
Archive after Migration to 6.0.1 / Upgrade 6.0.2

Dear all,

Yesterday I successfully migrated a CS-MARS 50 from version 4.3.6 to 6.0.1 and also updated it to 6.0.2. After these tasks I enabled archiving again (NFS has been running successfully for months on a Windows Server 2003 R2 machine). Today I had a look at the NFS share. I found the following directories:

pnos

Then under the directory with the backup date:

es

in

st

According to the "Cisco Security MARS Initial Configuration and Upgrade Guide, Release 6.x", there should be more directories:

cf

al

rr

What about these files? Why did the CS-MARS appliance not write this data to the NFS server? Any ideas or hints?

Besides: there is very little load on that CS-MARS appliance.


ebreniz
Level 6

Within each daily directory, subdirectories are created for each data type. The following example identifies the directory type in the comments.

    Directory of D:\MARSBackups\2005-07-08

    07/08/2005 04:49p    .
    07/08/2005 04:49p    ..
    07/08/2005 04:49p    CF <-- Configuration Data
    07/08/2005 05:00p    IN <-- Incident Data
    07/08/2005 05:16p    AL <-- Audit Logs
    07/08/2005 05:16p    ST <-- Statistics Data
    07/08/2005 05:16p    RR <-- Report Results
    07/08/2005 05:49p    ES <-- Raw Event Data
    0 File(s) 0 bytes
    8 Dir(s) 4,664,180,736 bytes free

The .gz filename in the raw event data directory identifies the period of time that the archived data spans in a YYYY-MM-DD-HH-MM-SS format.

    Directory of D:\MARSBackups\2005-07-08\ES

    07/08/2005 05:49p    .
    07/08/2005 05:49p    ..
    07/08/2005 05:49p  34,861 es-3412-342_2005-07-08-16-49-52_2005-07-08-17-49-47.gz
    07/08/2005 05:49p  31,828 rm-3412-342_2005-07-08-16-49-52_2005-07-08-17-49-47.gz
    07/08/2005 06:49p  49,757 es-3412-342_2005-07-08-17-49-49_2005-07-08-18-49-40.gz
    07/08/2005 06:49p  48,154 rm-3412-342_2005-07-08-17-49-49_2005-07-08-18-49-40.gz
    07/08/2005 07:49p  24,420 es-3412-342_2005-07-08-18-49-45_2005-07-08-19-49-52.gz
    07/08/2005 07:49p  22,346 rm-3412-342_2005-07-08-18-49-45_2005-07-08-19-49-52.gz
    07/08/2005 08:50p  44,839 es-3412-342_2005-07-08-19-49-47_2005-07-08-20-50-04.gz
    07/08/2005 08:50p  41,534 rm-3412-342_2005-07-08-19-49-47_2005-07-08-20-50-04.gz
    07/08/2005 09:50p  58,988 es-3412-342_2005-07-08-20-49-55_2005-07-08-21-50-06.gz
    07/08/2005 09:50p  54,463 rm-3412-342_2005-07-08-20-49-55_2005-07-08-21-50-06.gz
    07/08/2005 10:50p 130,604 es-3412-342_2005-07-08-21-49-58_2005-07-08-22-50-08.gz
    07/08/2005 10:50p  85,437 rm-3412-342_2005-07-08-21-49-58_2005-07-08-22-50-08.gz
    07/08/2005 11:50p 114,445 es-3412-342_2005-07-08-22-49-55_2005-07-08-23-50-10.gz
    07/08/2005 11:50p  58,240 rm-3412-342_2005-07-08-22-49-55_2005-07-08-23-50-10.gz
    07/09/2005 12:50a 110,556 es-3412-342_2005-07-08-23-50-02_2005-07-09-00-50-14.gz
    07/09/2005 12:50a  53,977 rm-3412-342_2005-07-08-23-50-02_2005-07-09-00-50-14.gz
    16 File(s) 964,449 bytes
    2 Dir(s) 4,664,164,352 bytes free

The following is an example of the data found in the configuration data directory.


    Directory of D:\MARSBackups\2005-07-08\CF

    07/08/2005 04:49p    .
    07/08/2005 04:49p    ..
    07/08/2005 02:02a 2,575,471 cf_2005-07-08-02-02-02.pna
    1 File(s) 2,575,471 bytes
    2 Dir(s) 4,664,164,352 bytes free

For further details please follow the PDF link:

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.2/installation/guide/ig42x.pdf

and the Topic Configuring and Performing Appliance Data Backups
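An added example, not part of the original thread or of Cisco's documentation: a small Python check that compares a daily archive directory against the six data-type directories listed in the guide excerpt above and looks for time gaps between consecutive raw-event files, using the file-name timestamp format the excerpt describes. The function names, the one-minute tolerance and the treatment of the middle part of the file name as an opaque identifier are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Data-type directories named in the guide excerpt quoted in the reply.
EXPECTED = ("CF", "IN", "AL", "ST", "RR", "ES")

# <prefix>-<opaque id>_<start>_<end>.gz, timestamps as YYYY-MM-DD-HH-MM-SS.
NAME_RE = re.compile(
    r"^(?P<prefix>[a-z]+)-(?P<ident>[\d-]+)_"
    r"(?P<start>\d{4}(?:-\d{2}){5})_(?P<end>\d{4}(?:-\d{2}){5})\.gz$")
TS_FMT = "%Y-%m-%d-%H-%M-%S"

# Constructed sample input: the directories reported in the question, and two
# file names from the reply's listing with the 17:49-18:49 file left out.
QUESTION_DIRS = ["es", "in", "st"]
SAMPLE_ES = [
    "es-3412-342_2005-07-08-16-49-52_2005-07-08-17-49-47.gz",
    "es-3412-342_2005-07-08-18-49-45_2005-07-08-19-49-52.gz",
]

def missing_subdirs(present):
    """Return the expected data-type directories absent from a daily directory."""
    seen = {name.upper() for name in present}  # the share may use lower case
    return sorted(code for code in EXPECTED if code not in seen)

def parse_span(filename):
    """Return (prefix, start, end) for an archive file name, or None if it does not fit."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    try:
        return (m["prefix"], datetime.strptime(m["start"], TS_FMT),
                datetime.strptime(m["end"], TS_FMT))
    except ValueError:  # digits in the right shape but not a real date
        return None

def coverage_gaps(filenames, prefix="es", tolerance=timedelta(minutes=1)):
    """Return (gap_start, gap_end) pairs where consecutive files leave time uncovered."""
    spans = sorted(s[1:] for s in map(parse_span, filenames) if s and s[0] == prefix)
    gaps, covered_until = [], None
    for start, end in spans:
        if covered_until is not None and start - covered_until > tolerance:
            gaps.append((covered_until, start))
        covered_until = end if covered_until is None else max(covered_until, end)
    return gaps

if __name__ == "__main__":
    print("missing directories:", missing_subdirs(QUESTION_DIRS))
    for gap_start, gap_end in coverage_gaps(SAMPLE_ES):
        print("no raw events archived between", gap_start, "and", gap_end)
```

On a live share, pass the output of `os.listdir()` for the daily directory and for its ES subdirectory instead of the constructed lists.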