDiscovery.vbs event viewer error

    Hi,
    I have noticed the following error in event Viewer on the management server.
    TopologyDiscovery.vbs : Query "SELECT [Id], [BaseMonitoringClassId], [ManagedTypeViewName] FROM [dbo].[ManagedTypeView] WHERE [Name] = 'Microsoft.Windows.CertificateServices.CARole.2008'" did not produce valid results. Please verify your SQL. Cause:
    The SELECT permission was denied on the object 'ManagedTypeView', database 'XXX', schema 'dbo'.
    I'm not too sure if this is causing a specific error but wanted to know if it is something that I should pay attention to?
    Thanks

    Hi,
    According to the error message, The SELECT permission was denied on the object 'ManagedTypeView', database 'XXX', schema 'dbo', I would like to suggest you check the SELECT permissions on the object in the database.
    We may compare the permission with other tables and check out the differences.
    Regards,
    Yan Li

  • Log pair packets with MARS

    I have IPS 6.2, added in MARS 6.0.
    MARS polls events from the IPS normally, and there is no problem with that.
    But my issue: I configured some P2P signatures in the IPS with the actions (deny packet inline, produce alert, log pair packets). In the IPS Device Manager I can see in the Events tab that these flows are dropped by the IPS as I need, and in the IP Logging tab I can see the dropped packet logs, which is normal,
    but my issue is that "I want a report or query from MARS to show me the packets denied by the IPS".

    System Rule: Resource Issue: CS-MARS.
    This rule detects resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.
    Resource Issues: CS-MARS - All Events.
    This report lists event details for all events related to resource issues with the CS-MARS device, e.g. dropped events or netflow, etc.
    MARS is able to pull the IP log data from Cisco IDS and IPS devices, however, this operation is system intensive. Therefore, you should select the set of signatures that generate IP log data carefully.
    When configuring the active signatures on a Cisco IDS or IPS device, you must specify the alert action and the action that generates the desired data.
    To view IP logs, you must enable the alert or "produce-verbose-alert" action and the "log-pair-packets" action.
    It seems that the "log-pair-packets" is only an option to give you "IPlog" information on the MARS.
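For Helmut's "Forwarded Events" report above, the following is an added PowerShell example (not from the thread) that runs the two filters from his steps (ii) and (iv) as XPath queries through Get-WinEvent and prints how many events each one matches next to the unfiltered total, so a "0 Events" result in the filter dialog can be checked against what the log actually contains. It assumes a readable local ForwardedEvents log, or a saved ForwardedEvents.evtx passed with -Path; the two XPath expressions are the ones Event Viewer writes on the filter dialog's XML tab for those settings.

```powershell
# Added example (not from the thread). Re-run the two filters from Helmut's steps (ii) and
# (iv) as XPath queries against the Forwarded Events log and show how many events each
# matches, next to the unfiltered total. Assumes a readable local ForwardedEvents log, or a
# saved ForwardedEvents.evtx given with -Path.
param(
    [string]$Path       # optional: path to a saved ForwardedEvents.evtx instead of the live log
)

function Get-ForwardedEventCount {
    param([string]$XPath)
    $query = @{ FilterXPath = $XPath; ErrorAction = 'SilentlyContinue' }
    if ($Path) { $query.Path = $Path } else { $query.LogName = 'ForwardedEvents' }
    # Get-WinEvent raises a (non-terminating) error instead of returning nothing when no
    # event matches; SilentlyContinue turns that into an empty result, i.e. a count of 0.
    @(Get-WinEvent @query).Count
}

# The XPath Event Viewer writes on the filter dialog's XML tab for these settings:
#   step (ii): "Includes/Excludes Event IDs" = 1-9000
#   step (iv): Keywords = "Audit Success" (keyword bit 0x20000000000000 = 9007199254740992)
$filters = [ordered]@{
    'all events (no filter)'          = '*'
    'Event IDs 1-9000 (step ii)'      = '*[System[(EventID >= 1 and EventID <= 9000)]]'
    'Keyword Audit Success (step iv)' = '*[System[band(Keywords,9007199254740992)]]'
}

foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter = $name
        XPath  = $filters[$name]
        Count  = Get-ForwardedEventCount -XPath $filters[$name]
    }
}
```

A non-zero count here for a filter that the dialog reports as 0 Events shows that the events are present in the log and the discrepancy lies in the viewer's filter handling rather than in the log's contents.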
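For the account-lockout question above (domain users locked out with nothing in the client's Event Viewer), here is an added PowerShell example, not from the thread or its linked article, that reads lockout events from the domain's PDC emulator, which is where every lockout is recorded. It assumes a domain-joined session with rights to read the domain controller's Security log and that success auditing for user account management is enabled on the domain controllers; the event ID 4740 and the EventData field names are those of the Windows Security log.

```powershell
# Added example (not from the thread). Lockouts are written to the Security log of the
# domain controllers, not the client, and every lockout is also recorded on the PDC
# emulator as event ID 4740 ("A user account was locked out"), so that is where to look.
# Assumes: domain-joined session with read access to the DC's Security log, and the
# "Audit User Account Management" (Success) policy enabled on the domain controllers.
param(
    [int]$Hours = 24                   # how far back to search
)

# Locate the PDC emulator without needing the ActiveDirectory RSAT module.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

try {
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent reports "No events were found" as an error. If that happens while users
    # are being locked out, the lockouts are not being audited at all: check the audit
    # policy on the domain controllers before looking anywhere else.
    Write-Warning "No 4740 events on $pdc in the last $Hours h: $($_.Exception.Message)"
    return
}

$events | ForEach-Object {
    # Read the named EventData fields from the event XML rather than parsing the message text.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time             = $_.TimeCreated
        LockedAccount    = $data['TargetUserName']
        # In event 4740 the TargetDomainName field holds the "Caller Computer Name":
        # the machine that submitted the bad passwords and is the source of the lockout.
        CallerComputer   = $data['TargetDomainName']
        DomainController = $data['SubjectUserName']   # computer account of the DC that locked it
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```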
