Using Command-Line Utilities
Monitoring Center for Security (Security Monitor) includes several command-line utilities for working with the database and with event data.
• Import Utilities
  – IdsImportArchivedData.exe—Allows import of data archived by the pruning utility into the database.
  – IdsImportIdiom.exe—Allows import of files containing Idiom and SDEE XML data into the database. Use this utility to import data from Cisco Intrusion Prevention System Sensors based on version 4.x and later sensor software and Cisco Security Agents. You can also use this utility to import data exported from Security Monitor using the Alarm Export utility (IdsAlarms.exe).
  – IdsImportNrLog.exe—Allows import of files containing legacy NrLog data (from Cisco Intrusion Prevention System Sensors based on version 3.x sensor software) into the database.
• Export Utility
  – IdsAlarms.exe—Allows export of Cisco Security Agent and IDS event data. Data can be exported in the following formats:
    – Idiom—Cisco Security Agent data and data from Cisco Intrusion Prevention System Sensors based on version 4.0 or later sensor software.
    – SDEE—Data from Cisco Intrusion Prevention System Sensors based on version 4.0 or later sensor software.
• Conversion Utilities
  – IdsConvertArchive11_12.exe—Converts data output by the Security Monitor 1.1 pruning utility to data that can be imported by Security Monitor 1.2 using IdsImportArchivedData.exe.
  – IdsConvertArchive12_20.exe—Converts data output by the Security Monitor 1.2 pruning utility to data that can be imported by Security Monitor 2.0 using IdsImportArchivedData.exe.
  – IdsConvertArchive20_21.exe—Converts data output by the Security Monitor 2.0 pruning utility to data that can be imported by Security Monitor 2.1 using IdsImportArchivedData.exe.
• Database Compacting Utility
  – IdsDbCompact—Reduces the physical size of your database by returning all empty disk space to the operating system. It does this by unloading the original database, creating a new database, and then populating the new database with the valid data from the old database.
This chapter contains the following topics:
• Using the Alarm Export Utility
• Importing Event Data
• About the Conversion Utilities
• Compacting the Database
Using the Alarm Export Utility
The Alarm Export utility (IdsAlarms.exe) is a command-line utility that provides external access to events stored in the database. You can use the Alarm Export utility to perform the following tasks:
• Read events from the database and output them to an archive file.
• Mark events for deletion from the database.
• Unmark events currently marked for deletion in the database.
Note
IdsAlarms.exe is for output only.
The IdsAlarms.exe file is located in the <install_path>/CSCOpx/MDC/bin/ids folder. By default, if you run the utility without selecting any options, all network IDS events in the database are displayed on the screen in IDIOM XML format.
Note
If you generate an archive file on a Windows-based server and want to open that file on a UNIX-based server, you must first run the dos2unix command from the Solaris command line. To open an archive file generated on a UNIX-based server on a Windows-based server, you must run the unix2dos command from the Solaris command line before copying the archive file to the Windows server.
Command Syntax
IdsAlarms [-f"filename"] [-l<level>] [-o<format>] [-s<"clause">]
[-a<outputType>] [-d] [-u] [-z]
Output Options
-f<"filename">
  (Optional) Outputs data to the specified filename. By default, output goes to the screen.
  Note If you specify -z, -f is ignored.
-z
  (Optional) Suppresses output to allow marking for deletion without any output.
  Note If you specify -z, -f is ignored.
-o<format>
  (Optional) Specifies the format of the output. The following output formats are available:
  • I—Specifies IDIOM XML format (default).
  • s—Specifies SDEE XML format.
Record Deletion Options
-d
  (Optional) Marks the event records processed by the utility for deletion from the database. The event records are not deleted from the database. Records marked for deletion are no longer seen by Event Viewer or the Alarm Export Utility.
-u
  (Optional) Unmarks all event records marked for deletion in the database.
Record Selection Options
-l<level>
  Specifies the minimum severity level of context data that is included in the output. You can use the following values to specify <level>:
  • h—High severity.
  • m—Medium severity.
  • l—Low severity.
  • I—Informational severity.
  By default, all events are displayed.
-s<"clause">
  A selection clause that is passed verbatim to the database as part of the SQL query. See the following examples:
  • <"sig_id > 1000">
  • <"event_storage_time > 'Jan 24, 2002'">
Data Type Options
-a<outputType>
  (Optional) Specifies the type of events to be output. This option is valid only for Idiom events because that is the only format where Security Agent MC events can be output. The valid output types are:
  • n—Network IDS events are output.
  • c—Security Agent MC events are output.
  By default, network IDS events are output.
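Because the -s clause reaches the database as part of the SQL query, a script that wraps IdsAlarms should assemble the clause from typed values rather than from operator-supplied text. The following Python is an added example, not Cisco's code; the function names are hypothetical, it uses only the options and the two column names (sig_id, event_storage_time) shown above, and joining two conditions with AND is an assumption.

```python
import datetime as dt
import re

# Option values exactly as listed in the option tables above.
LEVELS = ("h", "m", "l", "I")
FORMATS = ("I", "s")
EVENT_TYPES = ("n", "c")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# Conservative allowlist for the output path: no quotes or shell metacharacters.
SAFE_PATH = re.compile(r"[A-Za-z0-9_ .:\\/-]+")


def selection_clause(min_sig_id=None, stored_after=None):
    """Build the -s clause from typed values; free text never reaches the SQL query."""
    parts = []
    if min_sig_id is not None:
        # bool is a subclass of int, so exclude it explicitly.
        if isinstance(min_sig_id, bool) or not isinstance(min_sig_id, int) or min_sig_id < 0:
            raise ValueError("sig_id bound must be a non-negative integer")
        parts.append(f"sig_id > {min_sig_id}")
    if stored_after is not None:
        if not isinstance(stored_after, dt.date):
            raise ValueError("stored_after must be a datetime.date")
        d = stored_after
        # Date literal in the same form as the page's example, built without locale lookups.
        parts.append(f"event_storage_time > '{MONTHS[d.month - 1]} {d.day}, {d.year}'")
    # Assumption: conditions are combined with AND (the page shows single conditions only).
    return " AND ".join(parts)


def build_export_command(filename=None, level=None, fmt="I", event_type="n",
                         min_sig_id=None, stored_after=None,
                         mark_for_deletion=False, suppress_output=False):
    """Return an IdsAlarms command line in the documented -x"value" form."""
    if fmt not in FORMATS or event_type not in EVENT_TYPES:
        raise ValueError("unknown -o or -a value")
    if level is not None and level not in LEVELS:
        raise ValueError("unknown -l value")
    if event_type == "c" and fmt != "I":
        raise ValueError("Security Agent MC events (-ac) require Idiom output (-oI)")
    if suppress_output and filename is not None:
        raise ValueError("-f is ignored when -z is given; pass only one of them")
    if filename is not None and not SAFE_PATH.fullmatch(filename):
        raise ValueError("output path contains characters outside the allowlist")
    args = ["IdsAlarms"]
    if filename is not None:
        args.append(f'-f"{filename}"')
    if level is not None:
        args.append(f"-l{level}")
    args += [f"-o{fmt}", f"-a{event_type}"]
    clause = selection_clause(min_sig_id, stored_after)
    if clause:
        args.append(f'-s"{clause}"')
    if mark_for_deletion:
        args.append("-d")
    if suppress_output:
        args.append("-z")
    return " ".join(args)
```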
Importing Event Data
You can import event data into Security Monitor from a variety of sources. This allows you to import archive files from legacy applications, such as CSPM and Director, data from Cisco Intrusion Prevention System Sensors based on version 3.x sensor software, and also archive files. After you import the data into Security Monitor, you can view the event data in Event Viewer and generate reports based on the event data.
You use a specific command-line utility to import each file type into Security Monitor. Table A-1 shows which import utility to use for each archive file type.
Table A-1 Import Utility Use
File Type: IDIOM
Description: IDIOM files are XML-based files that contain event data. They can be created by the following sources:
• Cisco Intrusion Prevention System sensors based on version 4.x and 5.x sensor software
• Security Agent MC servers
• The Alarm Export utility (IdsAlarms.exe)
• Security Monitor servers
Import Utility: IdsImportIdiom
File Type: NrLog
Description: NrLog files are text files that contain event data. NrLog event data can be created by the following sources:
• postoffice devices, such as IDS Sensors based on the 3.x sensor software
• CSPM
• Director
• the Alarm Export utility (IdsAlarms.exe) when used with the -on option.
Note NrLog files produced by the Alarm Export utility do not contain event data from 4.x sensors or Security Agent MCs.
Import Utility: IdsImportNrLog
Note IdsImportNrLog is for import only.
File Type: Pruning Archive
Description: Pruning archive files are CSV text files. They can contain the following types of data:
• NIDS (Network IDS events)
• Firewall (PIX Firewall and Firewall Service Module events)
• CSA (CSA Host IDS events)
• Audit log (System events)
Note You can import audit log files upgraded from the Security Monitor 1.2 database. However, in Security Monitor 2.0 or later, you can no longer archive audit log data.
Pruning archive files are created by the Pruning Daemon (IDS_DatabasePrune).
Import Utility: IdsImportArchivedData
File Type: SDEE
Description: SDEE files are XML-based files that contain event data. They can be created by the following sources:
• Cisco Intrusion Prevention System sensors based on version 5.x sensor software
• Security Monitor servers
Import Utility: IdsImportIdiom
Before running any of the import utilities, you must stop the IDS_Receiver service. After running the import utilities, you must restart the IDS_Receiver service. The IDS_Receiver service cannot be stopped or restarted from the command line; you must stop and restart it from the CiscoWorks desktop. While the service is stopped, Security Monitor cannot receive any new event data from monitored devices.
This section contains the following topics:
• About the ImportNrLog Utility
• About the IdsImportIdiom Utility
• About the IdsImportArchivedData Utility
• Using the Import Utilities
About the ImportNrLog Utility
The ImportNrLog utility (IdsImportNrLog.exe) is a command-line utility used to import NrLog event data into the database. After you import the event data, you can view the event data in Event Viewer and generate reports based on the event data. The IdsImportNrLog.exe file is located in the <install>/CSCOpx/MDC/bin/ids folder, where <install> is the drive and directory where Security Monitor is installed. NrLog event data can be created by the following sources:
• postoffice devices, such as IDS Sensors based on the 3.x sensor software
• CSPM
• Director
Note
You must stop the Receiver Daemon (IDS_Receiver) service before using this utility.
Command Syntax
IdsImportNrLog [-f"<filename>"] [-I] [-t] [-d] [-h]
Command Options
Note
All command options are optional. However, you must specify either -f or -I.
-f"<filename>"
  Specifies the file to be imported into the database. If you do not specify this option, you must specify -I.
-I
  Specifies that input is read from stdin. If you do not specify this option, you must specify -f.
-t
  Specifies that the event time (event_storage_time) used for the event is the original time that the event was stored in the database.
  By default, event_storage_time is set to the current time that the event is imported into the database. Using the default value may cause issues when viewing events in Event Viewer because the original event time does not appear.
  Tip  We recommend using this option.
-d
  Disables the interface to the Daemon Manager. The Daemon Manager verifies that the IDS_Receiver service has been stopped. Bypassing the check enables you to run the utility without stopping the IDS_Receiver service. However, if you select this option, and have not stopped the IDS_Receiver service, you will have problems receiving future events.
  Caution  We do not recommend that you use this option.
-h
  Displays help for the utility.
About the IdsImportIdiom Utility
The IdsImportIdiom utility (IdsImportIdiom.exe) is a command-line utility used to import XML event data that is stored in IDIOM or SDEE format. After you import the event data, you can view the event data in Event Viewer and generate reports based on the event data. XML data can be generated by the following sources:
• Cisco Intrusion Prevention System Sensors based on version 4.x and 5.x sensor software
• Security Agent MC servers
• The Alarm Export utility (IdsAlarms.exe)
• Security Monitor servers
Note
You must stop the Receiver Daemon (IDS_Receiver) before using this utility.
Command Syntax
IdsImportIdiom [-f"<filename>"] [-I] [-t] [-d] [-h]
Command Options
Note
All command options are optional. However, you must specify either -f or -I.
-f"<filename>"
  Specifies the file to be imported into the database. If you do not specify this option, you must specify -I.
-I
  Specifies that input is read from stdin. If you do not specify this option, you must specify -f.
-t
  Specifies that the event time (event_storage_time) used for the event is the original time that the event was stored in the database.
  By default, event_storage_time is set to the current time that the event is imported into the database. Using the default value may cause issues when viewing events in Event Viewer because the original event time does not appear.
  Tip  We recommend using this option.
-d
  Disables the interface to the Daemon Manager. The Daemon Manager verifies that the IDS_Receiver service has been stopped. Bypassing the check enables you to run the utility without stopping the IDS_Receiver service. However, if you select this option, and have not stopped the IDS_Receiver service, you will have problems receiving future events.
  Caution  We do not recommend that you use this option.
-h
  Displays help for the utility.
About the IdsImportArchivedData Utility
The IdsImportArchivedData utility (IdsImportArchivedData.exe) is a command-line utility used to import data from archives that were produced by the Pruning Daemon (IDS_DatabasePrune).
Note
You must stop the Receiver Daemon (IDS_Receiver) before using this utility.
Tip
If the system is busy and the IdsImportArchivedData utility is not functioning as expected, stop the IDS_DatabasePrune Daemon and the IDS_Analyzer Daemon. Then, run the IdsImportArchivedData utility again.
Command Syntax
IdsImportArchivedData -r"TableList" -t"archiveDirectoryName"
[-w"directoryName"] [-d] [-v]
Required Options
-r "TableList"
  Specifies the type of data to import. Multiple types of data can be listed in a comma-delimited format. You can use the following TableList values:
  • nids—Applies options to the network IDS event table.
  • csa—Applies options to the records in the Security Agent MC event table.
  • firewall—Applies options to the Firewall event table.
  For example, to import the network IDS and Firewall tables, enter -r"nids,firewall".
-t"archiveDirectoryName"
  Specifies the archive directory name. The archiveDirectoryName is the Date/Time when the archive was written. It is of the form MMDDYYYY_HHmmSS. For example, the format of archiveDirectoryName should be 12122003_232751.
Optional Options
-w"directoryPath"
  Specifies the location of the archive files. For example, the format of directoryPath should be <installPath>/CSCOpx/MDC/Sybase/Db/IDS/AlertPruneData.
  Do not use a filename with this option. If you omit this option, the utility uses the path specified in the database for archive output.
-d
  Disables the interface to the Daemon Manager service, which verifies that the IDS_Receiver service has been stopped. Bypassing the check enables you to run the utility without stopping the IDS_Receiver service. However, if you select this option, and have not stopped the IDS_Receiver service, you will encounter problems receiving future events.
  Caution  We do not recommend that you use this option.
-v
  Specifies verbose output during command execution.
Using the Import Utilities
Importing event data from SDEE, IDIOM, and NrLog archive files enables you to view the data in Event Viewer and generate reports based on the imported data.
Note
Because you must stop the IDS_Receiver service to import event data, Security Monitor cannot receive new event data while you perform this procedure.
To import event data into Security Monitor, follow these steps:
Step 1  Stop the IDS_Receiver service. For more information, see Stopping and Starting the IDS_Receiver Service.
Note  You can stop this service through the CiscoWorks desktop interface or by using a command-line option.
Step 2  Open a command prompt on the Security Monitor server.
Step 3  To import event data, do one of the following:
• To import event data from an NrLog file, enter IdsImportNrLog [-f"<filename>"] at the prompt, where <filename> is the full path and filename of your input file.
• To import event data from an IDIOM file, enter IdsImportIdiom [-f"<filename>"] at the prompt, where <filename> is the full path and filename of your input file.
• To import event data from a pruning archive file, enter IdsImportArchivedData -r"TableList" -t"archiveDirectoryName" [-w"directoryName"] at the command prompt, where TableList is the type of data to import, archiveDirectoryName is the name of the archive directory, which includes the Date/Time when the archive was written, and directoryName is the path to the directory where the archive is located.
Step 4  Restart the IDS_Receiver service.
Note  You can start this service through the CiscoWorks desktop interface or by using a command-line option.
Stopping and Starting the IDS_Receiver Service
You must stop the IDS_Receiver service before using the following utilities:
• IdsImportNrLog
• IdsImportIdiom
• IdsImportArchivedData
After running the utilities, you need to restart the service.
To stop or start the receiver service, follow these steps:
Step 1  To stop the receiver service, follow these steps:
a. Select Server Configuration > Administration > Process Management > Stop Process from the CiscoWorks desktop.
The Stop Process page appears.
Figure A-1 Stop Process page with IDS_Receiver Selected
b. Select IDS_Receiver from the Process list box.
c. Click Finish.
Tip  You can also stop the receiver service using the following command-line option: pdterm IDS_Receiver.
The IDS_Receiver service stops.
Step 2  To start the receiver service, follow these steps:
a. Select Server Configuration > Administration > Process Management > Start Process from the CiscoWorks desktop.
b. Select IDS_Receiver from the Process list box.
c. Click Finish.
Tip  You can also start the receiver service using the following command-line option: pdexec IDS_Receiver.
The IDS_Receiver service starts.
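Security Monitor receives no events while IDS_Receiver is stopped, so an automated import should restart the receiver even when the import itself fails. The following Python is an added example, not Cisco's code; the function names are hypothetical, and it assumes that pdterm, pdexec and the import utility are on PATH and that the quotes in the documented syntax are shell quoting (so argv carries none).

```python
import datetime as dt
import re
import subprocess

IMPORT_TABLES = ("nids", "csa", "firewall")  # TableList values listed on this page


def archived_data_argv(tables, archive_dir_name, directory=None):
    """Validate the two required options and return argv for IdsImportArchivedData."""
    tables = list(tables)
    if not tables or any(t not in IMPORT_TABLES for t in tables):
        raise ValueError(f"TableList must be drawn from {IMPORT_TABLES}")
    # archiveDirectoryName has the form MMDDYYYY_HHmmSS, for example 12122003_232751.
    if not re.fullmatch(r"[0-9]{8}_[0-9]{6}", archive_dir_name):
        raise ValueError("archive directory name must look like MMDDYYYY_HHmmSS")
    dt.datetime.strptime(archive_dir_name, "%m%d%Y_%H%M%S")  # rejects impossible dates
    # Assumption: the quotes in -r"..." are shell quoting, so argv carries none.
    argv = ["IdsImportArchivedData", "-r" + ",".join(tables), "-t" + archive_dir_name]
    if directory is not None:
        argv.append("-w" + directory)
    return argv


def import_with_receiver_stopped(import_argv, run=None):
    """Stop IDS_Receiver, run one import, always restart; return seconds the receiver was down."""
    if "-d" in import_argv:
        # -d skips the Daemon Manager check that the receiver is stopped.
        raise ValueError("refusing -d: it bypasses the IDS_Receiver check")
    if run is None:
        run = lambda argv: subprocess.run(argv, check=True)
    run(["pdterm", "IDS_Receiver"])          # a failed stop aborts before any import
    stopped_at = dt.datetime.now()
    try:
        run(import_argv)
    finally:
        # Runs on success and on failure, so the event feed is never left down.
        run(["pdexec", "IDS_Receiver"])
    return (dt.datetime.now() - stopped_at).total_seconds()
```

Logging the returned duration records how long the monitoring gap lasted for each import.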
About the Conversion Utilities
Use the conversion utility to upgrade pruning archive files so that they can be imported by a later version of Security Monitor. Security Monitor includes the following conversion utilities:
• The Security Monitor 1.1 to 1.2 Data Conversion Utility (IdsConvertArchive11_12.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 1.1 to the Security Monitor 1.2 database format.
• The Security Monitor 1.2 to 2.0 Data Conversion Utility (IdsConvertArchive12_20.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 1.2 to the Security Monitor 2.0 database format.
• The Security Monitor 2.0 to 2.1 Data Conversion Utility (IdsConvertArchive20_21.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 2.0 to the Security Monitor 2.1 database format.
Using the Security Monitor 1.1 to 1.2 Data Conversion Utility
The Security Monitor 1.1 to 1.2 Data Conversion Utility (IdsConvertArchive11_12.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 1.1 to the Security Monitor 1.2 database format. You can then import Security Monitor 1.1 data into the Security Monitor 1.2 database.
Command Syntax
IdsConvertArchive11_12 <-r"Tablelist"> <-t"date_time">
[-w"directoryName"] [-v]
Required Options
-r"TableList"
  Applies options to the specified tables. Multiple tables can be listed in a comma-delimited format. You can use the following Tablelist values:
  • syslog—Applies options to the syslog event table.
  • alert—Applies options to the records in the network IDS event table.
  • auditlog—Applies options to the audit log table.
  For example, to apply the options to the syslog and network IDS event tables, enter -r"alert,syslog".
-t"MM/DD/YYYY,HH:mm"
  Specifies the Date/Time portion of the filename to convert. For example, if the file to convert is named alert_11072002_121647.txt, the date_time should be 11072002_121647.
Optional Options
-w"dirname"
  Specifies the directory where previously exported Security Monitor 1.1 data resides. Assumes current directory if none listed.
-v
  Specifies verbose mode.
Using the Security Monitor 1.2 to 2.0 Data Conversion Utility
The Security Monitor 1.2 to 2.0 Data Conversion Utility (IdsConvertArchive12_20.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 1.2 to the Security Monitor 2.0 database format. You can then import Security Monitor 1.2 data into the Security Monitor 2.0 database.
Command Syntax
IdsConvertArchive12_20 <-r"Tablelist"> <-t"date_time">
[-w"directoryName"] [-d"dbVersion"] [-v]
Required Options
-r"TableList"
  Applies options to the specified tables. Multiple tables can be listed in a comma-delimited format. You can use the following Tablelist values:
  • syslog—Applies options to the syslog event table.
  • alert—Applies options to the records in the network IDS event table.
  • auditlog—Applies options to the audit log table.
  For example, to apply the options to the syslog and network IDS event tables, enter -r"alert,syslog".
-t"MM/DD/YYYY,HH:mm"
  Specifies the Date/Time portion of the filename to convert. For example, if the file to convert is named alert_11072002_121647.txt, the date_time should be 11072002_121647.
Optional Options
-w"dirname"
  Specifies the directory where previously exported Security Monitor 1.1 data resides. Assumes current directory if none listed.
  The Security Monitor 2.0 output file is written to a subdirectory of the specified data directory. The subdirectory is named with the Date/Time (MMDDYYYY_HHMMSS) taken from the filename.
-d"dbVersion"
  Specifies the database version of the original archive file. This information is part of the filename. For example, if the filename is alert_1-2-3_11072002_121647.txt, the dbVersion should be 1-2-3. The default value is 1-2.
-v
  Specifies verbose mode.
Using the Security Monitor 2.0 to 2.1 Data Conversion Utility
The Security Monitor 2.0 to 2.1 Data Conversion Utility (IdsConvertArchive20_21.exe) is a command-line utility that enables you to upgrade pruning archive files from Security Monitor 2.0 to the Security Monitor 2.1 database format. You can then import Security Monitor 2.0 data into the Security Monitor 2.1 database.
Command Syntax
IdsConvertArchive20_21 <-r"Tablelist"> <-t"date_time">
[-w"directoryName"] [-d"dbVersion"] [-v]
Required Options
-r"TableList"
  Applies options to the specified tables. Multiple tables can be listed in a comma-delimited format. You can use the following Tablelist values:
  • syslog—Applies options to the syslog event table.
  • alert—Applies options to the records in the network IDS event table.
  • auditlog—Applies options to the audit log table.
  For example, to apply the options to the syslog and network IDS event tables, enter -r"alert,syslog".
-t"MM/DD/YYYY,HH:mm"
  Specifies the Date/Time portion of the filename to convert. For example, if the file to convert is named alert_11072002_121647.txt, the date_time should be 11072002_121647.
Optional Options
-w"dirname"
  Specifies the directory where previously exported Security Monitor 2.0 data resides. Assumes current directory if none listed.
  The Security Monitor 2.1 output file is written to a subdirectory of the specified data directory. The subdirectory is named with the Date/Time (MMDDYYYY_HHMMSS) taken from the filename.
-d"dbVersion"
  Specifies the database version of the original archive file. This information is part of the filename. For example, if the filename is nids_2-0-2_03132005_115821.txt, the dbVersion should be 2-0-2. The default value is 2-0.
-v
  Specifies verbose mode.
Compacting the Database
The current database internally marks available disk space but does not return the space to the operating system. That means a database will never get smaller. Instead, the database reuses the space for deleted records. To return unused disk space to the operating system and reduce the size of the database, you need to use the IdsDbCompact command-line utility.
You can free up additional space by truncating the Sybase Database .log file.
This section contains the following topics:
• About the IdsDbCompact Utility
• Using the IdsDbCompact Utility
• Truncating the Sybase Database .log file
About the IdsDbCompact Utility
The IdsDbCompact utility reduces the physical size of your database by returning all empty disk space to the operating system. It does this by unloading the original database, creating a new database, and then populating the new database with the valid data from the old database.
You run the IdsDbCompact utility from the command line of the Security Monitor server. You must stop the CiscoWorks2000 Server services before you run this utility. After the utility completes, restart the CiscoWorks2000 Server services.
Command Syntax
IdsDbCompact [-c "<dir>"] [-r] [-u "<dir>"] [-v]
Command Options
Note
All command options are optional.
-c "dir"
  Specifies the directory where the new database is created. You can use this option to create the new database on another drive if the original drive is low on drive space. However, after the new database has been created and populated, it is moved back to the original database location.
  This option must point to an existing directory; it does not create the directory if it does not already exist.
  If this option is not specified, the new database is created in the same location as the original database.
-r
  Removes the original database after a successful compaction.
  If this option is not specified, the original database and database log file are not removed after the compaction is performed. Instead, they are renamed to idsmdc.db.orig and idsmdc.log.orig, respectively.
  Note If the idsmdc.db.orig and idsmdc.log.orig files exist in the database directory when you attempt to run the utility, the utility will not run.
  Caution  Using this option is not recommended. If an error occurs during the IdsDbCompact process, the original database and database log file provide a way to restore your working system. We recommend keeping the *.orig files until you verify that the compacted database is working. You can move the *.orig files to another disk drive if space is an issue. Without the *.orig files, you must recover a backup database file or reinstall Security Monitor.
-u "dir"
  Specifies the directory where the current database is unloaded. Use this option to unload the original database to another drive if the current drive is low on space. When the compaction is complete, this directory and its contents are automatically removed.
  This option will create the directory if the directory does not already exist.
  If this option is not specified, the utility defaults to the /unload directory, which is created under the directory where the original database is stored.
-v
  Specifies verbose output during command execution.
Examples
• To compact the database while saving a copy of the old database (as idsmdc.db.orig), enter the following command:
• To compact the database without saving a copy of the old database, enter the following command:
• To compact the database using a directory on the d: drive to unload the database, enter the following command:
IdsDbCompact.exe -u "d:\temp\unload"
Using the IdsDbCompact Utility
You can use the IdsDbCompact utility to decrease the physical size of your database. The IdsDbCompact utility must be run from the command line of the server.
Note
The CiscoWorks2000 Server web interface will be unavailable to all users while this utility is running.
Before You Begin
• You should back up your data before performing this procedure.
• Make sure that there are no idsmdc.db.orig and idsmdc.log.orig files from a previous compact in the current database directory. The utility will not run if they are present.
• Make sure there are no files in the directory that you specify as the unload directory. They will be deleted when you run the utility, and the directory will be removed when the utility has finished.
To compact your database, follow these steps:
Step 1  Open a command prompt on the server.
Step 2  Shut down the CiscoWorks Daemon Manager service:
• For a Windows server, enter net stop "CiscoWorks Daemon Manager" at the prompt.
• For a Solaris server, enter /etc/init.d/dmgtd stop at the prompt. After the services have stopped, you must also enter /opt/CSCOpx/MDC/bin/ids/rsema.sh to clean up unreleased semaphores.
Step 3  Enter IdsDbCompact at the prompt. You can use the following options with the utility:
• -c "dir"—Specifies the directory where the new database is created.
Note  This option must point to an existing directory. The utility does not create the directory. However, after the new database has been created and populated, it is moved back to the original database location.
• -u "dir"—Specifies the directory where the current database is unloaded. If this directory already exists, all files within the directory are erased when the utility runs, and the directory itself is removed when the utility finishes. If this directory does not exist, the utility creates it on startup and removes it when finished.
• -r—Removes the original database after a successful compaction.
• -v—Turns on verbose output during the running of the utility.
The utility displays the selected unload directory and the new database creation directory and asks if you want to proceed with the selected settings.
Step 4  Enter y to continue.
The database compact process begins. During the compact process, a series of informational messages appear on the screen. The command prompt appears when the process is complete. If you did not use the -r option, the original database and database log files are saved with the .orig extension.
Step 5  If you did not use the -r option, you should move the original database and log files, idsmdc.db.orig and idsmdc.log.orig, to another drive or another system. Those files will consume your existing disk space and will prevent you from running this utility again until they are moved.
Step 6  Restart the Daemon Manager service:
• For a Windows server, enter net start "CiscoWorks Daemon Manager" at the prompt.
• For a Solaris server, enter /etc/init.d/dmgtd start at the prompt.
You must wait for the services to complete their startup routines before accessing CiscoWorks2000 Server through the web interface.
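The "Before You Begin" conditions can be checked by a script before the Daemon Manager is shut down, which avoids taking the service down for a run that will refuse to start or that erases files in the unload directory. The following Python is an added example, not Cisco's code; the function names are hypothetical and the database directory is supplied by the caller.

```python
from pathlib import Path

ORIG_FILES = ("idsmdc.db.orig", "idsmdc.log.orig")  # names given on this page


def compact_preflight(db_dir, create_dir=None, unload_dir=None):
    """Return the reasons an IdsDbCompact run would fail or destroy files (empty list = go)."""
    db_dir = Path(db_dir)
    problems = []
    for name in ORIG_FILES:
        if (db_dir / name).exists():
            problems.append(f"{name} is still in {db_dir}; the utility will not run")
    if create_dir is not None and not Path(create_dir).is_dir():
        problems.append(f"-c directory {create_dir} does not exist and is not created")
    # Without -u the utility unloads to an "unload" directory under the database directory.
    unload = Path(unload_dir) if unload_dir is not None else db_dir / "unload"
    if unload.resolve() == db_dir.resolve():
        # Everything in the unload directory is erased when the utility runs.
        problems.append(f"unload directory {unload} is the database directory")
    elif unload.is_dir():
        doomed = sorted(p.name for p in unload.iterdir())
        if doomed:
            shown = ", ".join(doomed[:5])
            problems.append(f"{len(doomed)} item(s) in {unload} would be erased: {shown}")
    elif unload.exists():
        problems.append(f"{unload} exists but is not a directory")
    return problems


def compact_argv(create_dir=None, unload_dir=None, verbose=False):
    """Build the command without -r, so the *.orig copies remain as the rollback path."""
    argv = ["IdsDbCompact"]
    if create_dir is not None:
        argv += ["-c", str(create_dir)]
    if unload_dir is not None:
        argv += ["-u", str(unload_dir)]
    if verbose:
        argv.append("-v")
    return argv
```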
Truncating the Sybase Database .log file
The system uses log files for temporary data storage and for error messages and state information. Because log files reside on the same disk as the database, you must monitor them; also, you must manage their size by periodically truncating them to ensure that the database has enough room to operate. This procedure describes how to truncate the Sybase database .log file.
To truncate the Sybase database .log file, follow these steps:
Step 1  Ensure that the dbServer service is running on the server where the system is running:
a. In the window containing CiscoWorks (not the window containing Management Center for IPS Sensors (IPS MC) or Security Monitor), select Server Configuration > Administration > Process Management > Process Status.
The Process Status window appears. The Process Status window shows the status of all processes, with automatic processes in alphabetical order followed by transient processes in alphabetical order.
b. In the Process Name column, look for ASANYs_SqlCoreDB, which is the name of the dbServer service.
c. In the State column, look for an indication that the dbServer service is running, such as Program started - No mgt msgs received.
Step 2  Open a command window on the server where the system is running.
Step 3  Execute the following command:
dbbackup -xo -c "uid=idsmdc;pwd=<PASSWORD>;dbn=idsmdc;eng=sqlcoredbserver;links=tcpip{dobroadcast=no;host=localhost;port=10033}"
In this command, <PASSWORD> is the system database password supplied during installation.