Assuming you want to be able to look through the events and find something of interest at a later date: if you have 5 or fewer sensors, try using the free Cisco Manager Express.
If you have more than 5 sensors, you're looking for a SIM like Cisco's CS-MARS, netForensics, Intellitactics, etc.
You might find that IME>File>Export would work well for you. Unlike IME's embedded Event Monitoring tool's limitation of the last 999 hours, the export can export data going well beyond that. I'm not sure if Cisco has a limit to IME's data retention, or will institute a limit in IME. My export takes me back to what I believe is the date I installed the software, June 2008. (Unix dates, BTW).
The version of IME I use is 6.2.1. Hopefully the same capability remains in future versions of IME.
Thanks for the reply,
If I export data from IME for December, would it be deleted from the database after the export?
I have exported data for the December period, but the DB size is the same, and when I search for any event from the December time frame, I can see events. I am actually wondering: if after export the data doesn't get exported, then eventually my DB size is huge?
I have performed the export multiple times and I still see 2008 data in it. So, it may not be removing anything.
If there is a size/date limit to IME's locally retained data, I do not know what it would be. Maybe someone from Cisco can address this authoritatively.
Let me discuss this with one of my suppliers, because as far as I have searched, I have not found any published document from Cisco about IME in detail.
Thanks for replying.
Have you ever experienced that if you close the IME application, it doesn't collect logs for that specific time interval, and then when you run the application, it cannot get those alarms from the IPS?
I hope you understand what I mean...
My IME stopped responding on Friday night, and when on Monday morning I tried to pull a report from IME, it could not retrieve data. What I believe is that it should be able to retrieve it, as that data should be stored in the IPS buffers? When I try to check events from the last 72 hours, I can see very few events from the Saturday and Sunday dates; however, they are very low triggered alarms as compared to previous weekend days.
What do you suggest?
The events processing is done by the service at the end. If the IME console is closed, the service should keep running (under normal operation).
There is a bug in IME that causes it to shut down its service every time you log off from your machine; maybe this is the bug you are hitting.
Exporting the events should not delete them from the database.
Also, the new IME supports up to 10 IPS devices, not just 5.
Please rate if helpful.
Thanks Haroon, it was helpful.
So is there any way to decrease the size of the database? (I see a lot of files in the Data folder, but I am unable to find out how they increment, because there is no specific pattern, like a file reaching a specific size or incrementing after 1 week.)
Secondly, is there any workaround to sort out this stopped-services bug? Whenever I close IME, it doesn't record data for that specific time interval.
I'm sorry, but I don't think Cisco publicly releases any internals of the database. It would be better if you open a case for this or have someone from Cisco comment on this.
I would expect the service down issue to be solved in a future release, because it is a major pain.