06-03-2011 10:16 AM - edited 03-10-2019 05:22 AM
Is there any mechanism for creating backups of Events which have been written to the Event Store? I'm looking for ways to maintain logs of Events, in case they need to be referred to later. Normally, my understanding is the older Events are overwritten when the Event Store reaches its capacity.
06-08-2011 05:58 AM
Sensors make use of a 32 MB circular buffer in memory to store event data. As new events occur, the buffer fills; when it reaches capacity, the new events override the oldest events. As such, they are not designed for long-term storage. Instead, this buffer serves as temporary storage for event data long enough for a configured remote monitoring system(s) to poll the sensor for data and copy it off for long-term storage.
Remote monitoring applications/devices such as IME (IPS Manager Express) or CS-MARS should provide the functionality you are seeking (long-term storage of event data, that can also be backed-up).
06-15-2011 05:19 PM
So, it appears that IME has some capability to create archive files. But the instructions contained in the document entitled "Installing and Using Cisco Intrusion Prevention System Manager Express 7.1", page 1-11 are very sparse. So, I have the following questions about this process.
1. Where are these archive files located? I cannot seem to find them on the machine I am running IME from. Is there a naming convention for these files that I could use to recognize them?
2. Are these archive files created only when the IME is actually running? Is there a way to create them manually, or do I have to schedule it with the IME interface? (It's hard to understand what's going on - again, the documentation doesn't have very much detail on the archive process.)
3. Are the archive files saved in a readable format, or do they need to be re-imported back into the IME? If so, is that process documented somewhere?
06-16-2011 06:54 AM
Hello Mark
1) IME has an internal MySQL database used for storing events.
Please see:
2) IME installs itself as a service, and continues to store and build events in the background.
3) IME events can be exported as mentioned on the following page:
http://www.cisco.com/en/US/docs/security/ips/6.1/configuration/guide/ime/ime_getting_started.html
"IME contains menu features that help you configure various aspects of IME.
•File > Export—Lets you export event data from the IME database in to a CSV file"
Please rate if the input is helpful,
Regards
Farrukh
07-12-2011 04:13 PM
Ok, so here is what I am able to gather so far:
- IME collects & stores IPS alarms
- There is a method for exporting this information to CSV (I had tried this prior to creating this thread; at best I can export 24 hours' worth of data in a single CSV file)
- The IME can be configured to archive data, up to 400 archive files and up to 1,000,000 events per file
Now, the question becomes, if I want to store this archive information someplace (i.e., offsite storage) or create a backup of these archives, how would I do it? What files in what directories would I need to back up?
This information appears to be beyond the scope of the IME documentation - I can open a support ticket, but hopefully someone has already encountered this and might have a quick answer.
07-19-2011 11:21 AM
Just to provide some further information in the context of this forum... I found out the following information, which answered this question.
IME stores the archive files in
C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB
All files in this folder can be backed up and saved for future reference if needed.
Also, the IME Service is what actually enables logging, so if the computer running IME is brought down for any reason then no logging will be done until the IME Service is able to communicate with the IPS devices again.
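One way to automate the backup described above, as an added example that is not from this thread or from Cisco: a PowerShell script that zips the alarmDB folder named in the post to a timestamped archive and writes a SHA-256 manifest so the copy can be verified later. It assumes the backup share `\\BACKUP-SERVER\ime-backups` (a placeholder), PowerShell 5.0 or later for `Compress-Archive`, and read access to the IME folder.

```powershell
# Added example, not from the thread or from Cisco. Backs up the IME alarmDB folder to a
# timestamped zip plus a SHA-256 manifest. $Source is the path given in the thread;
# $Destination is a placeholder you must replace with your own backup location.
param(
    [string]$Source      = 'C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\data\alarmDB',
    [string]$Destination = '\\BACKUP-SERVER\ime-backups'   # placeholder backup share
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$zipPath  = Join-Path $Destination "alarmDB-$stamp.zip"
$manifest = Join-Path $Destination "alarmDB-$stamp.sha256"

if (-not (Test-Path -Path $Source)) { throw "Source folder not found: $Source" }
New-Item -ItemType Directory -Path $Destination -Force | Out-Null

# These files belong to IME's MySQL instance. If the IME service is writing to them while
# the copy runs, the snapshot may be inconsistent; schedule the backup for a quiet period
# or take it from a point-in-time copy of the volume.

# Record a SHA-256 hash of every file before archiving so the backup can later be
# checked for tampering or bit rot. Paths in the manifest are relative to $Source.
Get-ChildItem -Path $Source -File -Recurse |
    ForEach-Object {
        $h   = Get-FileHash -Path $_.FullName -Algorithm SHA256
        $rel = $_.FullName.Substring($Source.Length).TrimStart('\')
        '{0}  {1}' -f $h.Hash, $rel
    } | Set-Content -Path $manifest -Encoding ASCII

# Compress the folder contents into the timestamped archive (PowerShell 5.0 or later).
Compress-Archive -Path (Join-Path $Source '*') -DestinationPath $zipPath -CompressionLevel Optimal

# Hash the archive itself as well, so the zip file can be verified after an offsite transfer.
$zipHash = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
Add-Content -Path $manifest -Value ('{0}  {1}' -f $zipHash, (Split-Path -Path $zipPath -Leaf)) -Encoding ASCII

$zip = Get-Item -Path $zipPath
Write-Output ('Archived {0} ({1:N0} bytes); manifest written to {2}' -f $zip.Name, $zip.Length, $manifest)
```

To verify a restored copy, rehash the extracted files with `Get-FileHash` and compare against the manifest lines.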