Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
4
Helpful
1
Replies

One MARS for archived events investigation?

gintautas.pusinskas
Level 1
Level 1

‎09-13-2010 08:03 AM

Hello,

I am concerning about the way to use only one MARS applience for archived logs re-activation and investigation on the same machine. Is it possible or the second applience is the only option? Why MARS can not operate with archived events on a sigle box?

Thank you.

Regards,

Gintas

Labels:
0 Helpful
1 Reply 1

mikecrowe4ICS_2
Level 1
Level 1

‎09-13-2010 04:52 PM

When MARS does a restore for an archive, think of it like loading a ghost image on a Windows server.  It restores EVERYTHING, including the configuration, event data, and even the OS (optional).  So, the archive acts like a snapshot of the system at that time.

But to do that, it has to replace the current information.  Thus, the reason data can't be restored on a single box, while still operating normally.

From the MARS "Initial Configuration And Upgrade Guide":

"The reason to use a separate appliance to study old data is that you must restore the period data to the appliance, and the restore re-images all configuration and event data based on the archive settings for the defined period."

And later in the same guide:

"A restore operation does not allow for incremental  restores of event data only. It always performs a complete reimage of  the harddrive in the target appliance."

Hope that helps.

Customers Also Viewed These Support Documents