topic Re: IDS Database files too big in Network Security

IDS Database files too big

d-g-c — Sun, 10 Mar 2019 09:28:08 GMT

I'm receiving this alert from the management centre for IDS sensors :

Name: IDS database files

Size Limit: 8 GB

Current Usage:128.87% (10.31 GB)

Note: Current usage is more than the recommended limit.

How do I prune the size of these files automatically within cisco works?

Re: IDS Database files too big

Jeffrey Bollinger — Thu, 26 May 2005 16:36:37 GMT

Depends on which version of the IDS MC you're using.

With Security Monitor 2.0, the database pruning is handled automatically by a database pruning daemon. By default, it will prune the database when it hits 2,000,000 events. This default value can be changed by logging into SecMon and going to Admin -> Data Management -> Database -> Pruning Configuration.

Now when the database is pruned, by default it will create an archive of the pruned data in a flat file that is stored in ~\CSCOpx\MDC\secmon\AlertPruneData. This is a directory you will want to watch, because it can grow rapidly. If the archive is no longer needed, it is save to delete these files to reclaim disk space. Another recommended option is to change the pruning directory to a network share so that you don’t have to worry about maintaining that directory. To change the directory, go to Admin -> System Configuration -> Prune Archive Location.

Finally, if you want to change the thresholds at which you are warned, go to Admin -> Data Management -> Files. For each file you can change the value in the Limit column by just clicking on the current value.

For IDS MC 1.2 see this doc:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch07.htm

Re: IDS Database files too big

nickbruno — Fri, 27 May 2005 12:57:11 GMT

I am having the same issue. The idsmc.log is almost 8GB itself. When I try to change the size, it says I do not have the proper space available even thoug I have 5GB of free space. Any ideas?

Re: IDS Database files too big

d-g-c — Thu, 23 Jun 2005 09:33:35 GMT

Whilst my sybase database seems to be getting pruned automatically by SecMon 2.1 my idsmc.log is still growing - it'a almost 12GB now. Did you get a resolution to your problem? Why isn't CW2K managing the size of this file?

Re: IDS Database files too big

cburgarella — Mon, 25 Jul 2005 15:53:33 GMT

Hi had the same problem,

i simply stopped all services by the application, and then removed the idsmdc.log file, that seems not to be the database.

note that you have another file idsmdc.db.

i didn't lost any alert.

Re: IDS Database files too big

koiflowerhorn — Thu, 04 Aug 2005 02:19:40 GMT

Hi! We also encountered pruned data that is increasing so fast as well as the idsmdc.db.

1. Is it safe to delete old files at /opt/CSCOpx/MDC/secmon/AlertPruneData? What would be the importance of these files that we should consider for future use?

2. I understand that information in these pruned data no longer exist at idsmdc.db: Events are pruned from the database when the event tables exceed a specified size. The oldest event records are deleted from an event table first. How come the idsmdc.db is still increasing so fast? What does idsdmc.db comprised of?