Table of Contents
Maintaining Security MonitorConfiguring the Communications Settings
Maintaining the Database
About Executing a Script from a Database Rule or Event Rule
Adding a Database Rule
Viewing Database Rule Details
Editing a Database Rule
Deleting a Database Rule
Importing Alarm Data
About the IdsImportIdiom Utility
About the IdsImportArchivedData Utility
Stopping and Starting the IDS_Receiver Service
Using the Import Utilities
Backing Up the Database
Restoring the Database
Maintaining Security Monitor
This section describes how to maintain your Security Monitor server. Security Monitor server maintenance falls into the following categories:
- Communication—Settings for the e-mail server used by Security Monitor for notifications and the protocol settings used by Security Monitor to communicate with monitored devices.
- Database—Procedures for maintaining your database, including backup and restore and database size management.
- Signatures—Procedure for keeping IDS signatures and Network Security Database current.
Refer to the following topics for more information about maintaining your Security Monitor server:
Configuring the Communications Settings
You can set the following default communication settings:
- Specify E-mail Server—Specifies the e-mail server that Security Monitor uses for event notifications.
- Specify Postoffice Settings—Specifies the settings used to establish the communication infrastructure for Security Monitor and the IDS device.
- Specify SYSLOG Settings—Specifies the port that Security Monitor uses to monitor syslog messages. You can also specify the port to which syslog messages are forwarded.
Refer to the following topics for more information about configuring the communication settings:
Specifying an E-mail Server
You can specify the default e-mail server that Security Monitor uses for event notifications.
To specify e-mail server settings, follow these steps:
Step 1 Select Admin > System Configuration.
Step 2 Select E-mail Server from the TOC.
The E-mail Server page appears.
Step 3 Enter your e-mail server in the Server Name field. You can enter either an IP address or a domain name.
Step 4 To save your changes, click Apply.
The e-mail server you specify will be used to send event notifications.
Defining Postoffice Settings
The postoffice settings are used to establish the communication infrastructure for Security Monitor and the IDS device.
 |
Caution Any changes you make to the local postoffice settings are applied to the postoffice service running on the server. Therefore, the changes you make affect all applications using the postoffice service on that server. |
To define postoffice settings, follow these steps:
Step 1 Select Admin > System Configuration.
Step 2 Select Postoffice Settings from the TOC.
The Postoffice Settings page appears.
Step 3 To define postoffice settings, enter values in the following fields:
Step 4 To save your changes, click Apply.
The properties are used to establish communication between Security Monitor and the IDS device(s).
Syslog Settings
The options shown on the SYSLOG Settings page depend upon the platform your Security Monitor is running on. This is because Security Monitor for Windows and Security Monitor for Solaris differ in how they handle syslog messages:
- Security Monitor for Windows contains a syslog message receiver. You can configure the listening port and syslog message forwarding for that receiver using the web-based interface.
- Security Monitor for Solaris uses the Solaris syslog daemon to receive syslog messages. You need to use a command line utility to configure the syslog settings.
If you are unsure about the type of server you are using, simply look at the SYSLOG Settings page. The SYSLOG Settings page on Security Monitor for Windows contains editable fields. The SYSLOG Settings page on Security Monitor for Solaris does not; it contains the message "Use the utility /opt/CSCOpx/MDC/bin/ids/RxSyslogConf for syslog settings in solaris."
To configure the syslog setting for your particular platform, refer to the applicable topic:
Configuring Syslog Settings on a Windows Server
The SYSLOG Settings page contains options for changing the listening port of the syslog message receiver. It also contains the options for forwarding syslog messages.
Figure 7-1 Syslog Settings
For more information about configuring syslog options, refer to the following topics:
Changing the Syslog Listening Port
By default, Security Monitor uses UDP port 514 for monitoring syslog messages.
You can change the default listening port to avoid conflicts with other syslog monitoring software that may be installed on the server. After you change the listening port, verify that any devices already configured to forward syslog messages to Security Monitor are using the correct port.
 |
Note Security Monitor does not support TCP-based syslog monitoring. |
To change the syslog listening port, follow these steps:
Step 1 Select Admin > System Configuration.
Step 2 Select SYSLOG Settings from the TOC.
The SYSLOG Settings page appears.
Step 3 Enter the port number in the Listen on UDP Port field.
Step 4 To save your changes, click Apply.
Security Monitor uses the UDP port you specified to monitor syslog messages.
Forwarding SYSLOG Messages
Security Monitor can forward syslog messages to another port on the same server or to another syslog server.
To forward syslog messages, follow these steps:
Step 1 Select Admin > System Configuration.
Step 2 Select SYSLOG Settings from the TOC.
The SYSLOG Settings page appears.
Step 3 Select the Forward Syslog Messages check box.
Step 4 Enter the hostname or IP address of the target syslog server in the IP Address/Host Name field.
|
Note If a hostname is entered, it must resolve to an IP address when you apply the changes. If it does not, the system prompts you to correct the information. During syslog message forwarding, if the hostname cannot be resolved, an error message is logged in the Audit Log. |
If you want to forward the syslog messages to another port on the same server, enter localhost in the IP Address/Host Name field.
Step 5 Enter the target UDP port number in the Port field.
Step 6 To save your changes, click Apply.
All syslog messages are forwarded to the specified syslog server.
Configuring Syslog Settings on a Solaris Server
Security Monitor uses the syslog daemon, syslogd, on Solaris to collect syslog messages. These messages are then recorded in a syslog message file. Security Monitor then reads the events from the message file.
You cannot use Security Monitor for Solaris to change the syslog listening port number (port 514) or to forward syslog messages. However, you can change the syslog message file used by syslogd and Security Monitor, and you can manage the size of the message file by manually pruning the syslog messages from the file.
|
Note The Solaris syslog daemon can forward syslog messages to remote hosts. To learn how to forward syslog messages on a Solaris server, refer to your Solaris syslogd documentation. You cannot change the syslog listening port on the supported Solaris servers. |
You cannot configure these settings through the web interface. You must use the command-line utility RxSyslogConf to manage your syslog settings. Refer to the following topics to learn more about using RxSyslogConf to manage your syslog message file:
Changing the Syslog Message File
You can use the RxSyslogConf utility to change the syslog message file used by syslogd and Security Monitor. By default, syslog messages are saved to and read from the /var/log/syslog_receiver.log file. You use a different file at a different location, such as another drive, if you need to free some drive space.
When you change the syslog message file, you are actually pointing syslogd and Security Monitor to a different file (and creating that file if it does not already exist). The old syslog message file remains, and contains the syslog data previously received.
|
Note When you change the syslog message file, syslog services are temporarily disabled. |
To change the syslog message file, follow these steps:
Step 1 Open a command prompt on the server.
Step 2 Log in as root.
Step 3 Enter RxSyslogConf -c</path/filename>, where </path/filename> is the full path and filename of the new message file. There is no space between the -c and the path and filename. For example: RxSyslogConf -c/my_logs/syslogs/my_syslogs.log
When the command has finished, the message "syslog service starting appears". All incoming syslog messages are stored in and read from the new message file.
Pruning the Syslog Message File
Security Monitor automatically prunes your syslog message file whenever it reaches 16 MB. However, you may need to manually prune the file to temporarily free some disk space.
|
Note When you prune the syslog message file, syslog services are temporarily disabled. |
To manually prune the syslog log file, follow these steps:
Step 1 Open a command prompt on the server.
Step 2 Log in as root.
Step 3 Enter RxSyslogConf -p.
When the command has finished, the message "syslog service starting" appears. All syslog messages are removed from the message file.
About the RxSyslogConf Utility
The RxSyslogConf utility is used to manipulate the syslog message file. You can use the utility to change the syslog message file used by syslogd and Security Monitor, or you can use it to manually remove all syslog messages from the file. This utility is located in the /opt/CSCOpx/MDC/bin/ids/ directory.
You need root permissions to run the RxSyslogConf utility.
Maintaining the Database
Using Database Rules, you can manage the size of your database. Managing the size of the database maintains system performance. You can also view space allocation and event rates, create regular backups of the database, either on-demand or scheduled, and restore the backups if you need to recover system data.
Refer to the following topics for more information:
Using Database Rules
When the Security Monitor database becomes large, system performance may begin to degrade. How large the database can become depends upon many factors, including system specifications and the number and types of applications running on the system. Using database rules, you can automatically manage the size of your database, send notifications, log a console notification event, or execute a script when specific thresholds or intervals are met. Examples of database thresholds include if the database exceeds a certain size or if the database receives more than a defined number of events.
By managing the size of your database, you can maintain peak system performance. However, you will have to determine for your system which thresholds and intervals work for you. Security Monitor provides some default database rules that you can use as is, change, or use as a model for your own rules.
Default Database Rules
The Database Rules page contains the following three default database rules for pruning events:
- Default Alarm Pruning—When there are more than 2,000,000 events in the alerts table, the PruneDefault.pl script runs and deletes the oldest events from the table so that 1,800,000 events remain in the alerts table. This script prunes both the alerts table and the syslog table.
- Default Syslog Pruning—When there are more than 2,000,000 events in the syslog table, the PruneDefault.pl script runs and deletes the oldest events from the table so that 1,800,000 events remain in the syslog table. This script prunes both the alerts table and the syslog table.
- Default Audit Log Pruning—Runs once daily (scheduled by default for midnight) to archive and prune the audit log table; prunes the audit log table to 25,000 records; stores archives in the default archive directory (the same directory as alert pruning and syslog pruning).
 |
Tip Direct the output to a drive other than the database drive. |
You can edit and delete the default database rules, just like you can edit and delete the database rules that you manually add. For more information, see Editing a Database Rule and Deleting a Database Rule. For more information about the options you can use in the PruneDefault.pl script argument, see About Executing a Script from a Database Rule or Event Rule.
The archived data from the default database rules are saved in the X:/Program Files/CSCOpx/MDC/Sybase/Db/IDS/AlertPruneData folder, where X is the drive where Security Monitor is installed. However, you can change the default directory by editing the database rule.
Each database table is archived to a separate file. Security Monitor stores up to ten archive files. To avoid losing archived data, periodically copy the archive files to another folder.
About Executing a Script from a Database Rule or Event Rule
One of the actions you can select from the Choose the Actions page is Execute a Script. If you select Execute a Script, you must select a script from the Script File list box.
Security Monitor has the following scripts:
|
Tip All available scripts appear in the database rule wizard and the event rule wizard. However, the LegacyIf.pl script is applicable only to event rules. The remainder of the scripts should be used for database rules. |
- LegacyIf.pl—Provides an interface to the scripts. The LegacyIf.pl script executes a query against the database and outputs all matching alarms for the event filter to a temp file. It then finds the most recent alarm in the set, parses the alarm fields, and calls the Security Monitor script with the alarm field arguments.
|
Note The alarm data passed to the script is not necessarily the exact alarm that crossed the threshold due to the intervals used for threshold processing. |
|
Note Security Monitor provides local and UTC timestamps in time_t format, but this data is not available via the LegacyIf.pl script. These values are passed to the script as 0 every time. |
ScriptName "${Query}" ${MsgCount}
You can use the following options in the script argument:
-
- ScriptName (Required)—Specifies the full path to the script that you want to run. The script is a user-authored script that must be saved on the Security Monitor server. We recommend that you save it in the X:\Program Files\CSCOpx\MDC\etc\ids\scripts folder, where X is the drive where Security Monitor is installed.
- ${Query} (Required)—Specifies a time-bounded, syntactically correct SQL expression that can be used in the WHERE clause of a database query to select the set of alarms that caused the rule to trigger this time. You must surround this option in quotation marks (" ") for the script to execute correctly.
- ${MsgCount} (Required)—Specifies the number of matches that occurred in the current interval to trigger this rule.
- PruneDefault.pl—Prunes the table until the specified number of events remains. Pruning begins when the number of events in the table exceeds a defined amount. By default, the script orders the events in the table based on time and prunes the oldest events. Use as follows:
PruneDefault.pl number tablelist [-o] [-w"archive location"]
- number—Prunes the table to this number. The default is 1,800,000.
- tablelist—Specifies the type of table to be pruned. You can choose from the following table types:
- syslog—SYSLOG event table.
- alert—Alert table.
- auditlog—Audit log table.
- deploy—Deployment jobs table.
- sysconfig—System configuration table.
|
Caution Verify that the archive directory has sufficient disk space to store the archive data. If you use the PruneDefault.pl script to prune data from the database due to insufficient disk space, do not specify an archive directory on the same disk drive as the database. |
PruneByAge.pl age "tablelist" [-o] [-w"archive location"]
You can use the following options in the script argument:
- age—Specifies the number of days. The default is 20.
- tablelist—Specifies the type of table to be pruned. You can list multiple tables in a comma-delimited list. You can choose from the following table types:
- syslog—SYSLOG event table.
- alert—Alert table.
- auditlog—Audit log table.
- deploy—Deployment jobs table.
- sysconfig—System configuration table.
The default is all tables ("syslog,alert,auditlog,deploy,sysconfig").
|
Caution Verify that the archive directory has sufficient disk space to store the archive data. If you use the PruneByAge.pl script to prune data from the database due to insufficient disk space, do not specify an archive directory on the same disk drive as the database. |
PruneByDate.pl "date" "tablelist" [-o] [-w"archive location"]
You can use the following options in the script argument:
- date (Required)—Specifies the date to delete alarms on and before. The date format is "MM/DD/YYYY,HH:MM".
- tablelist—Specifies the type of table to be pruned. You can list multiple tables in a comma-delimited list. You can choose from the following table types:
- syslog—SYSLOG event table.
- alert—Alert table.
- auditlog—Audit log table.
- deploy—Deployment jobs table.
- sysconfig—System configuration table.
The default is all tables ("syslog,alert,auditlog,deploy,sysconfig").
|
Caution Verify that the archive directory has sufficient disk space to store the archive data. If you use the PruneByAge.pl script to prune data from the database due to insufficient disk space, do not specify an archive directory on the same disk drive as the database. |
PruneBySeverity.pl "severitylist" "tablelist" [-o] [-w"archive location"]
You can use the following options in the script argument:
The default is all tables ("syslog,alert,auditlog").
|
Caution Verify that the archive directory has sufficient disk space to store the archive data. If you use the PruneByAge.pl script to prune data from the database due to insufficient disk space, do not specify an archive directory on the same disk drive as the database. |
PruneMarkedForDeletion.pl "tablelist" [-o] [-w"archive location"]
You can use the following option in the script argument:
The default is all tables ("syslog,alert,auditlog").
|
Caution Verify that the archive directory has sufficient disk space to store the archive data. If you use the PruneByAge.pl script to prune data from the database due to insufficient disk space, do not specify an archive directory on the same disk drive as the database. |
PruneSpecifyCmdLine.pl -r"tablelist" [-p] [-t"date"] [-a#] [-s"severities"] [-w"dirname"] [-o]
You can use the following options in the script argument:
- -r"tablelist" (Required)—Specifies the type of table to be pruned. You can list multiple tables in a comma-delimited list. You can choose from the following table types:
- syslog—SYSLOG event table.
- alert—Alert table.
- auditlog—Audit log table.
- deploy—Deployment jobs table.
- sysconfig—System configuration table.
For example, -r"alert,syslog".
- -w"dirname" (Optional)—Outputs comma-delimited files to the specified directory. There is one file output for each table specified.
- -o (Optional)—Outputs all records to a file. No records are deleted if you select this option. You must also specify -w"dirname" for a location to save the output file.
Additionally, you can add your own custom scripts. To add a custom script, place your script file in the X:\Program Files\CSCOpx\MDC\etc\ids\scripts folder, where X is the drive where Security Monitor is installed. If you add your script to this folder, it appears in the Script File list box.
|
Caution Security Monitor cannot verify the validity of scripts or that scripts execute as expected. A poorly written custom script can potentially crash your system. |
Adding a Database Rule
When a user-defined database threshold is met or on daily intervals, Security Monitor can take an action that you define in a database rule. These actions include sending an e-mail notification, logging a console notification event, or executing a script.
To add a database rule, follow these steps:
Step 1 Select Admin > Database Rules.
The Database Rules page appears.
Step 2 Click Add.
The Specify the Trigger Conditions page appears.
Step 3 Enter a name for your database rule in the Rule Name field.
Step 4 Specify the threshold that triggers Security Monitor to take an action. You can specify one or more of the following triggers:
- To trigger an action when the database exceeds a specified size, select the Database used space greater than (megabytes) check box. Then, enter the database size, in megabytes, that will trigger the action.
- To trigger an action when the database free space is less that a specified size, select the Database freespace less than (megabytes) check box. Then, enter the database free space size, in megabytes, that will trigger the action.
- To trigger an action when the total number of IDS events in the database exceeds a specified number, select the Total IDS events check box. Then, enter the number of IDS events that will trigger the action.
- To trigger an action when the total number of syslog events in the database exceeds a specified number, select the Total SYSLOG events check box. Then, enter the number of syslog events that will trigger the action.
- To trigger an action when the total number of events in the database exceeds a specified number, select the Total events check box. Then, enter the number of events that will trigger the action.
- To trigger the action to occur daily, select the Daily beginning check box. Then, enter the date and time to start the action. The date is specified in month, day, and year format. The time is specified in hours, minutes, and seconds.
Step 5 To provide a description of the selected triggers, type a description in the Comment field.
Step 6 Click Next.
The Choose the Actions page appears.
Step 7 To send an e-mail notification when the specified threshold is met, follow these steps:
a. Select the Notify via Email check box.
b. Enter the e-mail address for the recipient in the Recipient(s) field. For multiple e-mail addresses, use a comma separated list.
Step 8 To log a console notification to the audit log when the specified threshold is met, follow these steps:
|
Tip To view the console notification messages, run the Console Notification Report on the Reports > Generate page. |
a. Select the Log a Console Notification Event check box.
b. Enter your user name in the User Name field.
Step 9 To execute a script when the specified threshold is met, follow these steps:
Step 10 After selecting all desired actions, click Finish.
Viewing Database Rule Details
This procedure provides the basic steps for viewing detail information for a database rule. You cannot edit database rules from the View Database Rule page.
To view a database rule, follow these steps:
Step 1 Select Admin Database Rules.
The Database Rules page appears.
Step 2 Click the radio button next to the database rule that you want to view.
Step 3 Click View.
The View Database Rule page appears. Detailed information about the rule appears in the View Database Rule text box.
Step 4 Click OK to return to the Database Rules page.
Editing a Database Rule
Editing a database rule is similar to creating a database rule. You edit database rules in the same manner that you create them.
To edit a database rule, follow these steps:
Step 1 Select Admin > Database Rule.
The Database Rules page appears.
Step 2 Click the radio button next to the database rule you want to edit, and then click Edit.
The Specify the Trigger Conditions page appears.
Step 3 Make any necessary changes to the fields that you want to revise. Click Next to access the Choose the Actions page to make changes.
Step 4 To save your changes, click Finish.
Deleting a Database Rule
You can delete unwanted database rules.
To delete a database rule, follow these steps:
Step 1 Select Admin > Database Rules.
The Database Rules page appears.
Step 2 Click the radio button next to the database rule that you want to delete.
Step 3 Click Delete.
 |
Warning You are not prompted to confirm the deletion. Additionally, you cannot recover a deleted database rule. |
The database rule is deleted from Security Monitor.
Exporting and Deleting Data
Security Monitor provides two utilities for exporting and deleting data from the database: the IdsAlarms utility and the IdsPruning utility. Both utilities provide similar features, but have the following differences:
- The IdsAlarms utility contains fewer options for specifying the events to archive or delete. However, it does provide more output format options than the IdsPruning utility. The IdsAlarms utility only operates on event data.
- The IdsPruning utility contains more options for specifying the events to archive. Additionally, the IdsPruning utility can operate on other information, such as the audit log data, in the database. However, the IdsPruning supports only one output option; you can only create archives using the pruning archive comma-separated-value format.
For more information about using the IdsAlarms and IdsPruning utilities, refer to the following topics:
Using the Alarm Export Utility
The Alarm Export utility (IdsAlarms.exe) is a command-line utility that provides external access to events stored in the database. You can use the Alarm Export utility to perform the following tasks:
- Read events from the database and output them to an archive file.
- Mark events for deletion from the database.
- "Unmark" events currently marked for deletion in the database.
- Delete events marked for deletion from the database.
|
Note NrLog files produced by the IdsAlarms utility do not contain event data from 4.x sensors or Security Agent MCs. You should only use this utility for 3.x and earlier sensors. |
The IdsAlarms.exe file is located in the <install_path>/CSCOpx/MDC/bin/ids folder. By default, if you run the utility without selecting any options, all network IDS events in the database are displayed on the screen.
Using the IDS Pruning Utility
The Ids Pruning utility (IdsPruning.exe) provides external command-line access to the database for pruning, and optionally archiving, events. You can use the Ids Pruning utility to perform the following tasks:
- Delete events from the database that were stored before a specified date.
- Delete events from the database that are older than a specified number of days.
- Delete events from the database that you marked for deletion in Event Viewer.
- Delete events of a specified severity from the database.
- Delete a specified number of events from the database. The oldest events are deleted.
- Archive events that you are about to delete in a comma-separated value format.
Use the IDS Pruning utility to control the database size by deleting events that you no longer need to save in the database. We recommend limiting the number of events in a database table to 3,000,000.
The IdsPruning.exe file is located in the <install_path>/CSCOpx/MDC/bin/ids folder, where X is the drive where Security Monitor is installed.
|
Importing Alarm Data
You can import alarm data into Security Monitor from a variety of sources. This allows you to import archive files from legacy applications, such as CSPM and Director, and also archive files produced by the IdsAlarms and IdsPruning export utilities. After you have imported the data into Security Monitor, you can view the data in Event Viewer and include the data in the generated reports.
You use a specific command-line utility to import each file type into Security Monitor. Table 7-1 show which import utility to use for each archive file type.
|
Before running any of the import utilities, you must stop the IDS_Receiver service. After running the import utilities, you must restart the IDS_Receiver service. The IDS_Receiver service cannot be stopped or restarted from the command line; it must be stopped and restarted from the CiscoWorks desktop. While the service is stopped, Security Monitor cannot receive any new alarm data from monitored devices.
About the ImportNrLog Utility
The ImportNrlog utility (IdsImportNrLog.exe) is a command-line utility used to import NrLog alarm data into the database. After you import the alarm data, you can use Event Viewer to view the alarm data and generate reports based on the alarm data. The idsImportNrLog.exe file is located in the <install>/CSCOpx/MDC/bin/ids folder, where <install> is the drive and directory where Security Monitor is installed.
|
Note You must stop the IDS_Receiver server before using this utility. |
|
About the IdsImportIdiom Utility
The IdsImportIdiom utility (IdsImportIdiom.exe) is a command-line utility used to import event data that is stored in IDIOM format.
|
Note You must stop the IDS_Receiver server before using this utility. |
|
About the IdsImportArchivedData Utility
The IdsImportArchivedData utility (IdsImportArchivedData.exe) is a command-line utility used to import data from archives that were produced by the IdsPrunning utility.
|
Note You must stop the IDS_Receiver server before using this utility. |
|
|
Note This example assumes that the command is being run from directory where the archives are stored. |
Stopping and Starting the IDS_Receiver Service
You need to stop the IDS_Receiver service before using the following utilities:
After running the utilities, you need to restart the service.
To stop or start the receiver service, follow these steps:
Step 1 To stop the receiver service, follow these steps:
a. Select Server Configuration > Administration > Process Management >Stop Process from the CiscoWorks desktop.
The Stop Process page appears.
Figure 7-2 Stop Process page with IDS_Receiver Selected
The IDS_Receiver service stops.
Step 2 To start the receiver service, follow these steps:
a. Select Server Configuration > Administration > Process Management >Start Process from the CiscoWorks desktop.
The IDS_Receiver service starts.
Using the Import Utilities
Importing alarm data from IDIOM and NrLog archive files allows you to view the data in Event Viewer and generate reports based on the imported data.
|
Note Because you must stop the IDS_Receiver service to import alarm data, Security Monitor cannot receive new alarm data while you perform this procedure. |
To import alarm data into Security Monitor, follow these steps:
Step 1 Stop the IDS_Receiver service.
Step 2 Open a command prompt on the Security Monitor server.
Step 3 To import alarm data, do one of the following:
- To import alarm data from an NrLog file, enter IdsImportNrLog <nrlog_file> at the prompt, where <nrlog_file> is the full path and filename of your input file.
- To import alarm data from an IDIOM file, enter IdsImportIdiom -f"<idiom_file>" at the prompt, where <idiom_file> is the full path and filename of your input file.
- To import alarm data from a pruning archive file, enter IdsImportArchivedData -r"TableList" -t"date_time" -w"directoryName" at the command prompt, where TableList is the table type being imported, -t"date_time is the date and time the archive was created, and directoryName is the path to the directory where the archive was created.
Step 4 Restart the IDS_Receiver service.
Compacting the Database
Pruning the database and deleting events from the database do not reduce the size of the database. Instead, the database reuses the space for deleted records.
To reduce the size of the database, you need to use the IdsDbCompact command-line utility. Refer to the following topics to learn how to use the IdsDbCompact utility:
About the IdsDbCompact Utility
The IdsDbCompact utility reduces the physical size of your database file by removing database entries that are marked for deletion. It does this by unloading the original database, creating a new database, and then populating the new database with the data that is not marked for removal.
|
Note The amount of space reclaimed by compacting the database depends upon the amount of events marked for deletion. Consider pruning the database before performing a database compact. |
The IdsDbCompact utility is run from the command line of the server where Security Monitor is installed. While the utility is running, CiscoWorks Server services are unavailable for use.
|
Using the IdsDbCompact Utility
You can use the IdsDbCompact utility to decrease the physical size of your database. The IdsDbCompact utility must be run from the command line of the server.
|
Note The CiscoWorks Server web interface will be unavailable to all users while this utility is running. |
- You should back up your data before performing this procedure.
- To maximize the space reclaimed by the database compact, you should prune the database before compacting it.
- Make sure that there are no
idsmdc.db.origandidsmdc.log.origfiles from a previous compact in the current database directory. The utility will not run if they are. - Make sure there are no files in the directory that you specify as the unload directory. They will be deleted when you run the utility, and the directory will be removed when the utility has finished.
To compact your database, follow these steps:
Step 1 Open a command prompt on the server.
Step 2 Shut down the CiscoWorks Daemon Manager service:
Step 3 Enter IdsDbCompact at the prompt. You can use the following options with the utility:
- -u "<dir>"—Specifies the directory the current database is unloaded to. If this directory already exists, all files within the directory are erased when the utility runs, and the directory itself is removed when the utility finishes. If this directory does not exist, the utility creates it on startup and removes it when finished.
- -r—Removes the original database after a successful compaction.
- -v—Turns on verbose output during the running of the utility.
The utility displays the selected unload directory and the new database creation directory and asks if you want to proceed with the selected settings.
Step 4 Enter y to continue.
The database compact process begins. During the compact process, a series of informational messages appear on the screen. The command prompt appears when the process is complete. If you did not use the -r option, the original database and database log files are saved with the .orig extension.
Step 5 If you did not use the -r option, you should move the original database and log files, idsmdc.db.orig and idsmdc.log.orig, to another drive or another system. Those files will consume your existing disk space and will prevent you from running this utility again until they are moved.
Step 6 Restart the Daemon Manager service:
You need to wait for the services to complete their startup routines before accessing CiscoWorks Server through the web interface.
Backing Up the Database
You should back up the database regularly so that you have a safe copy of the Security Monitor database. You can back up the database on demand, at a specific time, or at scheduled intervals. You cannot back up the database while restoring or compacting the database.
When you back up the database, the data for all CiscoWorks Common Services client applications is backed up; you cannot specify a backup for the data of a single client application, such as Security Monitor. Additionally, user account information is not saved in the backup. You must use the CiscoWorks Server utilities to back up user account information.
|
Note You can only back up the data to the server. You cannot back up the database to a client system, even if that client system is being used to connect to CiscoWorks Common Services and initiate the backup. However, after you back up the database, we recommend that you store the backup to a different computer to prevent data loss in the case of hardware failure. |
This procedure is performed from the CiscoWorks desktop, not from Security Monitor. You must log in to the CiscoWorks desktop using an account with administrative privileges.
To backup the database, follow these steps:
Step 1 Select VPN/Security Management Solution > Administration > Common Services > Backup Database from the navigation tree.
The Backup Database page appears.
Step 2 Specify the path to the directory where you want the backup stored. You can specify the backup directory in one of two ways:
Step 3 To specify that you want to send an e-mail to designated recipients each time the database is backed up, select the Email Notification check box and enter an e-mail address in the field.
|
Note If you have specified a default e-mail address on the Preferences page, that address appears in the Email Notification field by default. You can add additional recipients by separating e-mail addresses with a comma (,). |
Step 4 To specify that the database backup is performed immediately, select the Immediate check box.
Step 5 To specify a specific date and time when you want the database backup to begin, follow these steps:
a. Deselect the Immediate check box.
b. Use the scroll arrows to display the month, day, and year in the Start Date lists under Schedule, and then click each displayed value to confirm your selection.
Confirmed selections appear in blue.
c. Use the scroll arrows to display the hour and minutes in the Start Time lists under Schedule, and then click each displayed value to confirm your selection.
Confirmed selections appear in blue.
Step 6 To specify that a backup should take place at regular intervals, follow these steps:
a. Enter a value in the Repeat After field, and select Days, Hours, or Minutes from the list. You must click your list selection after using the scroll arrows for the selection to take effect.
b. To limit the number of times the database backup occurs, enter a value in the Limit Occurrences field under Frequency.
|
Note Entering 1 in both the Repeat After and Frequency fields causes the database compaction to occur only once at the scheduled date and time. |
Step 7 To back up the database according to the settings you have made, click Finish.
A message box provides the status of the database backup. If you selected the Immediate check box, the database backup begins immediately. The backup may take several minutes to complete. The backup is stored in a subdirectory named with the time and date that the backup occurred (in yyyymmddhhmmss format).
Step 8 Click OK to close the message box.
Restoring the Database
You can restore the database from an existing backup. The backup contains data from all installed CiscoWorks Common Services client applications. Because user account information is not backed up, you cannot use restore to recover deleted accounts. Additionally, license information is not restored; the license in effect when the restore is performed remains in effect after the restore.
|
Caution Restoring the database restores the data for all client applications; you cannot restore the data for a single client application, such as Security Monitor. Therefore, restoring the database resets all client application data to the state it was in when the backup was created. |
|
Note You cannot restore the database while compacting or backing up the database. |
This procedure is performed from the CiscoWorks desktop, not from Security Monitor. You must log in to the CiscoWorks desktop using an account with administrative privileges.
To restore the database, follow these steps:
Step 1 Select VPN/Security Management Solution > Administration > Common Services > Restore Database from the navigation tree.
The Restore Database page appears.
Step 2 Specify the path to the directory where the backup is stored. You can specify the directory in one of two ways:
|
Note The Backed-up Archive field displays the last backup performed. If no backups have been performed, the Backed-up Archive field is blank. |
You can also specify the backup to use. If you do not specify a specific backup, the system selects the most recent backup in the directory.
Step 3 To specify that you want to send an e-mail to designated recipients each time the database is restored, select the Email Notification check box, and enter an e-mail address in the field.
|
Note If you have specified a default e-mail address on the Preferences page, that address appears in the Email Notification field by default. You can add additional recipients by separating e-mail addresses with a comma (,). |
Step 4 Click Finish.
A message box provides the status of the database restore.
Step 5 Click OK to close the message box.
Step 6 Restart the system services:
a. Select Server Configuration > Administration > Process Management > Stop Process from the navigation tree.
The Stop Process page appears.
The Process Status page appears.
d. Select Server Configuration > Administration > Process Management > Start Process from the navigation tree.
The Start Process page appears.
The Process Status page appears.
Updating IDS Sensor Software Other than from 3.x to 4.x
Cisco Systems periodically releases updates of sensor software versions and signature release levels for its IDS Sensors (both sensor appliances and IDS modules). We recommend that you check for and perform regular updates of sensor software versions and signature release levels on sensors that you have deployed. This recommendation also applies to the server(s) where you have installed the IDS MC and Security Monitor.
|
Note This procedure applies to Version 1.1 (and later) of the IDS MC and to Version 1.1 (and later) of Security Monitor. When using the IDS MC, you can use this procedure to update the server as well as any sensors that you select. When using Security Monitor, you can use this procedure to update the server but not sensors; sensors are not (and cannot be) updated through Security Monitor. |
|
Note We strongly recommend that you download and apply all update files, in order and without exception, as they become available. To be informed of the latest update files by e-mail, you can subscribe to the Cisco IDS Active Update Notification. The subscription form is available at http://www.cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html. |
|
Note We strongly discourage updating sensor software versions and signature release levels in a direct session to an individual sensor if you manage that sensor with the IDS MC. You should instead use this procedure of performing updates through the IDS MC. If you have changed the configuration of a sensor, or updated a sensor, outside of the IDS MC, we recommend that you delete that sensor from your configuration and then add it to your configuration. |
|
Note Updating sensor software in a direct session to an individual sensor instead of by performing an update through the IDS MC will result in the rejection of the SSH fingerprint for that sensor. This is because the IDS MC is not involved in a session to an individual sensor. |
To use this procedure effectively, you must understand the numbering system used for sensor software versions and signature release levels. For example:
You should also understand the update files:
- Cisco releases its periodic updates of sensor software versions and signature release levels for its IDS Sensors in the form of update files that are compressed (.zip). IDS MC works with these compressed files directly; you should not extract anything from them.
- There are two types of update files:
-
- Service pack update files—You can identify service pack update files by their names: the letters "sp" precede the version number. When these update files are applied, they change the version number of a sensor. Service pack update files contain executable code; they affect the actual micro-engine software on the sensor. They also contain signature updates.
- Signature update files—Signature update file names contain the letters "sig" before the version number. Signature update files contain newly released signatures but not executable code.
- By inspecting the name of an update file, you can identify the device type (sensor appliance or IDSM), type of update (service pack or signature), version number, and signature release level. For example, the file
IDSk9-sp-3.1-2-S23.ziphas the following characteristics:
The file IDSM-sig-3.0-5-S20.zip has the following characteristics:
Service pack update files can move major and minor version numbers. For instance, if you apply the first 3.1 service pack update to the last 3.0 version of a sensor, you will move the version number from 3.0 to 3.1.
- Signature update files do not need to be applied individually because they are cumulative. That is, a given revision level contains all the signatures from previous levels. For example, if you are using a sensor appliance operating with
3.1(3)S32and you want to update it to3.1(3)S34, you can apply the update fileIDSk9-sig-3-1-S34.zip.
Signature update files can be applied only to sensors operating with the same version number, or with the same version number plus service pack designation. For example, the signature update file IDSk9-sig-3.1-3-34.zip can be applied to a sensor operating with version 3.1(3)S32 but not to a sensor operating with version 3.1(2)S22 or 3.1(4)S34 or 3.0(3)S22.
Signature update files can be applied only to sensors that are not already operating at that file's signature revision level. For example, the signature update file IDSk9-sig-3.1-3-34.zip cannot be applied to a sensor operating with 3.1(3)S34. The reason is that this sensor is already operating at the same signature version level (S34) that the update file provides.
To use this procedure, you must have access to the server:
- You must have access to the IDS MC server if you want to update the IDS MC or a sensor.
- You must have access to the Security Monitor server if you want to update Security Monitor.
- If you have installed IDS MC and Security Monitor on the same server, you must have access to that server if you want to update the IDS MC or a sensor or Security Monitor.
To update a sensor from sensor software 3.x to sensor software 4.x, you must have physical access to that sensor so that you can re-image it.
|
Note After updating sensor software versions and signature release levels, you cannot revert to the previous version or level using the IDS MC. |
To update your sensor software version and signature release level, follow these steps:
Step 1 Determine the sensor software version and signature release level that your server is operating with. For a Security Monitor server, do not perform this step because it is not necessary. For an IDS MC server, proceed with Step a.
The Select Group page appears.
The Enter Sensor Information page appears.
d. Enter an IP address, a sensor name, a user ID, and a password as if you were adding a sensor; however, you will not complete the addition of a sensor in this step of this procedure. You will only determine the sensor software and signature version that your IDS MC server is operating with.
The Sensor Information page appears.
A scrolling list appears. This list displays all the sensor software and signature versions that your IDS MC server is operating with.
g. Click Cancel. (The purpose of performing this step is to determine the sensor software and signature versions that your IDS MC server is operating with, not to complete the process of adding a sensor.)
Step 2 Determine the sensor software version(s) and signature release level(s) that your sensors are using. For a Security Monitor server, do not perform this step because sensors are not (and cannot be) updated through Security Monitor. For an IDS MC server, proceed with Step a.
a. In the IDS MC, select Configuration > Settings.
b. Click the Object Selector handle.
c. From the Object Selector, select the sensor whose sensor software and signature version you want to determine.
The Identification page appears, and the Object bar displays the sensor you selected from the Object Selector. The sensor software and version of the sensor appear in the Version field. In this example, the version is 3.0(1)S4.
Step 3 Check the Cisco Systems Software Center to see if an update file is available. Update files are explained in detail in the introduction to this procedure. Each update file has a readme file associated with it to provide additional details.
a. If you are registered with Cisco.com, and you have logged in, and you are authorized for Cisco Secure IDS Strong Crypto software, navigate to http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids; then skip to Step d in this step. Otherwise, proceed with Step b.
b. Register with Cisco.com at http://www.cisco.com and log in.
c. Navigate to http://www.cisco.com/public/sw-center/sw-cw2000.shtml and follow the link to Management Center for IDS Sensors under VPN/Security Management Solution. (The navigation path is www.cisco.com > [log in] > Technical Support > Software Center > Cisco Works Software > Management Center for IDS Sensors.)
|
Tip Use this download location for the IDS MC and Security Monitor both. |
If you are not already authorized to download Cisco Secure IDS Strong Crypto Software, you will be prompted to submit an application. The approval process typically takes a few hours.
The Software Download page appears.
Step 4 Download the update file to ~CSCOpx/mdc/etc/ids/updates on the server.
Step 5 Choose one of the following:
|
Tip If you have installed the IDS MC and Security Monitor on the same host, your Security Monitor server will be updated when you update your IDS MC server. |
Step 6 In the IDS MC, select Configuration > Updates.
Step 7 From the TOC, select Update Network IDS Signatures.
The Update Network IDS Signatures page appears, showing all the update files, if any, that have been downloaded to ~CSCOpx/mdc/etc/ids/updates on the server where you have installed the IDS MC.
Step 8 Assume for this example that your IDS MC installation contains one IDS module, as illustrated here.
Select an update file, IDSk9-sp-3.1-3-S31.zip in this example, from the Update File list, and then click Apply.
The Update Summary page appears. It states that the update file will be applied to IDS MC. That is because the update file does not apply to any devices in your IDS MC installation. (The update file begins with IDSk9, so it applies to sensor appliances, not to IDS modules, and there are no sensor appliances in your IDS MC installation.)
If that is what you want to do, skip to Step 14.
Step 9 To continue this example, assume that you have added a sensor appliance to your IDS MC installation, as illustrated here.
Select the same update file, IDSk9-sp-3.1-3-S31.zip, and then click Apply.
The Select Sensors to Update page appears. The Select Sensors to Update page displays all the sensors (in any group) that can be updated using the update file you selected, presuming that your server has established communications with them; however, you must select only devices that follow a prescribed update path. In this example, the update file applies to only one device and IDS MC 1.0 is being used, so the Select Sensors to Update page appears as a non-scrolling table. This non-scrolling table does not appear if IDS MC 1.1 is being used or if you are updating more than one sensor.
Do not select that sensor; instead, click Cancel and then continue this example with Step 10.
Step 10 Assume now that you have added three more sensors to your IDS MC installation, as illustrated here.
Select the same update file, IDSk9-sp-3.1-3-S31.zip, and then click Apply.
The Select Sensors to Update page appears as a scrolling table. There is no functional difference between the scrolling and non-scrolling forms of the Select Sensors to Update page. IDS MC 1.1 uses only the scrolling form of this table.
Recall that service pack update files must be applied individually, stepwise, and sequentially, as explained in the introduction to this procedure. Also recall that signature update files are cumulative. This means that the update file can be applied to all the sensors shown.
Step 11 As an example, select sensor20, and then click Next.
The Enter Root Password Page appears. In this example, only one sensor is being updated and IDS MC 1.0 is being used, so the Enter Root Password Page appears as a non-scrolling table. This non-scrolling table does not appear if IDS MC 1.1 is being used or if you are updating more than one sensor.
|
Note If the update file is an IDSM update file (not a sensor appliance update file), the Enter Root Password Page does not appear. |
If you are using IDS MC 1.0 and you choose to update more than one sensor, sensor20 and sensor30, for example, the Enter Root Password page appears as a scrolling table. There is no functional difference between these two forms of the Enter Root Password page.
IDS MC 1.1 uses a different form of this table.
Step 12 Enter the valid root password for each sensor. In IDS MC 1.1 (and later), enter the password a second time to confirm it.
|
Note If you are using IDS MC 1.0, click outside the Root Password field after entering the last root password. This is required for your entry to be recognized as being completed. Clicking outside the Root Password field is not necessary in IDS MC 1.1 (and later). |
|
Caution In IDS MC 1.0, when you enter root passwords in the scrolling table form of the Enter Root Password page, they will appear in clear text (unmasked). Do not allow your passwords to be observed while you are entering root passwords. Passwords are masked in IDS MC 1.1. |
|
Tip When using sensor appliances (but not IDSMs), you can specify that root passwords be stored by IDS MC. To do so, select Configuration > Settings; from the TOC that appears, select Identification. On that page, you can specify that root passwords be persistent. |
Step 13 The Update Summary page appears. This page describes the update that is about to be applied; in this example, an update is being applied to sensor20 and sensor30.
Step 14 Click Finish.
The sensors you selected, if any, are updated using the update file that you chose in Step 8 or Step 9. In addition, the server where you installed IDS MC is updated. If you have installed Security Monitor on the server where you have installed IDS MC, this procedure will update the server operations that apply to Security Monitor; more specifically, this procedure will supply Security Monitor with the names of new signatures and an NSDB reference for them; sensors are not (and cannot be) updated through Security Monitor. The update process may take several minutes, depending upon the size and complexity of your network and its traffic. However, the update process is performed by a separate thread, so the Update Network IDS Signatures page appears again almost immediately.
Step 15 Verify that the update was successful by generating a report. The update process may take several minutes, depending upon the size and complexity of your network and its traffic.
a. Select Reports > Generate, and then click the Audit Log Report radio button.
b. Select Select to generate an audit log report. Use the audit log report to verify that you successfully updated your sensors and server using the update file that you downloaded from the Software Center.
Step 16 Verify that the update was successful by displaying a table of sensors in your installation. (The update process may take several minutes, depending upon the size and complexity of your network and its traffic.) For each group of sensors, select Devices > Sensor.
The Sensor page appears. Note that sensor20 and sensor30 were successfully updated to version 3.1(3)S31 by application of the update file IDSk9-sp-3.1-3-S31.zip
You should now return to Step 10 and update sensor40 and sensor50. Then, skip Steps 17 through 21.
|
Note We strongly recommend that you download and apply all update files, in order and without exception, as they become available. |
Step 17 To update your Security Monitor server only, complete Steps 17 through 21.
In Security Monitor, select Admin > System Configuration.
Step 18 From the TOC, select Update Network IDS Signatures.
The Update Network IDS Signatures page appears, showing all the update files, if any, that have been downloaded to ~CSCOpx/mdc/etc/ids/updates on the server where you have installed Security Monitor.
Step 19 Select an update file, IDSk9-sp-3.1-3-S31.zip in this example, from the Update File list, and then click Apply.
The Update Summary page appears. It states that the update file will be applied to Security Monitor.
Step 20 Click Continue.
The server where you installed Security Monitor is updated. The update process is performed by a separate thread, so the Update Network IDS Signatures page appears again almost immediately.
Step 21 Verify that the update was successful by generating a report.
a. Select Reports > Generate, and then click the Audit Log Report radio button.
b. Select Select to generate an audit log report. Use the audit log report to verify that you successfully updated your sensors and server using the update file that you downloaded from the Software Center.