
Some Questions for IDS MC?

gchui
Level 1

1. After alert events are pruned into the folder "AlertPruneData", they will become some "txt" files. Which application can I use to read the events from these txt files?

2. For the default alarm pruning, it is stated in the document that only the events in the alert table will be pruned. But after pruning, I can see some syslogxxx.txt files in the "AlertPruneData" folder. Does it mean that the events in the syslog table have been pruned too?

Thanks for all your comments

1 Reply

m.singer
Level 4

You can prune alarms based on a number of different criteria such as 'alarms older than the specified number of days' or 'number of events in a table has exceeded a given limit'. Also, pruning can be done on a specified table or tables, i.e., you can specify the type of table to be pruned. You can choose from the table types syslog, alert, auditlog, deploy and sysconfig, or you could list multiple tables (using a comma-delimited list).

'Default alarm pruning' and 'default syslog pruning' are two database rules for pruning events that are present by default in the Database Rules page. Further, it is my understanding that all pruned data goes to (is archived in) the same folder. What might be happening is that the syslog messages you see were pruned from the syslog table by the 'default syslog pruning' rule and not from the alerts table.

If you wish to do so, the default rules can be modified too. For more information, you could take a look at the document Administering Security Monitor at the URL http://www.cisco.com/en/US/products/sw/cscowork/ps3991/products_user_guide_chapter09186a00800e4371.html
