How to check if the IDS Pruning utility has been working successfully?

laimf
Beginner

Hi,

I've had this CW2KVMS 1.0 server running for a few months and noticed that the syslog file under the CSCOpx\log\ directory keeps increasing in size. Besides, every time I launch the event viewer from the IDS Security Monitor, it says that the number of alarms has reached the limit.

So, I've tried to run the IDS pruning utility at the command prompt with the command "IdsPruning -r"alert,syslog" -c10000". How do we check if the size of the syslog/event viewer database has decreased?

Thanks a lot,

Moh Fun.


jpalani
Beginner

Generate an Audit log report to check whether the alarms are pruned. The audit log would also show the number of records purged, as below.

2003-06-10 18:05:42 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge Utility Complete.

2003-06-10 18:05:41 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge: 0 syslog records purged.

2003-06-10 18:05:41 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge: 10001 alert records purged.

2003-06-10 18:04:08 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge Started. Command Line: IdsPruning -ralert,syslog -c10000

However, the DB size will not reduce (which is the behavior of the Sybase DB) after the pruning utility is run. The next release (1.2) has a utility called dbcompact which will compact the database.
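One way to automate that audit-log check, as an added example that is not part of this thread or of the CiscoWorks product itself: a small Python script that scans the audit log lines quoted above for the prune run's start, its per-table purge counts and its completion marker. The line format is assumed to match the four lines shown in the reply.

```python
import re
from datetime import datetime

# Audit log lines copied from the reply above (the report lists the newest entry first).
SAMPLE_AUDIT_LOG = """\
2003-06-10 18:05:42 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge Utility Complete.
2003-06-10 18:05:41 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge: 0 syslog records purged.
2003-06-10 18:05:41 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge: 10001 alert records purged.
2003-06-10 18:04:08 IST 0.0.0.0 Monitoring Center for Security IDS_Database Prune information IDS Purge Started. Command Line: IdsPruning -ralert,syslog -c10000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<host>\S+) "
    r"Monitoring Center for Security IDS_Database Prune information (?P<msg>.*)$"
)
PURGED_RE = re.compile(r"IDS Purge: (?P<count>\d+) (?P<table>\w+) records purged\.")
STARTED_RE = re.compile(r"IDS Purge Started\. Command Line: (?P<cmd>.*)$")
COMPLETE_MSG = "IDS Purge Utility Complete."


def summarize_prune(audit_text):
    """Return a summary of the most recent prune run found in the audit log text."""
    entries = []
    for raw in audit_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]))
    entries.sort()  # the report is newest-first; walk the run in chronological order
    summary = {"started": None, "complete": False, "command_line": None, "purged": {}}
    for ts, msg in entries:
        started = STARTED_RE.search(msg)
        if started:
            # A new "Started" entry resets the summary so only the latest run is reported
            summary = {"started": ts, "complete": False, "command_line": started["cmd"], "purged": {}}
            continue
        purged = PURGED_RE.search(msg)
        if purged:
            summary["purged"][purged["table"]] = int(purged["count"])
        elif msg == COMPLETE_MSG:
            summary["complete"] = True
    return summary


def prune_succeeded(summary):
    """True when the run started, reached 'Complete', and purged at least one record."""
    return summary["started"] is not None and summary["complete"] and any(summary["purged"].values())
```

Feed it the exported audit log instead of the sample constant to check a real run; a run that started but never reached "Complete" is reported as not succeeded.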

ywadhavk
Cisco Employee

Hi Moh,

You should at least get the IDSMC/Secmon to version 1.1.

Once you are done pruning, run the backup from under the Security/VPN Management tab-->Common Services-->Database.....

This operation will reset the log file and you can reclaim the space. As mentioned in the earlier post, 1.2 would be much better, as the dbcompact utility will also help you shrink the DB file after pruning is carried out.

Hope this helps.

Thanks,

yatin

Hi Yatin,

Thanks for the advice. Following your advice, I've tried to perform an upgrade to CW2K VMS 1.1.1. But, unfortunately, I wasn't able to launch either the IDS MC or the Security Monitor after the upgrade.

The following are the procedures performed during the upgrade.

i. Executed the downloaded file "fcs-IDSMC-v1.1-w2k-k9.exe" to upgrade the current VMS 1.0 to 1.1.

ii. As VMS 1.0 is said to have bugs, I then executed the file "fcs-IDSMC-v1.1.1-w2k-k9.exe" to upgrade the newly upgraded VMS 1.1 to 1.1.1.

iii. When it had been installed successfully, I then tried to check the CW2K services and noticed that after all the CW2K services started, the "Cisco Secure PostOf