How does the CSMARS database storage functioning? We experienced with 1 incident where the disk corrupted and the appliance have to be replace. We did not backup all the data but only managed to setup daily archived, the problem occurred when we wanted to retrieved the old syslogs data from the security devices/appliances that integrated with CSMARS. Is there any method that we can used to retrieve back the previous syslogs that have not been stored in CSMARS database, and send it again to CSMARS from the devices/appliances?

When you run pnrestrore the mars DB is reset (cleared out). ie: you will only recover the available archive directories. I checked this in the lab. During the pnrestore you will see

Recreating the database schema.
Importing data into database ...

Prior to the restore I had 10 days worth of data, having deleted days 2-10 from the archive, I restored and only had the previous days data.

You can see the event DB size (afaik) using the diskusage command (/dev/sda11 0 /u02)

[pnadmin]$ version
6.0.6 (3368) 35
[pnadmin]$ model
CS-MARS-25
[pnadmin]$ diskusage
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             857M  607M  207M  75% /
/dev/hda1             125M   16M  103M  14% /boot
/dev/sda6             9.9G  180M  9.2G   2% /log
/dev/sda5             9.9G  1.3G  8.1G  14% /opt
/dev/sda7              32G  566M   30G   2% /pnarchive
none                 1012M     0 1012M   0% /dev/shm
/dev/sda8             9.9G   34M  9.4G   1% /tmp
/dev/sda9             9.9G  2.5G  6.9G  27% /u01
/dev/sda11            135G   13G  116G  10% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03

Matthew

Thank you again Matthew fro your reply,

i would like to ask you if there is a document talking about the below mentioned folders and what do they mean? each folder names belongs to what?

!

pnadmin]$ model
CS-MARS-25
[pnadmin]$ diskusage
Filesystem            Size  Used Avail Use% Mounted on
/dev/hda2             857M  607M  207M  75% /
/dev/hda1             125M   16M  103M  14% /boot
/dev/sda6             9.9G  180M  9.2G   2% /log
/dev/sda5             9.9G  1.3G  8.1G  14% /opt
/dev/sda7              32G  566M   30G   2% /pnarchive
none                 1012M     0 1012M   0% /dev/shm
/dev/sda8             9.9G   34M  9.4G   1% /tmp
/dev/sda9             9.9G  2.5G  6.9G  27% /u01
/dev/sda11            135G   13G  116G  10% /u02
/dev/sda10            9.9G  8.1G  1.3G  87% /u03

!

if "/dev/sda11" is related to hard disk size, what about other "/dev"s?

concerning the second point of my previous reply, what could be the reason behind the system erro ocured while trying to create a new rule?

thank you again.

Is it possible if we pull the old syslog or raw messages from the devices whereas CSMARS does not stored the contents in its database?

Thank you Matthew for your reply,

• what i could conclude from the file is that for CS-Mars there is something called "System Log Message EPS" which is i guess a constant value related to the mars model specification, and there is the SDEE EPS that can be calculated through a IME statistics.i am not sure if they mean by IME statistics the connection of cs-mars with syslog server or something else.

also i knew that the IPS/IDS Event Sie is 500 bytes/event.
but i am not able to know what is the current size of CS-Mars HardDisk? and the Current size of the CS-Mars DB?
my CS-mars type is CS-Mars-25.
i maybe noticed that this type has no raid, but could it be without HArdDrive?

the show health info indicates a memory size of 2GB that i think it is the ram size.

note: What is mentioned that the CS-Mars will store up to 1.5MB including any captured packets. (ref. cs_mars_sizing_estimate file page 7/8) what could that means?

• About Creating a rule with certain criteria and add recepient address, while trying to add a rule i faced a
  System error
  Please contact technical support.

       Could it be a memory Leak?! or any other thing related to available memory space, because it took long time arroung 15 minutes to generate this issue, and also when connecting on console as ssh2 also facing some lateness.

learnsec 0,

The 1.5 MB is the limitation of single raw message size. Refer to User Guide (http://www.cisco.com/en/US/partner/docs/security/security_management/cs-mars/6.1/device/configuration/guide/GbkDcnfgd.html) section About Raw Message Size Limitations and Storage Location.

"Before the 5.2.4 release, the storage of raw message data in the local database was restricted to 500 KB
per message. Beginning with 5.2.4, the raw message size is stored in local files that can be up to 1.5 MB
without being truncated."

Regards,

Gintautas

Hello Gantautas,

thank you for your reply.

but what do you mean by truncated?

when raw messages are truncated? and how?

when we say raw messages we do  mean the logs collected from IPS devices right? not the logs of the appliance itself as a device!

learnsec 0,

Truncated refers to a raw message being made smaller. For exaple, if your IPS somehow generates a raw message as large as 1.7 MB the MARS applience would store only 1.5 MB of the message payload. That's how I understand it. Refering to cisco:

"It is important to note that CS-MARS stores only 1.5 MB of data per alarm. If payload data is sent to the CS-MARS, it is displayed in its ASCII format but  could be truncated because of its length."

But it has very little in common speaking about the size of storage.

Regards,

GP