Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
335
Views
5
Helpful
3
Replies

What happens to the event at the sensor when the IDSMC is down?

Go to solution
darin.marais
Level 4
Level 4

‎12-29-2003 06:16 AM - edited ‎03-09-2019 05:59 AM

Can someone on the list perhaps point me in the right direction? I am looking for the following information.

1. I would like to find out what happens to the alarm events at a sensor in the event that the IDSMC receiver is down at the VMS 2.1 server. Are they stored on the sensor until the ids manager has recovered and then sent?

2. How many events can be stored at the sensor when the IDSMC receiver is down?

3. Is there a good Cisco doc that will describe the process and if so, what url

I apologise if this has been discuss in a previous thread. I seem to remember reading about this process sometime back but have been unable to locate the information again.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎01-02-2004 12:45 PM

It depends on what version is on the sensor.

SideNote: Security Monitor (SecMon) is the VMS tool used for receiving and viewing alarms. IDS Management Center (IDS MC) is the VMS tool used for configuring the sensors. Many users will often use IDS MC to mean both IDS MC and SecMon.

With version 3.x sensors there is a process called postoffice that passes the events from the sensor to SecMon.

If SecMon (or the postoffice process on SecMon) were to go down for a period of time, the postoffice process on the sensor will store up to 1000 events in an internal queue.

If SecMon comes back on line then these 1000 events will be sent to SecMon.

If more than 1000 events are generated while SecMon is down then ONLY the first 1000 events will be queued and the most recent events will be dropped by the sensor until SecMon comes back up.

Also these 1000 events are stored in postoffice's memmory space. If the sensor is stopped or rebooted these 1000 events will be removed from memmory.

Workaround: If you believe you've lost events while SecMon is down, then there may still be a way to retrieve these events from the sensor using a manual method. You will need to have configured the sensor to ALSO log the events in log files on the sensor. Then when ever you think you may have lost events, then you will need to manually download the log files from the sensor for that time period. If I remember correctly, there is a script that can be run to then load these events into the database for viewing by SecMon.

With version 4.x sensors, the postoffice process was replaced by EventServer. The events are placed in an EventStore. When SecMon is running it will connect to EventServer and request the events. The EventServer will then access the EventStore to pull out the events and send them to SecMon.

The EventStore can hold several thousand alarms (on most sensors the EventStore is 4 Gig of harddrive space) all of which can be queried for through the EventServer.

So if SecMon goes down the events are still being written to the EventStore on the sensor. When SecMon comes back up, it merely connects to the EventServer and queries for all alarms since the time at which it went down. EventServer will then pull ALL of the alarms in the EventStore from that time forward.

The only events that may be lost would be where there were so many events that it filled the EventStore (EventStore will automatically overwrite the oldest alarms with the newest alarms when full).

Or if a user had executed "clear events" on the sensor while SecMon was down.

So in version 4.x sensors the sensor will store as many events as the EventStore will hold.

I am not aware of a doc that would spell this out for you at this time.

I know the doc writers are working on an architecture document, but I am not sure if it will get into this detail.

View solution in original post

3 Replies 3

Go to solution
marcabal
Cisco Employee
Cisco Employee

‎01-02-2004 12:45 PM

It depends on what version is on the sensor.

SideNote: Security Monitor (SecMon) is the VMS tool used for receiving and viewing alarms. IDS Management Center (IDS MC) is the VMS tool used for configuring the sensors. Many users will often use IDS MC to mean both IDS MC and SecMon.

With version 3.x sensors there is a process called postoffice that passes the events from the sensor to SecMon.

If SecMon (or the postoffice process on SecMon) were to go down for a period of time, the postoffice process on the sensor will store up to 1000 events in an internal queue.

If SecMon comes back on line then these 1000 events will be sent to SecMon.

If more than 1000 events are generated while SecMon is down then ONLY the first 1000 events will be queued and the most recent events will be dropped by the sensor until SecMon comes back up.

Also these 1000 events are stored in postoffice's memmory space. If the sensor is stopped or rebooted these 1000 events will be removed from memmory.

Workaround: If you believe you've lost events while SecMon is down, then there may still be a way to retrieve these events from the sensor using a manual method. You will need to have configured the sensor to ALSO log the events in log files on the sensor. Then when ever you think you may have lost events, then you will need to manually download the log files from the sensor for that time period. If I remember correctly, there is a script that can be run to then load these events into the database for viewing by SecMon.

With version 4.x sensors, the postoffice process was replaced by EventServer. The events are placed in an EventStore. When SecMon is running it will connect to EventServer and request the events. The EventServer will then access the EventStore to pull out the events and send them to SecMon.

The EventStore can hold several thousand alarms (on most sensors the EventStore is 4 Gig of harddrive space) all of which can be queried for through the EventServer.

So if SecMon goes down the events are still being written to the EventStore on the sensor. When SecMon comes back up, it merely connects to the EventServer and queries for all alarms since the time at which it went down. EventServer will then pull ALL of the alarms in the EventStore from that time forward.

The only events that may be lost would be where there were so many events that it filled the EventStore (EventStore will automatically overwrite the oldest alarms with the newest alarms when full).

Or if a user had executed "clear events" on the sensor while SecMon was down.

So in version 4.x sensors the sensor will store as many events as the EventStore will hold.

I am not aware of a doc that would spell this out for you at this time.

I know the doc writers are working on an architecture document, but I am not sure if it will get into this detail.

Go to solution
ben78ang
Level 1
Level 1
In response to marcabal

‎01-04-2004 05:53 PM

marcabel can u post a reply on this thread on the link to this new architecture document when its out.

Thx

Ben

0 Helpful

Go to solution
d.rehfeldt
Level 1
Level 1
In response to marcabal

‎01-26-2004 11:42 AM

Just to speak out, I would be very interested in the architecture documentation.

0 Helpful
Customers Also Viewed These Support Documents