66-32
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 66 Viewing Events
Managing the Event Manager Service
For both the primary and extended locations, when the allocated space is 90% full, the oldest event data
is deleted from storage to make room for new data. Data is copied from the primary store to the extended
store, if you configure one, so in most cases events deleted from the primary storage continue to be
available for querying from the extended storage location, until they are rotated out of the extended
storage. (The timing of the copy from the primary to extended data store depends on a number of factors,
including the events per second (EPS) rate, the relative size of the primary store to the extended store,
and the percentage of the primary data that has already been copied to the extended store.)
You can monitor how much of the allocated space is currently being used, and the age of the oldest event,
by selecting View > Show Event Store Disk Usage in Event Viewer. The information is displayed as a
pie chart that shows the used and unused space in gigabytes (GB) for each location. There is also an
indication of the oldest event currently stored in each location.
You can use this information to help you decide whether to increase or decrease the space allocated to
each location.
Tip: If you decrease the size of either location, and your new size is less than the amount of space currently
being used, the oldest events are immediately deleted until your new target size is reached.
Archiving or Backing Up and Restoring the Event Data Store
The event data store is not included with the regular Security Manager database backup. If you want to
archive or back up the event data store, whether the primary or extended location, you must do so
separately. You can restore the backups if necessary.
This procedure explains the steps required for backup and restore for the event data store.
Tip: When you disable the Event Manager service, events are not written to the data store, so you will miss
any events generated during the backup or restore process.
Step 1 To back up the event data store:
a. Using the Security Manager client, select Tools > Security Manager Administration, and select
Event Management from the table of contents.
b. Determine the name of the event data store folder. The folder is shown in the Event Data Store
Location field; the default is NMSROOT\MDC\eventing\database, where NMSROOT is the
installation directory (usually C:\Program Files\CSCOpx).
If you are backing up the extended data store, the location is identified in the Extended Data Store
Location field.
c. Deselect the Enable Event Management check box to stop the Event Manager service. Click Save
to save your changes. You are prompted to verify that you want to stop the service; click Yes and
wait until you are notified that the service has stopped.
d. Outside of Security Manager, make a copy of the
NMSROOT\MDC\eventing\config\collector.properties file and the event data store folder. Place
the copy on a separate server so that the backup is available in case of hardware failure.
If you are also backing up the extended data store, make a copy of that folder as well.
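The copy in step d can be scripted so that every copied file is checked against its source. The following PowerShell sketch is an added example, not part of the Cisco guide or Cisco tooling. The parameter names, the timestamped target folder, the primary/extended subfolder names, and the SHA256SUMS.txt manifest are assumptions made here.

```powershell
# Added example (not Cisco tooling). Run only after step c confirms the
# Event Manager service has stopped; the script does not stop it for you.
param(
    [string]$NmsRoot = 'C:\Program Files\CSCOpx',   # usual NMSROOT per the guide
    [string]$EventStore,       # Event Data Store Location field; empty = default folder
    [string]$ExtendedStore,    # Extended Data Store Location field; empty = skip
    [Parameter(Mandatory)][string]$Destination      # assumed: folder on a separate server
)
$ErrorActionPreference = 'Stop'
if (-not $EventStore) { $EventStore = Join-Path $NmsRoot 'MDC\eventing\database' }
$props = Join-Path $NmsRoot 'MDC\eventing\config\collector.properties'

# Map each file under $Root (relative path) to its SHA-256 hash.
function Get-Sha256Map([string]$Root) {
    $base = (Get-Item -LiteralPath $Root).FullName.TrimEnd('\')
    $map = @{}
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($base.Length + 1)
        $map[$rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

# Fresh, timestamped target so a directory copy never merges into an old backup.
$target = Join-Path $Destination ('eventstore-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $target | Out-Null

$propsCopy = Join-Path $target 'collector.properties'
Copy-Item -LiteralPath $props -Destination $propsCopy
$propsHash = (Get-FileHash -LiteralPath $props -Algorithm SHA256).Hash
if ((Get-FileHash -LiteralPath $propsCopy -Algorithm SHA256).Hash -ne $propsHash) {
    throw 'Copy mismatch: collector.properties'
}
$lines = @("$propsHash  collector.properties")

$stores = [ordered]@{ primary = $EventStore }    # 'primary'/'extended' are names chosen here
if ($ExtendedStore) { $stores['extended'] = $ExtendedStore }
foreach ($name in $stores.Keys) {
    $dst = Join-Path $target $name
    Copy-Item -LiteralPath $stores[$name] -Destination $dst -Recurse
    $srcMap = Get-Sha256Map $stores[$name]
    $dstMap = Get-Sha256Map $dst
    foreach ($rel in $srcMap.Keys) {
        if ($dstMap[$rel] -ne $srcMap[$rel]) { throw "Copy mismatch in $name store: $rel" }
        $lines += '{0}  {1}\{2}' -f $srcMap[$rel], $name, $rel
    }
}
Set-Content -LiteralPath (Join-Path $target 'SHA256SUMS.txt') -Value $lines -Encoding UTF8
Write-Output "Backup verified: $target ($($lines.Count) files)"
```

A manifest stored next to the backup detects corruption but not deliberate modification, so keep a second copy of SHA256SUMS.txt somewhere the backup server's administrators cannot write to, and re-hash against it before any restore.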