One MARS for archived events investigation?

Unanswered Question
Sep 13th, 2010


I am concerning about the way to use only one MARS applience for archived logs re-activation and investigation on the same machine. Is it possible or the second applience is the only option? Why MARS can not operate with archived events on a sigle box?

Thank you.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
mikecrowe4ICS_2 Mon, 09/13/2010 - 16:52

When MARS does a restore for an archive, think of it like loading a ghost image on a Windows server.  It restores EVERYTHING, including the configuration, event data, and even the OS (optional).  So, the archive acts like a snapshot of the system at that time.

But to do that, it has to replace the current information.  Thus, the reason data can't be restored on a single box, while still operating normally.

From the MARS "Initial Configuration And Upgrade Guide":

"The reason to use a separate appliance to study old data is that you must restore the period data to the appliance, and the restore re-images all configuration and event data based on the archive settings for the defined period."

And later in the same guide:

"A restore operation does not allow for incremental  restores of event data only. It always performs a complete reimage of  the harddrive in the target appliance."

Hope that helps.


This Discussion