
Backup CS-MARS

juergen.bauer
Level 1

Hi netpros,

I played around with the backup on the CS-MARS appliance.

I was wondering about two things:

- Files are not in gzip format as mentioned in the docs. OK, I just started the backup, so maybe tomorrow the old data will be in gzip format.

- Directory structure differs from the documentation:

On page 6-20 in the "Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System" a directory "ES" is mentioned, but my filesystem looks like this:

mgmt-m04:~# l /opt/cs-mars-backup/
insgesamt 4
drwxrwxr-x 4 501 501 4096 2005-12-15 11:00 2005-12-15

mgmt-m04:~# l /opt/cs-mars-backup/2005-12-15/
insgesamt 8
drwxrwxr-x 2 501 501 4096 2005-12-15 10:52 CF
drwxrwxr-x 2 501 501 4096 2005-12-15 11:21 IN

mgmt-m04:~# l /opt/cs-mars-backup/2005-12-15/CF/
insgesamt 2784
-rw-rw-r-- 1 501 501 2844722 2005-12-15 02:02 cf_2005-12-15-02-02-08.pna

mgmt-m04:~# l /opt/cs-mars-backup/2005-12-15/IN/
insgesamt 96
-rw-rw-r-- 1 501 501 5998 2005-12-15 11:00 in-4116-412_2005-12-15-10-45-39_2005-12-15-11-00-05.pna
-rw-rw-r-- 1 501 501 3366 2005-12-15 11:10 in-4116-412_2005-12-15-10-45-39_2005-12-15-11-09-13.pna
-rw-rw-r-- 1 501 501 1407 2005-12-15 11:00 in-4116-412_2005-12-15-10-49-04_2005-12-15-10-59-16.pna
-rw-rw-r-- 1 501 501 4318 2005-12-15 11:00 in-4116-412_2005-12-15-10-50-21_2005-12-15-10-51-10.pna
-rw-rw-r-- 1 501 501 901 2005-12-15 11:01 in-4116-412_2005-12-15-10-51-23_2005-12-15-11-01-15.pna
-rw-rw-r-- 1 501 501 3590 2005-12-15 11:02 in-4116-412_2005-12-15-10-51-34_2005-12-15-10-58-57.pna
-rw-rw-r-- 1 501 501 2513 2005-12-15 11:02 in-4116-412_2005-12-15-10-52-42_2005-12-15-10-58-49.pna
-rw-rw-r-- 1 501 501 5615 2005-12-15 11:20 in-4116-412_2005-12-15-10-57-47_2005-12-15-11-20-12.pna
-rw-rw-r-- 1 501 501 606 2005-12-15 11:01 in-4116-412_2005-12-15-11-00-02_2005-12-15-11-00-02.pna
-rw-rw-r-- 1 501 501 2590 2005-12-15 11:11 in-4116-412_2005-12-15-11-00-36_2005-12-15-11-05-18.pna
-rw-rw-r-- 1 501 501 622 2005-12-15 11:04 in-4116-412_2005-12-15-11-00-40_2005-12-15-11-00-40.pna
-rw-rw-r-- 1 501 501 6543 2005-12-15 11:10 in-4116-412_2005-12-15-11-00-52_2005-12-15-11-10-02.pna
-rw-rw-r-- 1 501 501 944 2005-12-15 11:11 in-4116-412_2005-12-15-11-01-22_2005-12-15-11-11-08.pna
-rw-rw-r-- 1 501 501 3475 2005-12-15 11:11 in-4116-412_2005-12-15-11-01-34_2005-12-15-11-04-50.pna
-rw-rw-r-- 1 501 501 1781 2005-12-15 11:12 in-4116-412_2005-12-15-11-02-35_2005-12-15-11-12-06.pna
-rw-rw-r-- 1 501 501 1929 2005-12-15 11:20 in-4116-412_2005-12-15-11-08-17_2005-12-15-11-19-19.pna
-rw-rw-r-- 1 501 501 6630 2005-12-15 11:20 in-4116-412_2005-12-15-11-10-21_2005-12-15-11-11-10.pna
-rw-rw-r-- 1 501 501 814 2005-12-15 11:21 in-4116-412_2005-12-15-11-14-00_2005-12-15-11-17-26.pna
-rw-rw-r-- 1 501 501 606 2005-12-15 11:21 in-4116-412_2005-12-15-11-20-02_2005-12-15-11-20-02.pna

Any idea if it is possible to just restore the config of the MARS appliance without old incidents? (CF for config, IN for incidents?)

Is there more documentation about the MARS backup/restore system available?

Best regards

Juergen
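The listing above is all the documentation the poster has for the archive layout, so a small inventory script helps answer his own two questions before a restore is attempted: which files are configuration (CF) and which are incident data (IN), whether they actually carry a gzip header, and whether the incident archives cover a continuous span of time. The following is an added example written for this thread, not code from Cisco or from the appliance. It assumes the layout `<root>/<YYYY-MM-DD>/{CF,IN}/*.pna` and the file-name patterns visible in the listing (`cf_<stamp>.pna`, `in-<id>_<start>_<end>.pna`); the `4116-412` component is treated as an opaque identifier, and the sample tree it builds is constructed with dummy file contents.

```python
"""Inventory a CS-MARS archive tree: classify CF/IN files, check for gzip
headers, and look for gaps in incident coverage.

Added example (not from the thread, not Cisco's code). Assumed layout:
  <root>/<YYYY-MM-DD>/CF/cf_<YYYY-MM-DD-HH-MM-SS>.pna         config archive
  <root>/<YYYY-MM-DD>/IN/in-<id>_<start stamp>_<end stamp>.pna incident archive
"""
import os
import re
import tempfile
from collections import namedtuple
from datetime import datetime, timedelta

STAMP = r"\d{4}-\d{2}-\d{2}-\d{2}-\d{2}-\d{2}"
CF_RE = re.compile(rf"^cf_({STAMP})\.pna$")
IN_RE = re.compile(rf"^in-([^_]+)_({STAMP})_({STAMP})\.pna$")
GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member

ConfigArchive = namedtuple("ConfigArchive", "when path gzipped")
IncidentArchive = namedtuple("IncidentArchive", "start end path gzipped")


def parse_stamp(text):
    """Turn 2005-12-15-10-45-39 into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d-%H-%M-%S")


def is_gzip(path):
    """Check the magic bytes instead of trusting the extension or the docs."""
    with open(path, "rb") as fh:
        return fh.read(2) == GZIP_MAGIC


def inventory(root):
    """Walk <root>/<day>/{CF,IN} and classify every file found there."""
    result = {"config": [], "incidents": [], "unknown": []}
    for day in sorted(os.listdir(root)):
        for sub in ("CF", "IN"):
            subdir = os.path.join(root, day, sub)
            if not os.path.isdir(subdir):
                continue
            for name in sorted(os.listdir(subdir)):
                path = os.path.join(subdir, name)
                if sub == "CF" and (m := CF_RE.match(name)):
                    result["config"].append(
                        ConfigArchive(parse_stamp(m.group(1)), path, is_gzip(path)))
                elif sub == "IN" and (m := IN_RE.match(name)):
                    result["incidents"].append(IncidentArchive(
                        parse_stamp(m.group(2)), parse_stamp(m.group(3)), path, is_gzip(path)))
                else:
                    result["unknown"].append(path)  # a restore would not know what to do with it
    return result


def latest_config(inv):
    """Newest configuration archive, i.e. the candidate for a config-only restore."""
    return max(inv["config"], key=lambda c: c.when, default=None)


def coverage_gaps(incidents, tolerance=timedelta(minutes=5)):
    """Merge the [start, end] windows of the incident archives and return holes
    longer than `tolerance`; a hole means events in that window were not archived."""
    gaps, covered_until = [], None
    for arc in sorted(incidents, key=lambda a: a.start):
        if covered_until is not None and arc.start - covered_until > tolerance:
            gaps.append((covered_until, arc.start))
        covered_until = arc.end if covered_until is None else max(covered_until, arc.end)
    return gaps


def build_sample_tree():
    """Constructed sample mirroring a few entries of the post's listing.
    Contents are dummy bytes; only the CF file carries a gzip header."""
    root = tempfile.mkdtemp(prefix="csmars-archive-")
    cf_dir = os.path.join(root, "2005-12-15", "CF")
    in_dir = os.path.join(root, "2005-12-15", "IN")
    os.makedirs(cf_dir)
    os.makedirs(in_dir)
    samples = {
        os.path.join(cf_dir, "cf_2005-12-15-02-02-08.pna"): GZIP_MAGIC + b"\x08\x00 dummy",
        os.path.join(in_dir, "in-4116-412_2005-12-15-10-45-39_2005-12-15-11-00-05.pna"): b"not gzip",
        os.path.join(in_dir, "in-4116-412_2005-12-15-11-00-36_2005-12-15-11-05-18.pna"): b"not gzip",
        os.path.join(in_dir, "in-4116-412_2005-12-15-11-20-02_2005-12-15-11-20-02.pna"): b"not gzip",
        os.path.join(in_dir, "README.txt"): b"stray file",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    inv = inventory(build_sample_tree())
    newest = latest_config(inv)
    print("newest config archive:", newest.when, "gzip" if newest.gzipped else "uncompressed")
    for arc in inv["incidents"]:
        print("incidents", arc.start, "->", arc.end, "gzip" if arc.gzipped else "uncompressed")
    for lo, hi in coverage_gaps(inv["incidents"]):
        print("WARNING: no incident archive between", lo, "and", hi)
    for path in inv["unknown"]:
        print("unrecognised file:", path)
```

Point it at the real mount (`inventory("/opt/cs-mars-backup")`) instead of the sample tree to check a production archive; the gap report is the part worth keeping an eye on, because a config-only restore is only as good as the newest CF file and a full restore is only as complete as the IN coverage.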

2 Replies

pmccubbin
Level 5

According to what I have been told it is not possible to restore the config of the MARS appliance minus the old incidents. In fact, you cannot delete incidents at all because it would corrupt the SQL database. Once a rule is created it can only be deactivated and can never be deleted. You would have to erase the MARS appliance completely and rebuild it to have old events removed.

The only documentation regarding backups that I am aware of is on CCO.

Hope this helps answer your question.

Using the pnrestore command, you can restore three types of data:

• CS-MARS OS—Restores the operating system (OS), including any upgrades that applied before the most recent archive was performed.

• System configuration data—Restores system configuration data, such as network settings, reporting devices, custom inspection rules, event types, reports, administrative accounts, archival settings, and any other data that you have entered. It does not include any event data.

• Dynamic data—Restores real event data that came from reporting devices, including incidents generated from events and cases. Performing a restore of just the configuration data results in incomplete data required to reconstruct existing cases: all open cases reference incidents and sessions. If this dynamic data is not restored, the cases will reference invalid incident and session IDs. To restore cases, perform a full restore (mode 2).

To restore archived appliance data, use the pnrestore command:

pnrestore -p archive_data_nfs_path [-t start_time -m restoring_mode]

(Install and Setup Guide for Cisco Security Monitoring, Analysis, and Response System, 78-17019-01, Appendix A Command Reference, Commands, page A-18)

Syntax Description

none: The default behavior of this command displays the command's usage guidelines.

-h: Displays the detailed command's usage guidelines.

-t: Restores the data dated from this time. Use mm/dd/yy:hh format.

-p: Name of the directory where the archived data is stored. You must identify the NFS server by IP address, separated by a :/ and then the pathname: NFSServerIP:/archive_path.

-m: Restoring mode. Two modes are available: 1 (default) or 2. The mode determines what type of data is restored. Table A-2 identifies what data is restored for each option.

Examples

You can use the restore feature to complete different restoring tasks, such as:

• Perform a complete restore on the same CS-MARS Appliance using the archived data (including the OS and all data). Use the pnrestore command, mode 2. For example, in the CLI menu of the appliance, enter:

pnrestore -m 2 -p 192.168.1.1:/archive/CS_MARS1

• Archive and restore data to a different CS-MARS Appliance of the same model. From the appliance where you want to archive the data, use the GUI to configure archiving. From the second appliance to which you want to copy the archived data, use the pnrestore command.

For example, if you only want to copy the OS and the system configuration data, you should use mode 1 of the restore command. For example, in the CLI menu of the new appliance, enter:

pnrestore -m 1 -p NFSServerIPOfOldBox:/archive/CS_MARS1

Maybe I should just RTFM.
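The quoted command reference answers the original question (mode 1 restores OS and configuration without event data, mode 2 restores everything, and cases are only consistent after mode 2), but its argument formats are easy to get wrong at the CLI. The following is an added example written for this thread, not Cisco's code and not a wrapper the appliance ships: it composes a pnrestore command line from the option syntax quoted above (`-p NFSServerIP:/path`, `-t mm/dd/yy:hh`, `-m 1|2`), converts an archive file stamp such as `2005-12-15-10-45-39` into the hour-granularity `-t` format, and picks the mode from whether event data (and therefore cases) must be restored. The validation rules, function names and the "hostname is rejected" behaviour are assumptions made for the example.

```python
"""Compose and sanity-check a pnrestore command line.

Added example (not Cisco's code). Option syntax and the "cases need mode 2"
rule are taken from the quoted command reference; validation rules and
function names are assumptions for this example.
"""
import re
import shlex
from datetime import datetime

# -p must name the NFS server by IP address, then ":" and an absolute archive path.
NFS_SPEC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(/[^\s]*)$")


def parse_nfs_spec(spec):
    """Split 'IP:/path'; reject hostnames, relative paths and bad octets."""
    match = NFS_SPEC_RE.match(spec)
    if not match:
        raise ValueError(f"-p must look like NFSServerIP:/archive_path, got {spec!r}")
    ip, path = match.groups()
    if any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return ip, path


def format_start_time(when):
    """-t takes mm/dd/yy:hh, i.e. hour granularity; minutes and seconds are dropped."""
    return when.strftime("%m/%d/%y:%H")


def archive_stamp_to_start_time(stamp):
    """Convert an archive file stamp (2005-12-15-10-45-39) into the -t format."""
    return format_start_time(datetime.strptime(stamp, "%Y-%m-%d-%H-%M-%S"))


def choose_mode(restore_events):
    """Mode 1 restores OS + configuration only; mode 2 also restores event data.
    Cases reference incident and session IDs, so a restore that should keep
    cases usable has to be a mode-2 restore."""
    return 2 if restore_events else 1


def pnrestore_command(nfs_spec, restore_events=False, start_stamp=None):
    """Return the command line as a single, safely quoted string."""
    ip, path = parse_nfs_spec(nfs_spec)
    argv = ["pnrestore", "-p", f"{ip}:{path}", "-m", str(choose_mode(restore_events))]
    if start_stamp is not None:
        argv += ["-t", archive_stamp_to_start_time(start_stamp)]
    return shlex.join(argv)


if __name__ == "__main__":
    # Config-only restore onto a rebuilt box, then a full restore that keeps cases valid.
    print(pnrestore_command("192.168.1.1:/archive/CS_MARS1"))
    print(pnrestore_command("192.168.1.1:/archive/CS_MARS1", restore_events=True,
                            start_stamp="2005-12-15-10-45-39"))
```

The output strings are meant to be pasted into the appliance CLI menu, as the reference describes; the script itself only builds and checks them, it does not run anything.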