HPE Community
Operating System - HP-UX
1824724 Members
3738 Online
109674 Solutions
New Discussion юеВ

IDS-9000 Trim Alert Database

 
Glenn Mitchell_2
Frequent Advisor

тАО10-11-2005 11:48 AM

тАО10-11-2005 11:48 AM

IDS-9000 Trim Alert Database

System: HP 9000/800 L1000
OS: HP-UX 11.11
Application: HP IDS 9000 B.02.01.32 (J5083AA)

How and where do I trim the ids databases to eliminate alerts and errors that are greater than 3 months old? I have over 35,000 alerts that are displayed when I bring up the gui (/opt/ids/bin/idsgui). Dates shown go back years. I mark all alerts as тАЬreadтАЭ and delete those whose dates are greater than 3 months old. I then save the file and exit the gui. Later when I open the IDS gui, all 35,000+ alerts are again displayed as unread new alerts.
0 Kudos
Reply
4 REPLIES 4
Adisuria Wangsadinata_1
Honored Contributor

тАО10-11-2005 12:57 PM

тАО10-11-2005 12:57 PM

Re: IDS-9000 Trim Alert Database

Hi,

There's a process called 'log file rotation'. Check this document at url below about 'HP Intrusion Detection System/9000 Administrator's Guide: Software Release 2.0' :

http://docs.hp.com/en/J5083-90007/index.html

And also check the thread below :

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=725998

Hope this information can help you.

Cheers,
AW
now working, next not working ... that's unix
0 Kudos
Reply
Glenn Mitchell_2
Frequent Advisor

тАО10-12-2005 05:06 AM

тАО10-12-2005 05:06 AM

Re: IDS-9000 Trim Alert Database

The Log File Rotation does not solve my problem. I exited the ids gui and renamed the /var/opt/ids/gui/logs/alert.log file. I restarted the ids gui and noted that a new alert.log file is created. After the polling activity the System Manager view once again counts up 35000+ alerts and continues to display a message that ├в No Agent is Available├в . I select ├в Status├в and its report changes to ├в Ready├в . After reading the reports I check all as "read" and delete all but the 3 months needed - and save the results. I exit and reenter the gui and once again it counts up all 35000+ entries as before.
0 Kudos
Reply
Pierre Pasturel
Respected Contributor

тАО10-13-2005 04:16 AM

тАО10-13-2005 04:16 AM

Re: IDS-9000 Trim Alert Database

Glenn -

When performing alert file rotation, you need to rotate the alert.log file on the agent (sensor) system (i.e., /var/opt/ids/alert.log), not the GUI's local alert file.

Regardless, during a resync, the GUI will resync all alerts with a timestamp newer than the most recent alert currently displayed by the GUI. So if you have left recent alerts in the GUI, as it appears that you have, you should only see more recent alerts during a resync. If you remove *all* alerts in the GUi and then perform a resync, you will get *all* alerts in the agent's alert.log file (i.e., all 35K). See p. 49 of the V3.1 Admin Guide available on docs.hp.com.

I noticed that you are running an old version of HIDS. I would encourage you to upgrade to the latest release (V3.1 available on software.hp.com) that has significant performance improvements.

I can't remember off hand if V2.1 had problems with a resync.

Pierre


0 Kudos
Reply
Glenn Mitchell_2
Frequent Advisor

тАО10-14-2005 07:41 AM

тАО10-14-2005 07:41 AM

Re: IDS-9000 Trim Alert Database

I finally got my alerts trimmed down to a more manageable 1200+ (it was up to 43000+ by the time I got it to work under a more reasonably configured schedule). Because the system is a validated Production server, I must evaluate the software upgrade first on the Development server and then submit a ton of paperwork for the upgrade to be approved. For now I am in good shape and I thank you for your assistance.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.