RE: Cisco MARS disk space management

From: Travis Niedens <niedentj_at_hotmail.com>
Date: Fri, 12 Mar 2010 14:07:31 -0800

As Scott Morris would say "it depends..."

I have deployed MARS in many different environments and even earned Cisco's TSS
certification in MARS / IPS. The amount of space is tied to the database size
allocated per each box - a MARS50 will hold less than a MARS 110. As for how
long it takes to fill the storage, this varies depending upon how many
devices you have configured in MARS, what types of data (netflow, syslog,
etc.) are coming in and how granular they are and finally your archiving
configuration. To see your usage:

diskusage

To display the disk space available on all partitions, use the diskusage
command.

    diskusage

Syntax Description
There are no keywords, options, or arguments.

Usage Guidelines
Displays amount of disk space available on all partitions in the MARS
Appliance.

For all MARS Appliance models, the Oracle database has three partitions:

    /u01: Stores the Oracle binary files.
    /u02: Stores the data files.
    /u03: Stores the replay log files, which are cached, in-memory working
          files not yet committed to the data store.

If any of these partitions reaches 99% capacity, the Oracle database will
experience operational issues.

The size of the data partition (/u02) varies based on the model:

    MARS 20:  74 GB
    MARS 50:  148 GB
    MARS 100: 565 GB
    MARS 200: 795 GB

Examples
To display the disk usage for all partitions in the MARS Appliance, enter the
following command:

    diskusage

The following is sample output for a MARS 100, as noted by the size of the
/u02 partition:

    Filesystem  Size   Used  Avail  Use%  Mounted on
    /dev/sda3   20G    5.7G  13G    31%   /
    /dev/sda1   129M   14M   108M   12%   /boot
    /dev/sda5   20G    4.8G  13G    26%   /opt
    /dev/sda6   20G    130M  18G    1%    /log
    /dev/sda7   29G    134M  27G    1%    /pnarchive
    /dev/sda8   20G    2.7G  16G    14%   /u01
    /dev/sda9   9.8G   2.2G  7.2G   23%   /u03
    /dev/sda10  565G   15G   522G   3%    /u02
    none        1005M  0     1005M  0%    /dev/shm

The archiving is a lot more complex. You have to figure out how much storage
you "expect" to use over a certain time for archiving. This requires a good
understanding of your environment and the policies tied to security data
retention.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html#wp1163469

Travis

> From: ezorrilla_at_tsf.com.pe
> To: security_at_groupstudy.com; ccielab_at_groupstudy.com
> Subject: Cisco MARS disk space management
> Date: Fri, 12 Mar 2010 12:57:38 -0800
>
> Hi Guys,
>
> I need your help one more time. I have a Cisco MARS and I am sending to it
> many logs. Someone could please let me know how can I see how much information
> do I get in one day and maybe in a week?
>
> What I need to do is: as soon as I realize how much space Cisco MARS got in a
> week or daily from logs that come to it, we could size a machine who can
> receive logs from Cisco MARS (forwarded) so that I can save logs even for a
> month on the new server.
>
> Please, some who can tell me how can I see how much room get the logs on the
> Cisco MARS Server, I will really appreciate,
>
> Regards
Received on Fri Mar 12 2010 - 14:07:31 ART
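
Added example, not part of the original thread: one way to turn captured diskusage output into the two numbers discussed above, namely which Oracle partitions are nearing the 99% mark and roughly how fast /u02 is filling. It assumes two captures saved as text; the second capture, the 7-day interval and the 90% warning margin are constructed for illustration, and /u02 growth is only an approximation of log intake.

```python
import re

# Rows copied from the sample MARS 100 output in the post above.
SNAPSHOT_DAY0 = """\
Filesystem Size Used Avail Use% Mounted on
/dev/sda8 20G 2.7G 16G 14% /u01
/dev/sda9 9.8G 2.2G 7.2G 23% /u03
/dev/sda10 565G 15G 522G 3% /u02
"""
# Constructed second capture, assumed to be taken 7 days later.
SNAPSHOT_DAY7 = SNAPSHOT_DAY0.replace("565G 15G 522G 3%", "565G 29G 508G 6%")

ORACLE_PARTITIONS = ("/u01", "/u02", "/u03")
UNITS_GB = {"": 1 / 1024**3, "K": 1 / 1024**2, "M": 1 / 1024, "G": 1.0, "T": 1024.0}

def to_gb(text):
    """Convert a human-readable size ('565G', '1005M', '0') to gigabytes."""
    m = re.fullmatch(r"([\d.]+)([KMGT]?)", text)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return float(m.group(1)) * UNITS_GB[m.group(2)]

def parse_diskusage(output):
    """Map each mount point to its size/used/avail (GB) and Use% (int)."""
    parts = {}
    for line in output.splitlines():
        f = line.split()
        if len(f) != 6 or not f[4].endswith("%"):
            continue  # header, blank line or anything that is not a data row
        parts[f[5]] = {"size": to_gb(f[1]), "used": to_gb(f[2]),
                       "avail": to_gb(f[3]), "pct": int(f[4][:-1])}
    return parts

def oracle_alerts(parts, warn_pct=90):
    """Oracle partitions at or above warn_pct (assumed margin below the 99% limit)."""
    return [m for m in ORACLE_PARTITIONS if m in parts and parts[m]["pct"] >= warn_pct]

def u02_growth(first, second, days):
    """Return (GB/day added to /u02, days until /u02 is about 99% full).
    Coarse: the appliance rounds the figures before we see them."""
    a, b = first["/u02"], second["/u02"]
    per_day = (b["used"] - a["used"]) / days
    if per_day <= 0:
        return per_day, None  # no growth (or a purge ran): nothing to project
    return per_day, max(0.99 * b["size"] - b["used"], 0) / per_day

if __name__ == "__main__":
    day0, day7 = parse_diskusage(SNAPSHOT_DAY0), parse_diskusage(SNAPSHOT_DAY7)
    print(oracle_alerts(day7), u02_growth(day0, day7, 7))
```

The GB/day figure is what you would multiply by the retention period when sizing the server that receives the forwarded logs.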