
RE: [ISSForum] False data and time for events



My EC was always throttling alerts; the addition of another one didn't help! And
I have not found how to solve that problem! Installing one EC per
sensor is not a solution, because SiteProtector (SP) supports up to 5 EC.

But I suppose that the problem is in the Security Fusion Module (SFM), because
before I installed SFM the number of events per second was approximately
the same, but the time shown in alerts was right. Now, with SFM, an alert always
has a time 30-90 min behind the current time!
Please, someone from ISS, tell me, am I right? Is the problem in SFM?

Thank you all.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP


From:     "Soda, Marcantonio" <Marcantonio.Soda@xxxxxxxxxxom>
Sent by:  issforum-admin@xxxxxxx
          28.01.2004 17:44
To:       "'Ayden Nash'" <Ayden@xxxxxxxxxxxxxxxx>, issforum@xxxxxxx
cc:
Subject:  RE: [ISSForum] False data and time for events




I had this issue when my Event Collector became overloaded because of too
many alerts per second (I believe the max is 500).  Look for EC warnings
that mention throttling.


If that's the issue you'll need to add another EC or lessen your alerts.


Hope this helps.


--
Marc Soda, CISSP
Information Security Engineer
NCO Group
215.441.2127
marc.soda@xxxxxxxxxxxx


-----Original Message-----
From: Ayden Nash [mailto:Ayden@xxxxxxxxxxxxxxxx]
Sent: Tuesday, January 27, 2004 7:49 PM
To: issforum@xxxxxxx
Subject: [ISSForum] False data and time for events





Hi all,


Alerts seen in SiteProtector all have wrong dates/times associated with
them, even though the operating systems they
run on have the correct time. It seems the run times of sensor updates
etc. are ~9 hours behind. Where are these false times
coming from?


Thanks,
Ayden


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx


TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo







