6 Replies Latest reply on Aug 9, 2018 10:58 AM by cahunt

    Rogue Alerts Issues with UDT

    dcokers

      We have recently implemented Rogue alerts in UDT. This is notifying us of items showing up as Rogue devices, those that are not in our approved MAC address white list.

       

      The only problem is it seems like we keep getting Rogue Alerts for devices that are already in our whitelist. For example, we've been installing new printers at several locations. This morning I installed a new one, and a few hours later we got a rogue alert for that device (working as designed), but then we also got 5 additional alerts for printers that we had already installed. We had already acknowledged those printers' rogue alerts, and those printers were already in the white list. I thought for a few weeks this was just a fluke, but it has occurred numerous times, to the point where my staff is spending more time searching for invalid alerts than valid alerts.

       

      Is anyone using Rogue alerts? Have you seen similar problems to this?

       

      The potential for this feature in UDT, especially as far as the SANS controls go, is great. However, barriers to getting this to work seem great as well.

        • Re: Rogue Alerts Issues with UDT
          dcokers

          I wanted to post some more information; maybe someone can help me as to what our issue might be.

           

          Monday, August 6th, 10:49am CT four Rogue Alerts came into our Email:

           

          Went to UDT at 10:57pm and observed there were four Active Alerts for the below MAC IDs:

          **:**:**:**:F2:A4
          **:**:**:**:75:4E
          **:**:**:**:91:27
          **:**:**:**:19:CA

           

          Went to the MAC White list that we are using, I verified that three out of the four MAC Addresses were already in our whitelist. MAC ID **:**:**:**:19:CA was not in the White List, I added it.

           

           

          I proceeded to acknowledge all four of these alerts.

           

          Anybody seen anything similar to this?

          Actually, is anyone using Rogue Alerts at all?

          • Re: Rogue Alerts Issues with UDT
            cahunt

            I do believe you are in need of an update, per SolarWinds.

            Whitelisted items still show as Rogue devices - SolarWinds Worldwide, LLC. Help and Support

            If I am reading this correctly, the issue should be resolved with UDT 3.3. If you are running 3.3 or 3.3.1 then something may have happened with the installer. I would check to make sure all your key services are present and possibly run a repair on the install if 3.3 or later.

             

            If a repair (and Configuration Wizard run) with 3.3 does not fix the issue then a support case may be in order to determine what is the underlying cause.

             

             

            -CharlesH

            Loop1 Systems: SolarWinds Training and Professional Services

              • Re: Rogue Alerts Issues with UDT
                dcokers

                I've seen this article. We've been on 3.3.1 since June; we were on 3.3 before that. The problem we are having is rogue alerts being created: the devices are not showing as a Rogue Device, but an Alert is being generated as if they were a Rogue Device.

                 

                Typical timeline:

                1 - we add a device to our network that has a unique MAC ID that is not in our Whitelist

                2 - a few hours later (depending on polling time) we get anywhere from 4 - 15 Rogue Alerts. (above example was 4)

                3 - we check UDT and only one device of the MAC addresses from the alerts is listed as a Rogue Device.

                4 - however, 4 - 15 Rogue alerts are listed. (above example is 4)

                5 - check whitelist and all but 1 of the alerts have a MAC that is not in our whitelist

                 

                We've opened a ticket with support. So far we've just rebuilt the alert and are waiting to see if that fixes the issue.