08-15-2005 08:39 PM - edited 03-10-2019 01:35 AM
My IDS sensor memory usage shows 99% utilization and the hard disk is already at 5G out of 15 Gig. Below is the log from "show ver":
Using 398913536 out of 1980493824 bytes of available memory (99% usage)
Using 5G out of 15G bytes of available disk space (66% usage)
- Only the med and high severity signatures are enabled. Why does the sensor utilize such memory?
- Does the IDS sensor have a database which stores the logs that causes the hard disk to utilize such space? (considering that it has IDM management)
- Or is there any other reason why the hard disk uses such a large amount of disk space, considering that it is new and uptime is only 2 months?
- Is the signature file update so large that it takes up such large space on the HDD?
Hope anyone could give me an idea why this is so.
08-16-2005 04:58 PM
As I stated earlier, there is no problem with the disk space usage. The memory usage bug is fixed in the 5.X product, not 4.X. However, there are quite a few good bug fixes in the 4.1(4g) engineering patch.
The actual memory usage number can be determined from the service account by entering the following command:
bash-2.05a$ free
             total       used       free     shared    buffers     cached
Mem:       1934076    1424896     509180          0      18284    1214536
-/+ buffers/cache:     192076    1742000
Swap:       522072          0     522072
The "Mem:" row, "used" column is the amount of memory (in kilobytes) that
the "show version" command reports. However, this total includes the
"cached" amount.
So in the above example, the actual memory used is ( 1424896 - 1214536 ), or
210360 KB. This is ( 210360 / 1934076 * 100 ), or 10.9% of total memory.
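The calculation in the reply above, as a small script (an added example, not part of the original post and not Cisco code). The function name mem_usage and the embedded sample are constructed here; the sample repeats the figures quoted in the reply, and the script assumes the older `free` layout that has a separate "cached" column.

```sh
#!/bin/sh
# Added example: parse `free` output (values in KB) in the layout shown in the
# reply and print the raw "used" share next to the share with "cached" removed.

# Constructed sample input: the figures quoted in the reply above.
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:       1934076    1424896     509180          0      18284    1214536
-/+ buffers/cache:     192076    1742000
Swap:       522072          0     522072'

# mem_usage: reads `free` output on stdin and prints
#   "<used %> <used minus cached %> <used minus cached KB>"
# Exits with status 2 when the expected rows or columns are missing.
mem_usage() {
    awk '
        # Header row: record each column by name instead of assuming an order.
        # Header names start at field 1, values on the Mem: row at field 2.
        $1 == "total" { for (i = 1; i <= NF; i++) col[$i] = i + 1; next }
        $1 == "Mem:" {
            # A layout without a separate "cached" column is rejected.
            if (!("total" in col) || !("used" in col) || !("cached" in col)) exit 2
            total = $(col["total"]); used = $(col["used"]); cached = $(col["cached"])
            if (total <= 0) exit 2
            actual = used - cached          # same subtraction as in the reply
            printf "%.1f %.1f %d\n", used / total * 100, actual / total * 100, actual
            found = 1
        }
        END { if (!found) exit 2 }
    '
}

# Stand-alone run on the sample; on a live system use:  free | mem_usage
printf '%s\n' "$SAMPLE_FREE" | mem_usage
```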
08-16-2005 05:41 AM
Assuming you are running 4.X, the memory usage is incorrect in the show version command. It does not take into account the cached memory that the operating system provides (the real percentage will be lower).
The 5G of storage includes a 4G eventstore which is a circular file of all events generated on the sensor (alerts, status, and error events). The disk usage should not grow significantly over the life of the sensor.
08-16-2005 03:27 PM
The disk usage 2 months ago was 400MB and now it's 5 GB. The IDS has been running for 2 months only. If I would forecast it, the disk will be full before 1 year.
Also, where exactly does the IDS store the events? Does it have its own database like the CiscoWorks VMS?
08-16-2005 04:47 PM
The eventstore that I mentioned before is a circular file of events (events that are pulled from the sensor by monitoring applications like VMS) with a 4G max limit. A brand new sensor will have an empty eventStore that will not register in the disk usage accounting (will not be reflected in the show ver disk usage status). As events get generated by the various apps on the sensor (primarily sensorApp generating alerts when signatures fire), the eventStore grows in size as will the disk usage number. However, when the eventStore is full at 4 gig, it will wrap and the oldest events will be overwritten. At this point, the disk usage number should not grow significantly with the exception of minor increases that come with sigupdates.
08-16-2005 06:03 PM
Thank you very much for that info.
May I know what is the file or directory of the eventstore on the IDS so that at least I could see it first hand?
08-16-2005 06:18 AM
I believe there is a known bug that causes this type of issue, which was fixed in patch level g. What patch level are you at? Currently patch level h is available.
08-16-2005 03:38 PM
Hi vpoole,
My IDS 4250 and 4235 are Version 4.1(4)S165. What exactly did this patch resolve, the memory or disk space?
Thanks.
08-16-2005 06:07 PM
Thanks. This is very useful.
08-17-2005 01:34 PM
I have a 4235 that had a similar problem and could not update to signature -S182. Memory usage showed 98%.
Applied the said patch "h" and memory usage dropped to 27%. I updated the signatures and the IDS is working perfectly after the "h" patch. The patch "h" works and I will even install it on my other IDS(s).
08-17-2005 05:03 PM
Sweet!! I applied the patch and it indeed worked!!