Configuring and Performing Appliance Data Backups
system (NFS) protocol. While you cannot schedule when the data backup occurs, the MARS Appliance
performs a configuration backup every morning at 2:00 a.m. and events are archived every hour. The
configuration backup can take several hours to complete.
When archiving is enabled, dynamic data is written twice: once to the local database and once to the NFS
archive. As such, the dynamic data that is archived includes only the data that is received or generated
after you enable the data archive setting. Therefore, we recommend that you enable archiving before
configuring your appliance to receive audit events from reporting devices.
You can use the same NFS server to archive the data for more than one MARS Appliance; however, you
must specify a unique directory in the NFS path for each appliance that you want to archive. If you use the
same base directory, the appliances overwrite each other's data, effectively corrupting the images.
Note: For the complete list of supported NFS servers, see:
• http://www.cisco.com/en/US/products/ps6241/products_device_support_table09186a0080467232.html
Each MARS Appliance seamlessly archives data using an expiration date that you specify. When the
MARS internal storage reaches capacity, it automatically purges the data in the oldest partition of the
local database, roughly 10% of the stored event and session data. The data in the NFS file share has a
life span specified in days. Therefore, to keep a year's worth of data, you would specify 365 days as the
value for the Remote Storage Capacity (in Days) field. All data older than 365 days is purged from the
archive file.
When planning for space requirements, use the following guidance: Estimate 6 GB of storage space for
one year's worth of data, received at a sustained 10 events/second. This estimate assumes an average of
200 Bytes/event and a compression factor of 10, both realistic mean values. In addition to capacity
planning, plan the placement of your NFS server to ensure a reliable network connection that can
transmit 10 MB/second exists between the NFS server and the MARS Appliance. You should consider
using the eth1 interface to avoid high-traffic networks that might introduce latency and to ensure that the
backup operation is not competing with other operations in the MARS Appliance. Also, define a default
route to the NFS server on the MARS Appliance, and verify that any intermediate routers and
firewalls allow for multi-hour NFS connections to prevent session timeouts during the backup operation.
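The following planning sketch is an added example, not part of the Cisco guide. It applies the sizing estimate above (200 bytes/event, compression factor 10) per appliance and flags appliances that point at the same directory on a shared NFS server, the condition the guide says leads to overwritten archives. Appliance names, host names, paths and function names are constructed for illustration.

```python
import posixpath
from collections import defaultdict

BYTES_PER_EVENT = 200     # average event size stated in the guide
COMPRESSION_FACTOR = 10   # compression factor stated in the guide
SECONDS_PER_DAY = 86_400

def archive_bytes(events_per_sec, retention_days):
    """Compressed archive size for a sustained rate kept for retention_days."""
    raw = events_per_sec * BYTES_PER_EVENT * SECONDS_PER_DAY * retention_days
    return raw / COMPRESSION_FACTOR

def normalize(host, path):
    """Canonical (host, directory) key so '/a/b/', '/a//b' and '/a/./b' compare equal."""
    clean = posixpath.normpath("/" + path.strip().strip("/"))
    return host.strip().lower(), clean

def plan(appliances):
    """Return (bytes required per NFS host, list of shared-directory collisions)."""
    per_host = defaultdict(float)
    by_dir = defaultdict(list)
    for a in appliances:
        host, path = normalize(a["nfs_host"], a["nfs_path"])
        per_host[host] += archive_bytes(a["eps"], a["retention_days"])
        by_dir[(host, path)].append(a["name"])
    collisions = [(h, p, names) for (h, p), names in sorted(by_dir.items())
                  if len(names) > 1]
    return dict(per_host), collisions

# Constructed sample inventory: two appliances mistakenly share one directory.
SAMPLE = [
    {"name": "mars-lc1", "nfs_host": "nfs1.example.net",
     "nfs_path": "/archive/mars-lc1", "eps": 10, "retention_days": 365},
    {"name": "mars-lc2", "nfs_host": "NFS1.example.net",
     "nfs_path": "/archive//mars-lc1/", "eps": 50, "retention_days": 90},
    {"name": "mars-gc", "nfs_host": "nfs1.example.net",
     "nfs_path": "/archive/mars-gc", "eps": 5, "retention_days": 365},
]

if __name__ == "__main__":
    sizes, clashes = plan(SAMPLE)
    for host, size in sizes.items():
        print(f"{host}: plan for at least {size / 1e9:.1f} GB")
    for host, path, names in clashes:
        print(f"COLLISION on {host}:{path} shared by {', '.join(names)}")
```

The retention value passed per appliance corresponds to the Remote Storage Capacity (in Days) field; any collision reported should be resolved before archiving is enabled.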
Note: Data archiving is local to a given appliance. When you configure data archiving on a Global Controller,
you are archiving the data for that appliance; you cannot configure the Global Controller to archive data
from Local Controllers that it monitors.
For more information on the uses and format of the archived data, see the following topics:
• Typical Uses of the Archived Data, page 6-21
• Format of the Archive Share Files, page 6-21
• Archive Intervals By Data Type, page 6-23
• Guidelines for Restoring, page 6-40
• pnrestore, page A-43
To configure data archiving, you must perform the following procedures:
1. Configure the NFS server:
   – Configure the NFS Server on Windows, page 6-24

Install and Setup Guide for Cisco Security MARS
Chapter 6
Administering the MARS Appliance
OL-14672-01
6-20