Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1480
Views
0
Helpful
6
Replies

ACS 5.3 - Restoring purged data?

Go to solution
Paul Masterton
Level 1
Level 1

‎07-15-2012 09:05 AM - edited ‎03-10-2019 07:18 PM

Hello All,

I think I understand purging in ACS5 now:

  1. Purging occurs when the database either gets too large or when data is too old (up to 12 months, although I assume you can leave the setting blank and no age related purging takes place?)
  2. Data is purged by making incremental backups and deleting the backed up data from the local database until the size/age pressure is relieved

So, my question is, how do I later look at the purged data? If I suddenly need to look at logs from last year what am I supposed to do? If I restore it surely I'm just going to go over the size limit again and it'll just get purged, no?

Or is there something I'm missing?

Paul

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Paul Masterton

‎07-15-2012 11:28 AM

No problem, if you configure database purging with incremental backup, the purging should occur at the same time in order to avoid the database getting to a point where it gets too large.

Here is the user guide for reference:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/viewer_sys_ops.html#wp1068157

Thanks,

Tarik Admani

-Please remember to rate helpful posts!-

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎07-15-2012 10:20 AM

Paul,

Answers inline:

  1. Purging occurs when the database either gets too large or when  data is too old (up to 12 months, although I assume you can leave the  setting blank and no age related purging takes place?)

The database purging occurs at the end of every month if you have incremental backup disabled.

    2. Data is  purged by making incremental backups and deleting the backed up data  from the local database until the

        size/age pressure is relieved

That is correct I assume you are using nfs since this requires a backup staging configuration.

So,  my question is, how do I later look at the purged data? If I suddenly  need to look at logs from last year what am I supposed to do? If I  restore it surely I'm just going to go over the size limit again and  it'll just get purged, no?

That is a great question, at this point the only reliable option is to deploy another ACS server that is dedicate for logs monitoring, so that in case you need to go back and do some research that this ACS can restore the backup of the purged data and provide the information that you need. Using a production server will not be the best option because it is assume that the amount of data that is being sent to this server in the first place has enough on its plate. However, lets see if anyone else can confirm from Cisco.

Or is there something I'm missing?

Thanks,

Tarik Admani

0 Helpful

Go to solution
Paul Masterton
Level 1
Level 1
In response to Tarik Admani

‎07-15-2012 10:40 AM

Tarik,

Cheers for your answers!

Just a couple of quick clarifications...

  1. I have configured incremental, so if my description correct in that case?
  2. Ah, I was going to use TFTP or SFTP, will that not work then? (I had assumed the backup was made locally and then copied off)
  3. I guess I could use one of the 90 day free trial licenses to spin up a reporting ACS VM in that case? (I assume they're fully featured and would allow that)

Thanks again, much appreciated!

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Paul Masterton

‎07-15-2012 11:09 AM

Paul,

  1. I have configured incremental, so if my description correct in that case? - If you have configured incemental backup then incremental backups take place daily. Here is the quote from the user guide "If you enable incremental backup, data is purged  daily at 4:00 a.m. at the local time zone where the ACS instance that  runs the View process is located."
  2. Ah, I was going to use TFTP or SFTP, will that not work then? (I had assumed the backup was made locally and then copied off), I can not find where this documented but your best bet is to use ftp, i would also explore nfs if you have the resources handy.
  3. I  guess I could use one of the 90 day free trial licenses to spin up a  reporting ACS VM in that case? (I assume they're fully featured and  would allow that) Yes you will be able to use this but configure the VM so that it allows the data to be backed up (500GB hard disk), also keep in mind that once you install a temp license that you can not reinstall or install another temp licenses on an existing server. You will have to reimage and have a new temp license generated.

Thanks,

Tarik Admani

0 Helpful

Go to solution
Paul Masterton
Level 1
Level 1
In response to Tarik Admani

‎07-15-2012 11:23 AM

Thanks again, one last (I promise!) clarification!

The incremetal backups take place daily, but a purge will only happen when data gets too old or the database gets too big, yes?

(IE, if I backup daily, I can still expect to report on logs that are a week old)

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to Paul Masterton

‎07-15-2012 11:28 AM

No problem, if you configure database purging with incremental backup, the purging should occur at the same time in order to avoid the database getting to a point where it gets too large.

Here is the user guide for reference:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/viewer_sys_ops.html#wp1068157

Thanks,

Tarik Admani

-Please remember to rate helpful posts!-

0 Helpful

Go to solution
Paul Masterton
Level 1
Level 1
In response to Tarik Admani

‎07-16-2012 11:13 AM

Many thanks!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents