I wanted to post some more information; maybe someone can help me as to what our issue might be.
Monday, August 6th, 10:49am CT, four Rogue Alerts came into our email:
Went to UDT at 10:57pm and observed there were four Active Alerts for the below MAC IDs:
Went to the MAC White list that we are using, I verified that three out of the four MAC Addresses were already in our whitelist. MAC ID **:**:**:**:19:CA was not in the White List, I added it.
I proceeded to acknowledge all four of these alerts.
Anybody seen anything similar to this?
Actually is anyone using Rogue Alerts at all?
Are these nodes that are causing the false positive alerts connecting to your network via a different method than your other nodes? e.g. through WiFi?
These are all on Cisco switches, we do not have any WiFi devices on our network. The devices in this example are a printer, a laptop, a security camera, and a VM.
I do believe you are in need of an update, per SolarWinds.
If I am reading this correctly, the issue should be resolved with UDT 3.3. If you are running 3.3 or 3.3.1, then something may have happened with the installer. I would check to make sure all your key services are present and possibly run a repair on the install if 3.3 or later.
If a repair (and Configuration Wizard run) with 3.3 does not fix the issue then a support case may be in order to determine what is the underlying cause.
Loop1 Systems: SolarWinds Training and Professional Services
I've seen this article; we've been on 3.3.1 since June, and we were on 3.3 before that. The problem we are having is rogue alerts being created: the devices are not showing as a Rogue Device, but an Alert is being generated as if they were a Rogue Device.
1 - we add a device to our network that has a unique MAC ID that is not in our Whitelist
2 - a few hours later (depending on polling time) we get anywhere from 4 - 15 Rogue Alerts. (above example was 4)
3 - we check UDT and only one device of the MAC addresses from the alerts is listed as a Rogue Device.
4 - however, 4 - 15 Rogue alerts are listed. (above example is 4)
5 - check whitelist and all but 1 of the alerts have a MAC that is not in our whitelist
We've opened a ticket with support. So far we've just rebuilt the alert and are waiting to see if that fixes the issue.
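A small triage helper for the steps above (an added example, not from this thread or from SolarWinds): it normalizes MACs written in colon, hyphen or Cisco dotted notation and splits the alerted MACs into those genuinely absent from the whitelist and those already whitelisted, i.e. the false positives described here. The alert MACs and whitelist below are constructed sample data, not the masked addresses from the post.

```python
import re

# Constructed sample data (placeholders, not the thread's real MACs).
# Mixed notations on purpose: UDT, Cisco switches and hand-kept whitelists
# often disagree on format, which is a common source of "already whitelisted
# but still alerted" confusion.
ALERT_MACS = [
    "00:1A:2B:3C:19:CA",   # not in whitelist -> genuine rogue candidate
    "00-1a-2b-3c-4d-5e",   # whitelisted, written with hyphens
    "001a.2b3c.4d5f",      # whitelisted, Cisco dotted form
    "00:1A:2B:3C:4D:60",   # whitelisted, upper-case colons
]
WHITELIST = ["001a.2b3c.4d5e", "00:1A:2B:3C:4D:5F", "00-1A-2B-3C-4D-60"]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pretty(mac12):
    """Render 12 hex digits back as colon-separated pairs."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def triage_rogue_alerts(alert_macs, whitelist):
    """Split alerted MACs into real rogues and whitelisted false positives.

    Comparison is done on the normalized form so notation differences
    between the alert and the whitelist do not produce spurious rogues.
    """
    allowed = {normalize_mac(m) for m in whitelist}
    result = {"rogue": [], "false_positive": []}
    for mac in alert_macs:
        key = normalize_mac(mac)
        bucket = "false_positive" if key in allowed else "rogue"
        result[bucket].append(pretty(key))
    return result


if __name__ == "__main__":
    for kind, macs in triage_rogue_alerts(ALERT_MACS, WHITELIST).items():
        print(f"{kind}: {', '.join(macs) or '(none)'}")
```

With the sample data this reports one genuine rogue and three whitelisted false positives, mirroring the three-of-four case in the post; feeding it the real alert list and whitelist is a quick way to confirm whether the alerts are truly ignoring the whitelist or whether a notation mismatch is involved.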
Interesting. So which Rogue alerts do you have enabled? And which ones specifically are coming through in these instances?
MAC, IP, DNS?
In any of these events, do the MACs end up being from the same device?