New Member

Flushing the Cat 6000's

Is there any way to flush/purge the alarms stored in the Cat 6000's?

We tried to update the base code to 3.0(2)6, which made it alarm on 100% missed packets. We have subsequently been told that whatever bug is causing this is fixed in version 3.0(2)10. Before we upgrade though, I want to find out why the cat 6000 transmits alarms back to the director only after we log out from the director and restart openview. These alarms are dated a couple of months old and we seem to get a bit closer to present every time we log out and back in.

Is there any way of checking what alarms are on the blade and purging them?

2 REPLIES
Cisco Employee

Re: Flushing the Cat 6000's

These alarms were probably received by the director a couple of months ago and were buffered.

They are not being stored on the IDSM.

What is happening:

A couple of months ago the IDSM was sending alarms to your director, but then the director map for the IDSM filled up with more than the allowed number of alarms. When this happens the director will buffer the extra alarms into the /usr/nr/var/nrdirmap.buffer file (not positive on the name of the file). NOTE: This is on the director and not the IDSM.

Normally you might think that if you delete the alarms from openview then the alarms from the buffer would be read in, but unfortunately that is not how it works.

Instead the director will only read the buffer file when ovw is restarted.

What does the user have to do:

1) If you want to look at all of the buffered alarms.

a) start ovw

b) wait for the alarms to be read in (a few minutes)

c) delete the alarms from the map

d) stop ovw

e) start ovw again to get the next set of alarms.

2) If you don't care about the buffered alarms, and just want the new alarms

a) stop ovw

b) cd /usr/nr/var on the director

c) remove the nrdirmap.buffer file (name may differ slightly)

d) restart ovw

e) delete any old alarms hanging around

f) wait for new alarms to come in.

How do I prevent this from happening:

By reducing the number of alarms that wind up in openview.

1) Once you've looked at an alarm, delete it from the window. Only keep the recent alarms that you are working on in the window. If you need older alarms you can print the data to file (Security>Create>Text File: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids7/unix_cfg/ops.htm#xtocid817324)

Or you can look through the director's log file.

2) Use filters to exclude false positives on your network which for many users are the majority of alarms they see on a daily basis.

3) If an alarm starts firing often then change the alarm severity to 2, this will log it on the director without filling the director's map with icons. In the case of nimda and other viruses which may send several thousand alarms a day, this may be the best method since you couldn't deal with that many individual alarms anyway.

If you notice a large number of alarms in your GUI, then check to see if a nrdirmap buffer file is being created in /usr/nr/var. If so then you will need to follow the steps that I mentioned earlier to read in those buffered alarms.
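
The buffer-file check described in the reply above, as an added example that is not part of the original post or Cisco's tooling. It assumes the /usr/nr/var directory and an nrdirmap*buffer* file name taken from the thread (the exact name may differ); the function name and the staleness threshold are hypothetical.

```shell
# Added example: report non-empty nrdirmap buffer files on the director.
# A non-empty buffer means alarms are waiting and will only show up in
# the map after ovw is restarted, so what the map shows may be old.

# Usage: check_nrdirmap_buffer [dir] [stale_days]
# Returns 0 if nothing is buffered, 1 if buffered alarms exist,
# 2 if the directory is missing.
check_nrdirmap_buffer() {
    dir="${1:-/usr/nr/var}"    # location named in the thread
    stale_days="${2:-1}"       # hypothetical threshold for a "stale" backlog
    found=0

    if [ ! -d "$dir" ]; then
        echo "directory not found: $dir" >&2
        return 2
    fi

    for f in "$dir"/nrdirmap*buffer*; do
        # An unmatched glob stays literal; skip anything that is not a
        # non-empty regular file.
        [ -f "$f" ] && [ -s "$f" ] || continue
        bytes=$(wc -c < "$f" | tr -d ' ')
        if [ -n "$(find "$f" -mtime +"$stale_days" -print)" ]; then
            state="not written for more than $stale_days day(s)"
        else
            state="recently written"
        fi
        echo "buffered alarms: $f ($bytes bytes, $state)"
        found=1
    done

    return "$found"
}
```

Run it from cron or by hand on the director; a return code of 1 means the steps in the reply above are needed before the map reflects current alarms.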

New Member

Re: Flushing the Cat 6000's

I have deleted the contents of the nrdirmap.buffer.default file, and cleared all the error.log files in that directory. This has fixed the problem and I'll know where to look next time if it reoccurs.

Big Thanks.
