Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
5
Helpful
2
Replies

Retrieving Data from Archive

PaulWelc
Level 1
Level 1

‎10-16-2008 09:25 AM

Silly question, I just started archiving data to a NFS share. If I want to search that archived data what is the process? Thanks

Labels:
0 Helpful
2 Replies 2

mhellman
Level 7
Level 7

‎10-17-2008 05:18 AM

There is no way to do that today using MARS. The RAW messages are just gzipped files in the archive though, so you could search them yourself. On a Linux box, you could do something like this:

Say I want to find any raw messages with a give username in them during october:

cd /archive-dir/

find ./2008-10*/ES/ -type f -name rm-* | xargs zgrep -i

There are lots of variations on the above. Take a look at the archive directory structure. Each day has its own directory. The gzipped raw messages are stored in the ES directory and start with "rm-". They have the date/hour range in the filename so you can easily narrow down the list of files to search through using date/hour. So, to only look for events in October for the above user that occured between 7-9am(roughly):

find ./2008-10*/ES/ -type f -name rm-*_2008-10-01-0[6-9]* | xargs zgrep -i

PaulWelc
Level 1
Level 1
In response to mhellman

‎10-17-2008 05:57 AM

Thanks mhellman. I notice when I do a diskusage command at the CLI it sees the archive disk. Do you know if MARS would actually search the archive partition for any information if it can't find it on the local hard drive?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents