I am concerned about how to use only one MARS appliance for archived log re-activation and investigation on the same machine. Is it possible, or is a second appliance the only option? Why can MARS not operate with archived events on a single box?
When MARS does a restore for an archive, think of it like loading a ghost image on a Windows server. It restores EVERYTHING, including the configuration, event data, and even the OS (optional). So, the archive acts like a snapshot of the system at that time.
But to do that, it has to replace the current information. That is the reason data can't be restored on a single box while still operating normally.
"The reason to use a separate appliance to study old data is that you must restore the period data to the appliance, and the restore re-images all configuration and event data based on the archive settings for the defined period."
And later in the same guide:
"A restore operation does not allow for incremental restores of event data only. It always performs a complete reimage of the harddrive in the target appliance."
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...