Re: Cisco MARS

[Jason Frisvold <frisvolj () LAFAYETTE EDU>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/17/2010 09:16 AM, Kamnab Keo wrote:
> Is anyone using Cisco MARS to do network and system monitoring?   If so,
> how are you using it (rules, reports,quires) and how is the
> performance?  We are experiencing what seems to be slow batch reports
> and queries (1 to 4 hours for a 1 day report on 1 event).  Is it normal
> for reports and queries to take this long?

We have MARS here and, to be honest, I'm looking to replace it.  From
what I understand, Cisco isn't really sure what to do with the product
and it seems to be bouncing back and forth between continuing with it
and EOL.

- From my experience with it, there is no such thing as "fast."  Every
query seems to be relatively slow as compared to more modern systems.
It really depends on the amount of information you're storing in the
system and how many fields you're matching on, but I have easily seen it
take an hour to report on a single event.  Just switching from screen to
screen tends to be rather slow as well.

MARS has been useful, just not as useful as we would have liked.  It
seems that the money for maintenance can be better spent elsewhere, at
least for us.

> Thanks,

- --
- ---------------------------
Jason Frisvold
Network Engineer
frisvolj () lafayette edu
- ---------------------------
"What I cannot create, I do not understand"
   - Richard Feynman
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkvxjb0ACgkQO80o6DJ8UvkrCgCfTmTR9v3ufRy5X6sX2Qenl/4x
w4QAnAkw3/pKdKp+zRCJ8XarViYt36qA
=f+WO
-----END PGP SIGNATURE-----