I am using the default "Alert me when a rogue MAC address appears on the network" alert.
My understanding is that it should go off when the MAC address of a device is not in our white list. I have a device that passes the DNS and IP address rules just fine and is not in any of our White Lists. The device gets put in the Rogue Devices list, but the alert does not trigger. When I go to the Manage White list and do the "Test a device against all inclusion rules" with the MAC address, it says the MAC address passes because it has passed the DNS rule. I'm completely confused on this. Any idea where I should start?
Did you disable those rules provided by default which are excluding all IPs/MACs/Hostnames from being considered rogue? That, once you have created your custom white-lists, should be the first step. Then, if the new MAC alert wasn't created, couldn't it be that it wasn't actually new and already in the database of UDT?
The default rules are disabled; only my white lists are enabled. This happens on a machine that we just took out of the shipping box and plugged into the network. I've noticed one more thing. I am getting alerts on devices whose IP is in my ignore list.
So you did see the device connected in UDT and yet didn't receive any alert? The way the whitelist works is that each of the variables - MAC/IP/Hostname needs to be added manually, otherwise you get an alert. Couldn't it be that while the IP was on the ignore list, the respective MAC/Hostname wasn't?
The device appeared in my Rogue Devices list, but did not generate an alert. The IP that it received is not one of the ones on my ignored list. The device passed the IP and hostname rules, but should be failing on the MAC rule.