Using Monitoring Center for Security 2.2
Maintaining the Database

Table Of Contents

Maintaining the Database

Configuring Database Pruning

Viewing Pruning Status Messages

Using Database Rules

Adding a Database Rule

About Executing a Script from a Database Rule

Viewing Database Rule Details

Editing a Database Rule

Deleting a Database Rule

Backing Up the Database

Restoring the Database

Specifying File Management Settings


Maintaining the Database


The Data Management options allow you to manage the size of the database and disk files generated by Monitoring Center for Security (Security Monitor). The database features enable you to configure pruning settings, view pruning status, and define database rules. The file management feature enables you to monitor the size of log files and forensics data generated by Security Monitor.


Caution User attempts to connect directly to the database can cause performance reductions and unexpected system behavior. It is strongly recommended that you avoid attempting to connect directly to the database. Also, do not run SQL queries against the database.


Caution It is normal for the transaction log file (idsmdc.log) to grow and shrink during system operation as database transactions are issued and committed to the database. If you are concerned about the size of idsmdc.log, you can back up the database, which commits the transactions in idsmdc.log to the database and then truncates the log file. However, you should never delete or modify the transaction log file unless specifically instructed to by TAC, as this will corrupt the database. For instructions on backing up the database, see Backing Up the Database. For information about reducing the size of the database, see Compacting the Database, page A-19.

This chapter contains the following topics:

Configuring Database Pruning

Viewing Pruning Status Messages

Using Database Rules

Backing Up the Database

Restoring the Database

Specifying File Management Settings

Configuring Database Pruning

Events are pruned from the database when the event tables exceed a specified size. The oldest event records are deleted from an event table first.


Note Several database tables permit archiving. Before archiving, you must specify the archive file location. For more information, see Redirecting Archive Files Away from the Database Disk, page 1-3.



Note IP log files are not handled by the pruning process. You can administer the size of IP log files using the File Management options. For more information, see Specifying File Management Settings.


To specify the pruning configuration, follow these steps:


Step 1 Select Admin > Data Management.

The Data Management page appears.

Step 2 Select Pruning Configuration in the TOC area.

The Pruning Configuration page appears.

Step 3 Specify pruning configurations for the following database tables. The default values are listed in Table 1-1.

NIDS—Applies to network IDS/IPS events received from multiple sources. Events are stored in multiple tables that must be archived and pruned together. The smallest Max Size value you can set for this table is 100,000 events.

CSA—Applies to events received from Cisco Security Agents. Events are stored in three tables that must be archived and pruned together. The smallest Max Size value you can set for this table is 100,000 events.

Firewall—Applies to non-IDS events received through syslog. Events are stored in a single table that can be archived before pruning. The smallest Max Size value you can set for this table is 100,000 events.

Audit Log—Applies to audit log data. This table is shared with Management Center for IPS Sensors (IPS MC) and cannot be archived. The smallest Max Size value you can set for this table is 100,000 events.


Tip Reducing the size of a large table may temporarily impact system performance because all system resources are redirected to the resizing process until it completes. Performance degradation may also occur if you set a table size to greater than 2,000,000 events.


Step 4 To apply your changes, click Apply.

Step 5 To restore the default pruning configuration, click Restore Defaults. Table 1-1 lists the default settings.

Table 1-1 Default Pruning Configuration 

Table to Prune    Max Size     Allow Archiving
NIDS              2,000,000    Yes
CSA               1,000,000    Yes
Firewall          2,000,000    Yes
Audit Log         1,000,000    No


The table settings are restored to their default values.
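The following is an added example, not code from the original page or from Cisco, and it must not be run against the Security Monitor database (the caution at the start of this chapter applies). It models, in a throwaway SQLite file, what "tables that must be archived and pruned together" means: the oldest events are selected first, the matching rows in each linked table are written to an archive before anything is deleted, and the archive writes and the deletes are one transaction, so a failure part-way leaves every table as it was. The table names, column names, and sample data are assumptions made for the example.

```python
"""Model of archive-then-prune across linked event tables (added example, not product code).

Do not run this against the Security Monitor database; it uses its own throwaway
SQLite file. Table names, column names and sample data are assumptions.
"""
import csv
import os
import sqlite3
import tempfile

MIN_MAX_SIZE = 100_000  # lower bound the Pruning Configuration page enforces

# Fixed, trusted identifiers: the parent event table and the child table keyed on it.
# They are never taken from input, which is why they may be built into SQL text below.
EVENT_TABLES = (("events", "id"), ("event_detail", "event_id"))


def create_schema(conn):
    """Parent event table plus a child table that references it by event id."""
    conn.executescript(
        "CREATE TABLE events (id INTEGER PRIMARY KEY, ts INTEGER NOT NULL, sig TEXT);"
        "CREATE TABLE event_detail (event_id INTEGER NOT NULL, key TEXT, value TEXT);"
        "CREATE INDEX idx_events_ts ON events(ts);"
    )


def seed_events(conn, n, details_per_event=2):
    """Constructed sample data: event i arrives at time i with a few detail rows."""
    conn.execute("BEGIN")
    for i in range(1, n + 1):
        conn.execute("INSERT INTO events(id, ts, sig) VALUES (?, ?, ?)", (i, i, f"sig-{i % 5}"))
        for k in range(details_per_event):
            conn.execute("INSERT INTO event_detail(event_id, key, value) VALUES (?, ?, ?)",
                         (i, f"k{k}", f"v{i}-{k}"))
    conn.execute("COMMIT")


def prune_event_set(conn, max_size, archive_dir=None, min_max_size=MIN_MAX_SIZE):
    """Remove the oldest events above max_size; archive them first if archive_dir is set.

    Returns the number of events removed. Archive writes and deletes share one
    transaction, so a failure part-way leaves every table unchanged.
    """
    if max_size < min_max_size:
        raise ValueError(f"Max Size must be at least {min_max_size}")
    (count,) = conn.execute("SELECT COUNT(*) FROM events").fetchone()
    excess = count - max_size
    if excess <= 0:
        return 0
    # Oldest first: order by timestamp, with id as the tiebreaker.
    victims = [row[0] for row in conn.execute(
        "SELECT id FROM events ORDER BY ts, id LIMIT ?", (excess,))]
    marks = ",".join("?" * len(victims))
    conn.execute("BEGIN")
    try:
        if archive_dir is not None:
            # Archive parent and child rows for the same ids so the archive is self-consistent.
            for table, col in EVENT_TABLES:
                rows = conn.execute(
                    f"SELECT * FROM {table} WHERE {col} IN ({marks}) ORDER BY {col}", victims
                ).fetchall()
                with open(os.path.join(archive_dir, f"{table}.csv"), "a", newline="") as fh:
                    csv.writer(fh).writerows(rows)
        # Delete child rows before parent rows, inside the same transaction.
        for table, col in reversed(EVENT_TABLES):
            conn.execute(f"DELETE FROM {table} WHERE {col} IN ({marks})", victims)
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return excess


def demo(total_events=50, max_size=30):
    """Run the model in a temp dir; return (removed, events left, details left, oldest ts, archived rows)."""
    with tempfile.TemporaryDirectory() as tmp:
        # isolation_level=None: the functions above manage BEGIN/COMMIT themselves.
        conn = sqlite3.connect(os.path.join(tmp, "model.db"), isolation_level=None)
        create_schema(conn)
        seed_events(conn, total_events)
        removed = prune_event_set(conn, max_size, archive_dir=tmp, min_max_size=1)
        (left,) = conn.execute("SELECT COUNT(*) FROM events").fetchone()
        (details,) = conn.execute("SELECT COUNT(*) FROM event_detail").fetchone()
        (oldest,) = conn.execute("SELECT MIN(ts) FROM events").fetchone()
        conn.close()
        archive = os.path.join(tmp, "events.csv")
        archived = 0
        if os.path.exists(archive):
            with open(archive, newline="") as fh:
                archived = sum(1 for _ in csv.reader(fh))
        return removed, left, details, oldest, archived
```

The minimum-size check mirrors the 100,000 lower bound of the Pruning Configuration page; demo() lowers it only so that a small constructed dataset can be pruned. With 50 events and a Max Size of 30, the 20 oldest events and their 40 detail rows are archived and removed together, and the oldest surviving timestamp is 21.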


Viewing Pruning Status Messages

You can view information about the database pruning status. The information includes a timestamp, a status message, and the event type.

To view the pruning status messages, follow these steps:


Step 1 Select Admin > Data Management.

The Data Management page appears.

Step 2 Select Pruning Status in the TOC area.

The Pruning Status page appears. The most recent messages appear at the bottom of the table. Click Refresh to refresh the table.


Using Database Rules

You can use database rules to send notifications, log a console notification event, or execute a script when specific thresholds or intervals are met.


Note Database rules no longer support pruning requests. If you upgrade from a previous version of Security Monitor, you must delete any existing database rules that call pruning scripts.


This section contains the following topics:

Adding a Database Rule

Viewing Database Rule Details

Editing a Database Rule

Deleting a Database Rule

Adding a Database Rule

When a user-defined database threshold is met, or at a scheduled time or interval, Security Monitor can take an action that you define in a database rule. These actions include sending an e-mail notification, logging a console notification event, or executing a script.

To add a database rule, follow these steps:


Step 1 Select Admin > Data Management > Database > Rules.

The Database Rules page appears.

Step 2 Click Add.

The Enter Rule Name page appears.

Step 3 Enter a name for your database rule in the Rule Name field.

Step 4 Enter a description of the rule in the Comment field.

Step 5 Click Next.

The Choose the Actions page appears. You can select more than one action on the Choose the Actions page.

Step 6 To send an e-mail notification when the specified threshold is met, follow these steps:

a. Select the Notify via Email check box.

b. Enter the e-mail address for the recipient in the Recipient(s) field. For multiple e-mail addresses, use a comma-separated list.

c. Enter the subject for the message in the Subject field.

d. Enter the message body text in the Message field.

Step 7 To log a console notification to the audit log when the specified threshold is met, follow these steps:


Tip You can view console notifications in Security Monitor or generate the Console Notification Report. For more information, see Viewing Console Notifications, page 1-7, and Chapter 1, "Defining and Viewing Reports."


a. Select the Log a Console Notification Event check box.

b. Enter your CiscoWorks user name in the User Name field.

c. Select an event level from the Severity list box.

d. Enter a message in the Message field.

Step 8 To execute a script when the specified threshold is met, follow these steps:

a. Select the Execute a Script check box.

b. Select a script from the Script File list box. For more information about scripts, see About Executing a Script from a Database Rule.

c. Enter any required arguments in the Arguments field.

Step 9 After selecting all desired actions, click Next.

The Specify the Trigger Conditions page appears.

Step 10 To specify a threshold that triggers Security Monitor to take an action, select the One or more of the following conditions are met radio button. Then, you can specify one or more of the following triggers:

To trigger an action when the database exceeds a specified size, select the Database used space greater than (megabytes) check box. Then, enter the database size, in megabytes, that will trigger the action.

To trigger an action when the database free space is less than a specified size, select the Database freespace less than (megabytes) check box. Then, enter the database free space size, in megabytes, that will trigger the action.

To trigger an action when the total number of IDS events in the database exceeds a specified number, select the Total IDS events in database exceed check box. Then, enter the number of IDS events that will trigger the action.

To trigger an action when the total number of Cisco Security Agent (CSA) events in the database exceeds a specified number, select the Total CSA events in database exceed check box. Then, enter the number of Cisco Security Agent events that will trigger the action.

To trigger an action when the total number of firewall events in the database exceeds a specified number, select the Total Firewall events in database exceed check box. Then, enter the number of firewall events that will trigger the action.

To trigger an action when the total number of audit log events in the database exceeds a specified number, select the Total Audit Log events in database exceed check box. Then, enter the number of audit log events that will trigger the action.

To trigger an action when the total number of events in the database exceeds a specified number, select the Total events in database exceed check box. Then, enter the number of events that will trigger the action.

Step 11 To run the database rule at a scheduled time or at regular intervals, follow these steps:

a. Select the At Scheduled Date radio button.

b. Click the calendar icon next to the At Scheduled Date field to select a date from the built-in calendar on which you want the rule to run.

c. Specify the time that you want the rule to run in the Time field. The time is specified in hours, minutes, and seconds (hh:mm:ss). The time zone used to interpret the time is displayed to the right of the Time field.

d. To run the rule at regular intervals, select the Repeat every check box, enter a number, and select Day(s), Week(s), or Month(s) in the list box. The rule then runs again after that many days, weeks, or months.

Step 12 To run the rule now, select the Now radio button.

Step 13 Click Finish.

The database rule is added.


About Executing a Script from a Database Rule

One of the actions you can select from the Choose the Actions page is Execute a Script. If you select Execute a Script, you must select a script from the Script File list box.

Security Monitor includes the LegacyIf.pl script, which is applicable only to event rules.

You can add your own custom scripts. To add a custom script, place your script file in the X:\Program Files\CSCOpx\MDC\etc\ids\scripts folder, where X is the drive where Security Monitor is installed. Any script file placed in this folder appears in the Script File list box.


Caution Security Monitor cannot validate scripts or their execution. A poorly written custom script can potentially crash your system. Because any file in the scripts folder can be selected and run by Security Monitor, treat write access to that folder as the ability to run code on the server: restrict it to administrators, and review the script and the arguments of each rule that uses it.

Viewing Database Rule Details

This procedure provides the basic steps for viewing detail information for a database rule. You cannot edit database rules from the View Database Rule page.

To view a database rule, follow these steps:


Step 1 Select Admin > Data Management > Database > Rules.

The Database Rules page appears.

Step 2 Click the name of the database rule that you want to view.

The View Database Rule page appears. Detailed information about the rule appears in the Information for Database Rule table.


Editing a Database Rule

You edit database rules in the same manner that you create them.

To edit a database rule, follow these steps:


Step 1 Select Admin > Data Management > Database > Rules.

The Database Rules page appears.

Step 2 Click the radio button next to the database rule you want to edit, and then click Edit.

The Enter Rule Name page appears.

Step 3 Make any necessary changes to the fields that you want to revise. Click Next to access the Choose the Actions and Specify the Trigger Conditions pages to make changes.

Step 4 To save your changes, click Finish.


Deleting a Database Rule

You can delete unwanted database rules.

To delete a database rule, follow these steps:


Step 1 Select Admin > Data Management > Database > Rules.

The Database Rules page appears.

Step 2 Select the radio button next to the database rule that you want to delete.

Step 3 Click Delete.


Caution You are not prompted to confirm the deletion. Additionally, you cannot recover a deleted database rule.

The database rule is deleted from Security Monitor.


Backing Up the Database

You should back up the database regularly so that you have a safe copy of the Security Monitor database. You can back up the database on demand, at a specific time, or at scheduled intervals. You cannot back up the database while restoring or compacting the database.

When you back up the database, the data for all CiscoWorks Common Services client applications is backed up; you cannot specify a backup for the data of a single client application, such as Security Monitor. Additionally, user account information is not saved in the backup. You must use the CiscoWorks Server utilities to back up user account information.


Note You can only back up the data to the server. You cannot back up the database to a client system, even if that client system is being used to connect to CiscoWorks Common Services and initiate the backup. However, after you back up the database, we recommend that you store the backup on a different computer to prevent data loss in the case of hardware failure. Because the backup contains the event data collected by Security Monitor and every other client application, protect the copy with the same access controls as the server itself.


Before You Begin

This procedure is performed from the CiscoWorks desktop, not from Security Monitor. You must log in to the CiscoWorks desktop using an account with administrative privileges.

To back up the database, follow these steps:


Step 1 Select VPN/Security Management Solution > Administration > Common Services > Backup Database from the navigation tree.

The Backup Database page appears.

Step 2 Specify the path to the directory where you want the backup stored. You can specify the backup directory in one of two ways:

Enter the path into the Backup Directory field. If the directory you specify does not exist, it is created for you.

Click Select and browse to an existing directory. To change drives, enter the drive letter in the field.


Note The default backup directory path is <install_drive_and_path>/CSCOpx/MDC/backup/.


Step 3 To specify that you want to send an e-mail to designated recipients each time the database is backed up, select the Email Notification check box and enter an e-mail address in the field.


Note If you have specified a default e-mail address on the Preferences page, that address appears in the Email Notification field by default. You can add additional recipients by separating e-mail addresses with a comma.


Step 4 To specify that the database backup is performed immediately, select the Immediate check box.

Step 5 To specify a specific date and time when you want the database backup to begin, follow these steps:


Note You cannot schedule a backup while performing an immediate backup.


a. Deselect the Immediate check box.

b. Use the scroll arrows to display the month, day, and year in the Start Date lists under Schedule, and then click each displayed value to confirm your selection.

Confirmed selections appear in blue.

c. Use the scroll arrows to display the hour and minutes in the Start Time lists under Schedule, and then click each displayed value to confirm your selection.

Confirmed selections appear in blue.

Step 6 To specify that a backup should take place at regular intervals, follow these steps:

a. Enter a value in the Repeat After field, and select Days, Hours, or Minutes from the list. You must click your list selection after using the scroll arrows for the selection to take effect.

b. To limit the number of times the database backup occurs, enter a value in the Limit Occurrences field under Frequency.


Note Entering 1 in both the Repeat After and Frequency fields causes the database backup to occur only once at the scheduled date and time.


Step 7 To back up the database according to the settings you have specified, click Finish.

A message box provides the status of the database backup. If you selected the Immediate check box, the database backup begins immediately. The backup may take several minutes to complete. The backup is stored in a subdirectory named with the time and date that the backup occurred (in yyyymmddhhmmss format).

Step 8 Click OK to close the message box.


Restoring the Database

You can restore the database from an existing backup. The backup contains data from all installed CiscoWorks Common Services client applications on the server. Because user account information is not backed up, you cannot use restore to recover deleted accounts. Additionally, license information is not restored; the license in effect when the restore is performed remains in effect after the restore.


Note Restoring a backup from one server onto another server is not supported.



Caution Restoring the database restores the data for all client applications; you cannot restore the data for a single client application, such as Security Monitor. Therefore, restoring the database resets all client application data to the state it was in when the backup was created.


Note You cannot restore the database while compacting or backing up the database.



Note After restoring the database from a backup, reports in IPS MC and Security Monitor that were scheduled to run at any time between when the database was backed up and when it was restored are rerun immediately following the restore because the job scheduler considers them overdue.


Before You Begin

This procedure is performed from the CiscoWorks desktop, not from Security Monitor. You must log in to the CiscoWorks desktop using an account with administrative privileges.

To restore the database, follow these steps:


Step 1 Select VPN/Security Management Solution > Administration > Common Services > Restore Database from the navigation tree.

The Restore Database page appears.

Step 2 Specify the path to the directory where the backup is stored. You can specify the directory in one of two ways:

Enter the path in the Backed-up Archive field.

Click Select and browse to the directory. To change drives, enter the drive letter in the field.


Note The Backed-up Archive field displays the last backup performed. If no backups have been performed, the Backed-up Archive field is blank.


You can also specify which backup in the directory to use. If you do not, the system selects the most recent backup in the directory.

Step 3 To specify that you want to send an e-mail to designated recipients each time the database is restored, select the Email Notification check box, and enter an e-mail address in the field.


Note If you have specified a default e-mail address on the Preferences page, that address appears in the Email Notification field by default. You can add additional recipients by separating e-mail addresses with a comma.


Step 4 Click Finish.

A message box provides the status of the database restore.

Step 5 Click OK to close the message box.

Step 6 Restart the system services:

a. Select Server Configuration > Administration > Process Management > Stop Process from the navigation tree.

The Stop Process page appears.

b. Select System in the stop column.

c. Click Finish.

The Process Status page appears.

d. Select Server Configuration > Administration > Process Management > Start Process from the navigation tree.

The Start Process page appears.

e. Select System in the start column.

f. Click Finish.

The Process Status page appears.
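The following is an added example serving both the Backing Up the Database and Restoring the Database procedures above; it is not part of the original page or of CiscoWorks. It relies only on what the page states: each backup is written to a subdirectory named yyyymmddhhmmss under the backup directory. It finds the newest such subdirectory, copies it to a second location as the Note under Backing Up the Database recommends, records a SHA-256 manifest of every file, and verifies that manifest, which is the check to run before pointing the Restore Database page at a copy. The manifest name and location, the destination path, and the sample file names (including idsmdc.db) are assumptions; the manifest is written beside the backup directory rather than inside it so that nothing is added to the tree the restore reads.

```python
"""Copy the newest CiscoWorks backup off the server and record a SHA-256 manifest.

Added example, not product code. It relies only on the page's statement that each
backup is stored in a subdirectory named yyyymmddhhmmss. Manifest name/location,
destination path and sample file names are assumptions.
"""
import hashlib
import os
import re
import shutil
import tempfile

BACKUP_DIR_RE = re.compile(r"^\d{14}$")  # yyyymmddhhmmss, as the page describes


def latest_backup(backup_root):
    """Return the newest yyyymmddhhmmss subdirectory under backup_root, or None."""
    names = [n for n in os.listdir(backup_root)
             if BACKUP_DIR_RE.match(n) and os.path.isdir(os.path.join(backup_root, n))]
    return os.path.join(backup_root, max(names)) if names else None  # lexical == chronological


def manifest_path(backup_dir):
    """Assumed convention: the manifest sits beside the backup directory, never inside it."""
    backup_dir = os.path.normpath(backup_dir)
    return os.path.join(os.path.dirname(backup_dir), os.path.basename(backup_dir) + ".sha256")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(backup_dir):
    """Relative POSIX-style paths of every file under backup_dir, sorted."""
    rels = []
    for dirpath, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rels.append(os.path.relpath(full, backup_dir).replace(os.sep, "/"))
    return sorted(rels)


def write_manifest(backup_dir):
    """Hash every file in the backup into <backup_dir>.sha256; return the file count."""
    rels = list_files(backup_dir)
    with open(manifest_path(backup_dir), "w") as fh:
        for rel in rels:
            fh.write(f"{sha256_file(os.path.join(backup_dir, rel))}  {rel}\n")
    return len(rels)


def verify_manifest(backup_dir):
    """True only if the manifest exists and the backup holds exactly the listed files, hashes matching."""
    path = manifest_path(backup_dir)
    if not os.path.isfile(path):
        return False
    expected = {}
    with open(path) as fh:
        for line in fh:
            digest, rel = line.rstrip("\n").split("  ", 1)
            expected[rel] = digest
    if set(expected) != set(list_files(backup_dir)):
        return False  # a file was added or removed since the manifest was written
    return all(sha256_file(os.path.join(backup_dir, rel)) == digest
               for rel, digest in expected.items())


def copy_latest_offbox(backup_root, dest_root):
    """Copy the newest backup into dest_root, write its manifest, verify; return (dest, file count)."""
    src = latest_backup(backup_root)
    if src is None:
        raise FileNotFoundError(f"no yyyymmddhhmmss backup directories under {backup_root}")
    dest = os.path.join(dest_root, os.path.basename(src))
    shutil.copytree(src, dest)
    count = write_manifest(dest)
    if not verify_manifest(dest):
        raise RuntimeError("manifest failed to verify immediately after the copy")
    return dest, count


def demo():
    """Constructed sample backup tree: copy the newest backup, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root, offbox = os.path.join(tmp, "backup"), os.path.join(tmp, "offbox")
        os.makedirs(offbox)
        for stamp, content in (("20040101120000", b"old"), ("20040201120000", b"new")):
            os.makedirs(os.path.join(root, stamp, "db"))
            with open(os.path.join(root, stamp, "db", "idsmdc.db"), "wb") as fh:  # constructed name
                fh.write(content)
            with open(os.path.join(root, stamp, "backup.log"), "w") as fh:
                fh.write("ok\n")
        dest, count = copy_latest_offbox(root, offbox)
        intact = verify_manifest(dest)
        with open(os.path.join(dest, "db", "idsmdc.db"), "ab") as fh:
            fh.write(b"x")  # simulate corruption or tampering of the off-box copy
        return os.path.basename(dest), count, intact, verify_manifest(dest)
```

On the server, a call such as copy_latest_offbox(r"X:\Program Files\CSCOpx\MDC\backup", r"\\backuphost\share") (paths assumed) after a scheduled backup completes produces the off-box copy, and verify_manifest on that copy is the check to run before a restore. A manifest stored next to the copy detects corruption and careless tampering, but anyone who can write to the copy can also rewrite the manifest, so keep the manifest's own digest (or a signed copy of it) somewhere the backup account cannot write.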


Specifying File Management Settings

The File Management page provides you with a way to monitor the size of log files and forensics data generated by Security Monitor. You can monitor the current disk usage (data size) of files and set the maximum disk usage limits for each file type.

On the File Management page, you can view the status of the following file types:

IDS Pruning Archive Files—Includes the archive files generated by the pruning process. The default maximum limit is 20 percent of your free disk space when you install Security Monitor.

IP Log Archive Location—Includes the packet data that is imported from a sensor and stored on the Security Monitor server. The default maximum limit is 20 percent of your free disk space when you install Security Monitor.

IDS Daemon Log Files—Includes the daemon log files. The default maximum limit is 13 MB.

IDS Database Files—Includes the transaction log file for the Security Monitor database. The default maximum limit is 8 GB.

A green status icon indicates that the file size is within the allotted size limit. A red status icon indicates that the file size has exceeded the allotted size limit.

To specify the file management settings, follow these steps:


Step 1 Select Admin > Data Management > Files.

The File Management page appears.

Step 2 Enter a value in the Limit column to change the size limit for a file type.

Step 3 Click the name of a file type in the Name column to view a detailed report of the current disk space usage.

The Details Report appears in a new window.