
Table of Contents

Maintaining Monitoring Center for Security 1.2
Initial Configuration Tasks
Monitoring Security Monitor During Use
Obtaining Documentation
Obtaining Technical Assistance
Obtaining Additional Publications and Information

Maintaining Monitoring Center for Security 1.2


Monitoring Center for Security (Security Monitor) receives data from a variety of devices and stores that data in a database on the local disk. Security Monitor captures and stores data flowing into its receiver process at high rates (approximately 50 IDS events per second) for a sustained period, or at higher rates (up to 500 IDS events per second) for bursts of up to five minutes. Over time, receiving events at either rate can create performance issues, because both disk space requirements and query time increase with the amount of data stored.

Security Monitor provides several tools to prevent performance problems by keeping the database size manageable. In particular, three default database rules are installed with Security Monitor for maintaining the size of three database tables. These default rules are configured to:

Although the default database rules provide for a majority of your database maintenance needs, you should perform some other configuration tasks when you first install Security Monitor to keep the database size and disk usage at optimal levels.

After you have configured and are using Security Monitor, you should periodically monitor the following:

Flow Rates
Log File Size
Database File Size
Pruning Settings

Refer to the following sections for specific steps for configuring and monitoring the Security Monitor database environment:

Initial Configuration Tasks
Monitoring Security Monitor During Use

Initial Configuration Tasks

Immediately after installing Security Monitor, you should do the following:

Redirect Archive Files Away from the Database Disk
Redirect Backup Files Away from the Database Disk
Create a Database Rule

Redirect Archive Files Away from the Database Disk

Data is archived by the default database rules before it is removed from the database. When data is archived, Security Monitor creates a directory structure that contains the archived data files at the specified root directory location. The first thing you should do after installing Security Monitor is to redirect these archive files away from the database disk by changing the root directory location.

To change the root directory location for the default rules, follow these steps:


Step 1   In Security Monitor, select Admin > Database Rules.

The Database Rules table appears.

Step 2   Select the Default Pruning rule and click Edit.

Step 3   Click Next.

The Choose the Actions page appears.

The archive directory is specified in the Arguments list under Execute a Script. After installation, the argument contents look something like this:

-wc:\PROGRA~1\CSCOpx\MDC\Sybase\DB\IDS\AlertPruneData

This string specifies the root directory location where the archived files are stored.

Step 4   To redirect the archive files to another location (for example, d:\ArchiveData), change the argument string to the following:

-wd:\ArchiveData


Note   After installation, the root directory always points to the same disk where the database files are located. You must redirect the files away from this disk. You can specify a mounted network drive to redirect the archive files to a different computer.

Step 5   Click Finish.

Step 6   Repeat the procedure from Step 2 for the other default rules:



Redirect Backup Files Away from the Database Disk

The VPN/Security Management Solution (VMS) backup copies the databases and selected files of the installed management and monitoring centers to a time-stamped directory, which is located on the installation disk by default. Regularly scheduled backups can quickly consume a large amount of disk space, adversely affecting the performance of the installed management and monitoring centers. You can prevent this problem by moving the default location of the backups to a separate local disk or to a mounted network drive.

To move the default destination for the backups, follow these steps:


Step 1   From the CiscoWorks Server Desktop, select VPN/Security Management Solution > Administration > Common Services > Preferences.

The Administrative Preferences page appears.

Step 2   Type a new path in the Backup Directory field. You should point the path to another local disk or to a mounted network drive.

Step 3   Click Apply.

A confirmation dialog appears.

Step 4   Click Yes to confirm the change, then click OK to return to the Administrative Preferences page.



Create a Database Rule

When you delete data from Event Viewer in Security Monitor, the records are marked for deletion. To remove those records from the database, you need to create a database rule that executes once daily to delete records that are marked for deletion.

To create a database rule, follow these steps:


Step 1   In Security Monitor, select Admin > Database Rules.

Step 2   Click Add.

Step 3   Enter a name for the rule in the Rule Name field. You can enter a description of the rule in the Comment field.

Step 4   Select the Daily Beginning check box and enter the time that you want the rule to execute.

Step 5   Click Next.

The Choose the Actions page appears.

Step 6   On the Choose the Actions page, select the Execute a Script check box, and then select PruneMarkedForDeletion.pl from the dropdown list.

Step 7   Click Finish.



Monitoring Security Monitor During Use

While Security Monitor is running, you should periodically monitor the system for four things:

Flow Rates
Log File Size
Database File Size
Pruning Settings

Flow Rates

Devices sending information to Security Monitor must be configured properly so that they do not flood the Security Monitor receiver with unwanted messages and overload it with data. Flow rates for the various devices are measured continually and are available for viewing in the 24 Hour Metrics report.

Each row in the 24 Hour Metrics report represents a 15-minute interval of the 24-hour period. Each row lists two measurements for each type of event:

Look for any measurements that are too high. Security Monitor can handle a sustained rate of approximately 50 IDS events per second, or 45,000 in 15 minutes. For syslog events, system performance starts to suffer when syslog events approach 25 messages per second, or about 22,500 messages in 15 minutes.

If you find measurements that exceed those rates, you should determine the cause and correct the situation. This situation may indicate that one or more devices need to be configured differently to reduce the amount of events that are being sent.

To run the 24 Hour Metrics report, follow these steps:


Step 1   Select Reports > Generate.

Step 2   Select IDS Alarms from the Report Group list.

Step 3   Click 2 at the bottom of the list to go to the second page.

Step 4   Select the 24 Hour Metrics Report radio button, and then click Select.

Step 5   Click Finish to run the report.

A notification page appears.

Step 6   Click OK to close the notification page.

Step 7   Select IDS Alarms from the Report Group list.

The report appears in the list. You may need to refresh the page a few times for the report to appear.

Step 8   To see the report, select it from the list and click View.



Log File Size

Security Monitor uses log files for error messages and state information, and for temporary data storage. Because log files reside on the same disk as the database, you must monitor their size and periodically move them off the system or delete them to ensure that the database has enough space to operate.

There are two types of log files: CiscoWorks Server log files and IDS log files. Because Security Monitor provides no method for monitoring IDS log file sizes from the GUI, you need to monitor their sizes by accessing them through the file system. IDS log files are located in the ~CSCOpx/log directory and all begin with the prefix "IDS_". Any IDS log file larger than 50,000 bytes should be deleted or moved away from the database disk.

To monitor the size of and manage the CiscoWorks Server log files, follow these steps:


Step 1   From the CiscoWorks Server Desktop, select Server Configuration > Administration > Log File Status.

The Log File Status page displays a list of the CiscoWorks Server log files, the sizes of the log files, and the percentage of the database disk being used. The sizes of any of the log files that have grown larger than their recommended maximum size are shown in red. You may need to delete or move them to another computer.


Note   Both CiscoWorks Server and IDS log files are located in the ~CSCOpx/log directory.

Step 2   To refresh the display, click Update.

Step 3   To move or delete the CiscoWorks Server log files, follow these steps:

    a. Close all browser windows that are accessing CiscoWorks.

    b. Stop the CiscoWorks Daemon Manager service on the Security Monitor server (either through the Windows Service panel or by using "net stop" from the command line). This will stop several associated processes and may take a few minutes.

    c. If you are deleting or moving Syslog.log, you must also stop the CWCS syslog service.

    d. Copy the files you want to move to another drive. You may specify a mapped network drive to move them to another computer.

    e. Delete the log files.

    f. Restart the CWCS syslog service if you stopped it.

    g. Restart the CiscoWorks Daemon Manager. The Daemon Manager service may take a few minutes to start.



Database File Size

You can monitor disk utilization from the Log File Status page. The File System Utilization column indicates the percentage of the database disk that is in use. The actual percentage that can be used without degrading the system depends on the available resources, but it should not exceed 80%, because the database needs extra space during operation to maintain its transaction log.

The Security Monitor database is stored in two files that are located in the ~CSCOpx\MDC\Sybase\Db\IDS subdirectory: idsmdc.db and idsmdc.log. During normal operation, the size of the idsmdc.db file is never reduced. When records are pruned from the database tables, space is made available in the file for additional data, but the file does not become smaller. If the default pruning rules are in place and pruning is occurring, you do not need to reduce the size of the database files. However, in some situations (for example, when the default rules are deleted or if the IDS_dbAdminAnalyzer daemon is stopped), these files may grow large, and you will have to reduce their size. The database compact utility provides this function. You will want to run this utility if the idsmdc.db and idsmdc.log files combined exceed your available resources. You can find instructions for running the utility at http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/mon_sec/secmon12/ug/ch07.htm#1824.
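The two checks above (IDS_ log files over 50,000 bytes in ~CSCOpx/log, and the database disk's utilization against the 80% ceiling together with the idsmdc.db and idsmdc.log sizes) are file-system checks, so they can be scripted rather than done by hand. The following is an added example and is not code from the Cisco page or from the product. The install root, the sample file names (IDS_Receiver.log, IDS_Notifier.log, syslog.log), the ArchiveLogs destination and all function names are assumptions; only the IDS_ prefix, the 50,000-byte limit, the two database file names and the 80% ceiling come from the page. The sample directory tree is constructed in a temporary directory so the script runs offline.

```python
# Added example (not from the Cisco page): the file-system checks the page
# describes doing by hand, in one script. Paths are parameters because the
# ~CSCOpx install root varies per host.
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List, Tuple

IDS_LOG_PREFIX = "IDS_"
IDS_LOG_LIMIT_BYTES = 50_000   # page: larger IDS_ logs should be moved or deleted
DISK_USAGE_CEILING = 0.80      # page: keep headroom for the transaction log
DB_FILES = ("idsmdc.db", "idsmdc.log")


@dataclass
class CheckResult:
    oversized_logs: List[Tuple[str, int]] = field(default_factory=list)
    db_file_bytes: Dict[str, int] = field(default_factory=dict)
    disk_used_fraction: float = 0.0
    disk_over_ceiling: bool = False


def oversized_ids_logs(log_dir: Path, limit: int = IDS_LOG_LIMIT_BYTES) -> List[Tuple[str, int]]:
    """(name, size) for each IDS_* file in log_dir larger than limit, sorted by name."""
    found = []
    for entry in sorted(Path(log_dir).iterdir()):
        if entry.is_file() and entry.name.startswith(IDS_LOG_PREFIX):
            size = entry.stat().st_size
            if size > limit:
                found.append((entry.name, size))
    return found


def db_file_sizes(db_dir: Path) -> Dict[str, int]:
    """Sizes of idsmdc.db and idsmdc.log (0 if absent); idsmdc.db never shrinks by itself."""
    paths = {name: Path(db_dir) / name for name in DB_FILES}
    return {name: p.stat().st_size if p.exists() else 0 for name, p in paths.items()}


def disk_used_fraction(path: Path) -> float:
    usage = shutil.disk_usage(path)
    return usage.used / usage.total


def run_checks(log_dir: Path, db_dir: Path, usage_fn: Callable[[Path], float] = disk_used_fraction,
               ceiling: float = DISK_USAGE_CEILING) -> CheckResult:
    """Gather the three figures; usage_fn is injectable so the ceiling test is reproducible."""
    used = usage_fn(db_dir)
    return CheckResult(oversized_ids_logs(log_dir), db_file_sizes(db_dir), used, used > ceiling)


def move_oversized_logs(log_dir: Path, dest_dir: Path, limit: int = IDS_LOG_LIMIT_BYTES) -> List[str]:
    """Move oversized IDS_ logs to dest_dir (another disk or a mapped network drive).
    Stop the CiscoWorks Daemon Manager first so no process holds the files open."""
    Path(dest_dir).mkdir(parents=True, exist_ok=True)
    moved = []
    for name, _size in oversized_ids_logs(log_dir, limit):
        shutil.move(str(Path(log_dir) / name), str(Path(dest_dir) / name))
        moved.append(name)
    return moved


def build_sample_tree(base: Path) -> Tuple[Path, Path]:
    """Constructed sample tree (not real product data) mirroring ~CSCOpx/log and the Db/IDS dir."""
    log_dir = base / "CSCOpx" / "log"
    db_dir = base / "CSCOpx" / "MDC" / "Sybase" / "Db" / "IDS"
    log_dir.mkdir(parents=True)
    db_dir.mkdir(parents=True)
    (log_dir / "IDS_Receiver.log").write_bytes(b"x" * 60_000)  # over the 50,000-byte limit
    (log_dir / "IDS_Notifier.log").write_bytes(b"x" * 1_000)   # under the limit
    (log_dir / "syslog.log").write_bytes(b"x" * 200_000)       # CiscoWorks log: the GUI covers it
    (db_dir / "idsmdc.db").write_bytes(b"x" * 4_000_000)
    (db_dir / "idsmdc.log").write_bytes(b"x" * 250_000)
    return log_dir, db_dir


def demo(used_fraction: float = 0.85) -> Tuple[CheckResult, List[str], List[Tuple[str, int]]]:
    """Check the sample tree with an injected disk figure, then move the oversized logs
    to a sibling ArchiveLogs directory standing in for a second disk."""
    base = Path(tempfile.mkdtemp(prefix="secmon_check_"))
    try:
        log_dir, db_dir = build_sample_tree(base)
        result = run_checks(log_dir, db_dir, usage_fn=lambda _p: used_fraction)
        moved = move_oversized_logs(log_dir, base / "ArchiveLogs")
        remaining = oversized_ids_logs(log_dir)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return result, moved, remaining


if __name__ == "__main__":
    res, moved, left = demo()
    print(f"oversized IDS logs: {res.oversized_logs}; moved: {moved}; left: {left}")
    print(f"db files: {sum(res.db_file_bytes.values())} bytes; disk {res.disk_used_fraction:.0%} used;"
          f" over ceiling: {res.disk_over_ceiling}")
```

On a real host, call run_checks with the actual ~CSCOpx/log and ~CSCOpx\MDC\Sybase\Db\IDS paths and the default usage_fn; the disk figure it computes is the same quantity the File System Utilization column shows. Only IDS_ logs are moved by the script, because the page's procedure for the CiscoWorks Server logs requires the Daemon Manager (and for Syslog.log the CWCS syslog service) to be stopped first.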

Pruning Settings

Under normal operation, when events are flowing into Security Monitor and the default database rules are in place, the system prunes excess data (the oldest data) automatically. When the pruning occurs depends upon the number of events that have been received and the sizes of the syslog, IDS events, and audit log tables. Whenever the pruning utility runs, it logs a message to the audit log table at the start of the process and again when it is completed. You should check the audit log for these pruning messages to be sure that data is being pruned from the database as expected. For example, check to see if the pruning process is started but not completed. Follow these steps to run the Pruning subsystem report:


Step 1   In Security Monitor, select Reports > Generate.

Step 2   Select Audit Log from the Report Group list.

Step 3   Select the Subsystem Report radio button and click Select.

Step 4   Click Select All next to Event Severity, select IDS_Database Prune from the Subsystem list, and then click Next.

Step 5   Click Finish to run the report.

Step 6   Select Audit Log from the Report Group list.

The report appears in the list. You may need to refresh the page a few times before the report appears.

Step 7   Select the report and click View.



The pruning report lists a timestamped message each time the pruning process started and each time it completed. If you think that the database should have been pruned but the process did not run, check the following:

The IDS_DbAdminAnalyzer process determines when a rule's trigger condition has been met. If it is not running, the rule will not execute. You can stop and restart processes from the CiscoWorks Server Desktop: select Server Configuration > Administration > Process Management. From there you can view the status of the processes, stop them, or start stopped processes.

The IDS_Notifier process runs the script specified by the rule, and that script in turn runs the pruning utility. If IDS_Notifier is not running, the script is never executed.

Only one instance of the pruning utility can run at a time. If someone started the utility from the command line to perform another task (for example, archiving data), the rule would attempt to execute but the pruning would not run. Make sure that no other instances of the pruning utility are running.
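The check the page asks for (a pruning run that started but did not complete, or no pruning at all when some was expected) is a matter of pairing start and completion messages in time order, which is easy to get wrong by eye in a long Subsystem Report. The following is an added example, not code from the Cisco page or from the product. The row layout (timestamp|subsystem|severity|message), the message wording, the 24-hour and 2-hour windows, and the function names are assumptions; the subsystem name IDS_Database Prune and the fact that the utility logs once at start and once at completion come from the page. The sample rows are constructed, not a real audit-log export.

```python
# Added example (not from the Cisco page): pair the "started" and "completed"
# audit-log messages of the IDS_Database Prune subsystem and report runs that
# never completed, completions with no start, and a stale last completion.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PRUNE_SUBSYSTEM = "IDS_Database Prune"   # subsystem name from the page
START_MARKER = "started"                 # assumed wording of the start message
COMPLETE_MARKER = "completed"            # assumed wording of the completion message
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


@dataclass
class PruneReport:
    completed_runs: List[Tuple[datetime, datetime]] = field(default_factory=list)
    incomplete_starts: List[datetime] = field(default_factory=list)
    orphan_completions: List[datetime] = field(default_factory=list)
    last_completed: Optional[datetime] = None
    stale: bool = False   # no completed run inside the expected window

    @property
    def healthy(self) -> bool:
        return not (self.incomplete_starts or self.orphan_completions or self.stale)


def parse_row(line: str) -> Tuple[datetime, str, str, str]:
    """Assumed export layout: 'YYYY-MM-DD HH:MM:SS|subsystem|severity|message'."""
    ts, subsystem, severity, message = (part.strip() for part in line.split("|", 3))
    return datetime.strptime(ts, TIME_FORMAT), subsystem, severity, message


def analyse_prune_log(lines: List[str], now: datetime,
                      max_age: timedelta = timedelta(hours=24),
                      max_run: timedelta = timedelta(hours=2)) -> PruneReport:
    """Walk the rows in time order keeping at most one open run. A start followed by
    another start, or still open after max_run at 'now', is incomplete; a completion
    with no open run is orphaned; no completion within max_age of 'now' is stale."""
    rows = sorted((parse_row(l) for l in lines if l.strip()), key=lambda r: r[0])
    report = PruneReport()
    open_start: Optional[datetime] = None
    for ts, subsystem, _severity, message in rows:
        if subsystem != PRUNE_SUBSYSTEM:
            continue
        text = message.lower()
        if START_MARKER in text:
            if open_start is not None:
                report.incomplete_starts.append(open_start)
            open_start = ts
        elif COMPLETE_MARKER in text:
            if open_start is None:
                report.orphan_completions.append(ts)
            else:
                report.completed_runs.append((open_start, ts))
                report.last_completed = ts
                open_start = None
    if open_start is not None and now - open_start > max_run:
        report.incomplete_starts.append(open_start)
    report.stale = report.last_completed is None or now - report.last_completed > max_age
    return report


# Constructed sample rows (not a real audit-log export). The 2003-10-15 run
# starts and never completes: the case the page says to look for.
SAMPLE_AUDIT_ROWS = [
    "2003-10-14 02:00:03|IDS_Database Prune|Informational|Pruning started: alarm table",
    "2003-10-14 02:07:41|IDS_Database Prune|Informational|Pruning completed: alarm table",
    "2003-10-14 09:15:00|IDS_Notifier|Informational|Notification rule evaluated",
    "2003-10-15 02:00:02|IDS_Database Prune|Informational|Pruning started: alarm table",
    "2003-10-16 02:00:05|IDS_Database Prune|Informational|Pruning started: alarm table",
    "2003-10-16 02:06:30|IDS_Database Prune|Informational|Pruning completed: alarm table",
]


def analyse_sample(now_text: str) -> PruneReport:
    """Analyse the sample rows as of the given 'YYYY-MM-DD HH:MM:SS' instant."""
    return analyse_prune_log(SAMPLE_AUDIT_ROWS, datetime.strptime(now_text, TIME_FORMAT))


def fmt(ts: datetime) -> str:
    return ts.strftime(TIME_FORMAT)


if __name__ == "__main__":
    report = analyse_sample("2003-10-16 12:00:00")
    for start, end in report.completed_runs:
        print(f"completed run {fmt(start)} -> {fmt(end)} ({end - start})")
    for start in report.incomplete_starts:
        print(f"started but never completed: {fmt(start)}")
    print(f"stale: {report.stale}, healthy: {report.healthy}")
```

An incomplete start points at the second and third checks above (the script or utility did not finish, or another instance held the utility), while a stale report with no starts at all points at the first (IDS_DbAdminAnalyzer or IDS_Notifier not running). The max_age window should match how often the default rules are expected to fire on your installation.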

Obtaining Documentation

Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.

Cisco.com

You can access the most current Cisco documentation on the World Wide Web at this URL:

http://www.cisco.com/univercd/home/home.htm

You can access the Cisco website at this URL:

http://www.cisco.com

International Cisco websites can be accessed from this URL:

http://www.cisco.com/public/countries_languages.shtml

Documentation CD-ROM

Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.

Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:

http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html

All users can order annual or quarterly subscriptions through the online Subscription Store:

http://www.cisco.com/go/subscription

Ordering Documentation

You can find instructions for ordering documentation at this URL:

http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm

You can order Cisco documentation in these ways:

http://www.cisco.com/en/US/partner/ordering/index.shtml

Documentation Feedback

You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.

You can send your comments in e-mail to bug-doc@cisco.com.

You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:

Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

For all customers, partners, resellers, and distributors who hold valid Cisco service contracts, the Cisco Technical Assistance Center (TAC) provides 24-hour, award-winning technical support services, online and over the phone. Cisco.com features the Cisco TAC website as an online starting point for technical assistance.

Cisco TAC Website

The Cisco TAC website (http://www.cisco.com/tac) provides online documents and tools for troubleshooting and resolving technical issues with Cisco products and technologies. The Cisco TAC website is available 24 hours a day, 365 days a year.

Accessing all the tools on the Cisco TAC website requires a Cisco.com user ID and password. If you have a valid service contract but do not have a login ID or password, register at this URL:

http://tools.cisco.com/RPF/register/register.do

Opening a TAC Case

The online TAC Case Open Tool (http://www.cisco.com/tac/caseopen) is the fastest way to open P3 and P4 cases (your network is minimally impaired or you require product information). After you describe your situation, the TAC Case Open Tool automatically recommends resources for an immediate solution. If your issue is not resolved using these recommendations, your case will be assigned to a Cisco TAC engineer.

For P1 or P2 cases (your production network is down or severely degraded) or if you do not have Internet access, contact Cisco TAC by telephone. Cisco TAC engineers are assigned immediately to P1 and P2 cases to help keep your business operations running smoothly.

To open a case by telephone, use one of the following numbers:

Asia-Pacific: +61 2 8446 7411 (Australia: 1 800 805 227)
EMEA: +32 2 704 55 55
USA: 1 800 553-2447

For a complete listing of Cisco TAC contacts, go to this URL:

http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml

TAC Case Priority Definitions

To ensure that all cases are reported in a standard format, Cisco has established case priority definitions.

Priority 1 (P1)—Your network is "down" or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.

Priority 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operation are negatively affected by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.

Priority 3 (P3)—Operational performance of your network is impaired, but most business operations remain functional. You and Cisco will commit resources during normal business hours to restore service to satisfactory levels.

Priority 4 (P4)—You require information or assistance with Cisco product capabilities, installation, or configuration. There is little or no effect on your business operations.

Obtaining Additional Publications and Information

Information about Cisco products, technologies, and network solutions is available from various online and printed sources.

http://www.cisco.com/en/US/products/products_catalog_links_launch.html

http://www.ciscopress.com

http://www.cisco.com/go/packet

http://www.cisco.com/go/iqmagazine

http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html

http://www.cisco.com/en/US/learning/index.html

Copyright © 2003, Cisco Systems, Inc. All rights reserved.


Posted: Wed Oct 15 18:46:00 PDT 2003