
Archive Intervals By Data Type - Cisco MARS Install And Setup Manual


Chapter 6
Administering the MARS Appliance

Archive Intervals By Data Type

MARS archives data either daily or in near real time based on the type of data. Therefore, all the data in
the MARS internal storage (local database) should be in the NFS storage as well, give or take a day's
worth of specific types of data.
MARS data consists of four types:
1. configuration data, such as topology and device settings, which is archived daily
2. audit trails of MARS web interface activity and MARS report results, which are archived daily
3. MARS statistics, such as charts in Summary/Dashboard, which are archived hourly
4. dynamic and event data, such as events, sessions, and incidents, which are archived quickly so they
do not tax the MARS Appliance's local storage.
Configuration data, audit trails, and statistical data are written to the database first. During archival time, data
is written to local files and archived from those files. However, dynamic and event data is written in
parallel to both the database and to local files. Therefore, even if the data has been archived, it is likely
to still be in the database.
In other words, dynamic and event data is initially stored in two locations: the NFS archive and MARS
database. Later, when the MARS database partition becomes full, the database purge operation occurs
to make room for new events—but those events and incidents were archived prior to the purge operation.
Note: Once data is purged from the MARS local database, it cannot be queried. Queries and reports operate
only on the data in the MARS database.
To account for temporarily unavailable NFS servers, the files for all data types are stored locally on the
MARS Appliance for one day before they are purged. When you enable archiving in the web interface,
you must also define the parameters for retaining the data in the NFS archive. As a result, MARS
performs simple data maintenance on the NFS server by purging data outside the range specified in the
Remote storage capacity in Days field of the Data Archiving page. For example, if the storage capacity
value is 365 days, then all data older than one year is purged from the NFS server.
Refer to Table 6-2 for the archive interval for each type of data.

Table 6-2 Archive Interval Description (4.3.1 and 5.2.4 and later)

| Archive Folder and Data Type Description | Archive Interval | Max. Interval (in minutes) | Schedule |
|---|---|---|---|
| AL: Audit log information | Once per day at 2:00 a.m. | n/a | Daily at 2 a.m. |
| CF: Configuration information | Once per day at 2:00 a.m. | n/a | Daily at 2 a.m. |
| ES: Events, sessions, and raw messages | Every 10 minutes or when 3 MB (compressed) file size is reached, whichever threshold is met first. | 10 minutes | n/a |
| IN: Incidents | Immediately | 1 minute | n/a |
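
The following Python check is an added example, not part of the Cisco guide: it applies the Table 6-2 intervals, the one-day local buffer, and the Remote storage capacity in Days value to decide whether an NFS archive has fallen behind. It assumes the caller supplies the timestamp of the newest file in each archive folder, that the appliance is producing each data type continuously, and that the purge cutoff is evaluated per calendar day; the function names and the `grace` allowance are hypothetical.

```python
from datetime import datetime, timedelta

# Table 6-2: folder -> ("daily", hour of run) or ("max", interval in minutes).
RULES = {"AL": ("daily", 2), "CF": ("daily", 2), "ES": ("max", 10), "IN": ("max", 1)}
LOCAL_BUFFER = timedelta(days=1)  # archive files stay on the appliance for one day


def oldest_acceptable_write(folder, now):
    """Oldest 'newest file' timestamp that still satisfies Table 6-2 at time now."""
    kind, value = RULES[folder]
    if kind == "max":
        return now - timedelta(minutes=value)
    run = now.replace(hour=value, minute=0, second=0, microsecond=0)
    return run if run <= now else run - timedelta(days=1)  # before today's run


def is_stale(folder, newest_write, now, grace=timedelta(minutes=5)):
    """True when the folder missed its interval. grace (an assumed value)
    allows for job run time and clock skew between appliance and NFS server."""
    return newest_write < oldest_acceptable_write(folder, now - grace)


def stale_folders(newest, now):
    """Sorted list of archive folders whose newest file is overdue."""
    return sorted(f for f, t in newest.items() if is_stale(f, t, now))


def purge_cutoff(now, capacity_days):
    """Date before which data falls outside the NFS retention window."""
    return (now - timedelta(days=capacity_days)).date()


def outage_risks_gap(nfs_down_since, now):
    """True once an NFS outage has outlasted the one-day local buffer."""
    return now - nfs_down_since > LOCAL_BUFFER


if __name__ == "__main__":
    now = datetime(2024, 3, 10, 9, 30)  # constructed sample values
    newest = {
        "AL": datetime(2024, 3, 10, 2, 4),
        "CF": datetime(2024, 3, 9, 2, 3),    # missed today's 2:00 a.m. run
        "ES": datetime(2024, 3, 10, 9, 24),
        "IN": datetime(2024, 3, 10, 8, 50),  # 40 minutes old
    }
    print("stale folders:", stale_folders(newest, now))
    print("NFS purge cutoff:", purge_cutoff(now, 365))
    print("gap risk:", outage_risks_gap(datetime(2024, 3, 9, 9, 0), now))
```

A stale ES or IN folder matters most: once the database purge runs, the NFS archive is the only remaining copy of those events and incidents.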