Memory and Disk Usage on my 4235 & 4250 IDS sensor.

koiflowerhorn
Level 1

My IDS sensor memory usage shows 99% utilization and the hard disk is already at 5G out of 15 Gig. Below is the log from "show ver":

Using 398913536 out of 1980493824 bytes of available memory (99% usage)

Using 5G out of 15G bytes of available disk space (66% usage)

- Only the med and high severity signatures are enabled. Why does the sensor utilize so much memory?

- Does the IDS sensor have a database which stores the logs and causes the hard disk to use such space? (considering that it has IDM management)

- Or is there any other reason why the hard disk uses so much disk space, considering that it is new and uptime is only 2 months?

- Is the signature file update so large that it takes up such large space on the HDD?

Hope anyone could give me an idea why this is so.


jamesand
Cisco Employee

Assuming you are running 4.X, the memory usage is incorrect in the show version command. It does not take into account the cached memory that the operating system provides (the real percentage will be lower).

The 5G of storage includes a 4G eventstore which is a circular file of all events generated on the sensor (alerts, status, and error events). The disk usage should not grow significantly over the life of the sensor.

The disk usage 2 months ago was 400MB and now it's 5 GB. The IDS has been running for 2 months only. If I would forecast it, the disk will be full before 1 year.

Also, where exactly does the IDS store the events? Does it have its own database like the CiscoWorks VMS?

The eventstore that I mentioned before is a circular file of events (events that are pulled from the sensor by monitoring applications like VMS) with a 4G max limit. A brand new sensor will have an empty eventStore that will not register in the disk usage accounting (will not be reflected in the show ver disk usage status). As events get generated by the various apps on the sensor (primarily sensorApp generating alerts when signatures fire), the eventStore grows in size as will the disk usage number. However, when the eventStore is full at 4 gig, it will wrap and the oldest events will be overwritten. At this point, the disk usage number should not grow significantly with the exception of minor increases that come with sigupdates.

Thank you very much for that info.

May I know what the file or directory of the eventstore on the IDS is, so that at least I could see it first hand?

vpoole
Level 1

I believe there is a known bug that causes this type of issue, which was fixed in patch level g. What patch level are you at? Currently patch level h is available.

http://www.cisco.com/cgi-bin/tablebuild.pl/ids-patches

Hi vpoole,

My IDS 4250 and 4235 are at Version 4.1(4)S165. What exactly did this patch resolve, the memory or the disk space?

Thanks.

As I stated earlier, there is no problem with the disk space usage. The memory usage bug is fixed in the 5.X product, not 4.X. However, there are quite a few good bug fixes in the 4.1(4g) engineering patch.

The actual memory usage number can be determined from the service account by entering the following command:

bash-2.05a$ free
             total       used       free     shared    buffers     cached
Mem:       1934076    1424896     509180          0      18284    1214536
-/+ buffers/cache:     192076    1742000
Swap:       522072          0     522072

The "Mem:" row, "used" column is the amount of memory (in kilobytes) that the "show version" command reports. However, this total includes the "cached" amount.

So in the above example, the actual memory used is ( 1424896 - 1214536 ), or 210360 KB. This is ( 210360 / 1934076 * 100 ), or 10.9% of total memory.
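The calculation in the reply above, as an added example that is not part of the original post or of the sensor's own tooling: a shell/awk helper that recomputes the cache-adjusted figure from `free` output, so a health check does not alarm on page cache alone. The names `mem_usage`, `mem_alarm` and `SAMPLE_FREE` are hypothetical, and the parser assumes the older `free` layout quoted in the reply (with `buffers` and `cached` columns).

```shell
# Sample input: the `free` output quoted in the reply (values in KB).
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:       1934076    1424896     509180          0      18284    1214536
-/+ buffers/cache:     192076    1742000
Swap:       522072          0     522072'

# mem_usage (hypothetical helper): reads `free` output on stdin, prints
#   reported = used / total                      (cache counted as used)
#   actual   = (used - cached) / total           (the calculation in the reply)
#   strict   = (used - buffers - cached) / total (the "-/+ buffers/cache" row)
# Exits non-zero if no usable "Mem:" row is found.
mem_usage() {
  awk '
    $1 == "Mem:" {
      if (NF < 7 || $2 + 0 <= 0) { bad = 1; exit }
      total = $2; used = $3; buffers = $6; cached = $7
      printf "reported=%.1f actual=%.1f strict=%.1f\n",
             used / total * 100,
             (used - cached) / total * 100,
             (used - buffers - cached) / total * 100
      found = 1
    }
    END { if (bad || !found) exit 1 }
  '
}

# mem_alarm THRESHOLD (hypothetical helper): exit 0 only when the
# cache-adjusted "actual" figure exceeds THRESHOLD percent.
mem_alarm() {
  mem_usage | awk -v t="$1" '
    { split($2, kv, "="); v = kv[2]; seen = 1 }
    END { exit !(seen && v + 0 > t + 0) }
  '
}

# Run against the sample from the thread.
printf '%s\n' "$SAMPLE_FREE" | mem_usage
```

On a live system the same functions read the command directly, for example `free | mem_alarm 90`.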

Thanks. This is very useful.

I have a 4235 that had a similar problem and could not update to signature -S182. Memory usage showed 98%.

Applied the said patch "h" and memory usage dropped to 27%. I updated the signatures and the IDS is working perfectly after the "h" patch. The patch "h" works and I will even install it on my other IDS(s).

Sweet!! I applied the patch and it indeed worked!!
