
RE: [ISSForum] Reducing the number of events



This is a different issue and I cannot answer you without further analysis.
The theory says that the sum of the event counts should be the total number of events, unless you have events set to LOGDB but no display.
To see if there is an anomaly you could also try to add the "cleared count" column. That will show you all the events that have the clear flag on.

Otherwise I am afraid you'll have to ask support.

HTH.

Jean Paul

-----Original Message-----
From: issforum-bounces@xxxxxxxxxxxxxxxx On Behalf Of Mohr James
Sent: Monday, November 22, 2004 8:26 AM
To: issforum@xxxxxxxxxxxxxxxx
Subject: AW: [ISSForum] Reducing the number of events

Hi Jean Paul!

I never said that anything was flooding the database. It's simply an issue of reducing the number of events to take some load off the machine. We did manage to reduce the number by disabling all audit events, but we are still getting about 10K events per day, although only about 100 are showing up, including the few exceptions we defined (which were mostly audit events). So, there are 100 times as many events ending up in the event data table as are being displayed.

Before we disabled the audit events, the system was close to 100% CPU usage all of the time; now it is so for less than half the time. It's not that the system does not appear to be overloaded, but I am still curious as to why there are so many events and why so few are being displayed.

Regards,

Jim Mohr

> -----Original Message-----
> From: issforum-bounces@xxxxxxx
> [mailto:issforum-bounces@xxxxxxx] On Behalf Of Ballerini,
> Jean Paul (ISS EMEA)
> Sent: Friday, 19 November 2004 12:57
> To: vanskee2 mamen; Mohr James; issforum@xxxxxxxxxxxxxxxx
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> You are correct; this is not available for OS signatures. 
> Though, may I ask which OS signature is flooding your DB?
> 
> Jean Paul
> 
> -----Original Message-----
> From: vanskee2 mamen [mailto:vanskee2@xxxxxxxxxxx] 
> Sent: Friday, November 19, 2004 2:42 AM
> To: Ballerini, Jean Paul (ISS EMEA); james.mohr@xxxxxxxxx; 
> issforum@xxxxxxxxxxxxxxxx
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> Is this applicable to OS sensor signatures? I cannot find the
> advanced param in any OS signatures.
> 
> thanks
> 
> >From: "Ballerini, Jean Paul (ISS EMEA)" <JPBallerini@xxxxxxx>
> >To: "Mohr James" <james.mohr@xxxxxxxxx>,
> "issforum@xxxxxxxxxxxxxxxx" 
> ><issforum@xxxxxxx>
> >Subject: RE: [ISSForum] Reducing the number of events
> >Date: Wed, 17 Nov 2004 09:08:18 +0100
> >
> >Yes,
> >
> >But it is a little long to explain.
> >Look at the advanced parameters of the events under event propagation.
> >That is where you can reduce the number of alerts (and data stored)
> >per event. You'll have to use LogFiltered instead of LogWithoutRaw.
> >
> >Jean Paul
> >
> >-----Original Message-----
> >From: issforum-bounces@xxxxxxxxxxxxxxxx On Behalf Of Mohr James
> >Sent: Tuesday, November 16, 2004 12:44 PM
> >To: issforum@xxxxxxxxxxxxxxxx
> >Subject: [ISSForum] Reducing the number of events
> >
> >Hi All!
> >
> >My boss wants to significantly reduce the number of events that are
> >sent from a number of sensors. I know you can disable specific events,
> >but is there any way to say that you do not want any low priority
> >events at all? I know how to change the view in the console to not
> >display low severity, but my boss does not want them to even get sent
> >to the event collector. Is there any way to do this?
> >
> >Regards,
> >
> >Jim Mohr
> >
> >_______________________________________________
> >ISSForum mailing list
> >ISSForum@xxxxxxx
> >
> >TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> >https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> >To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
> >
> >The ISSForum mailing list is hosted and managed by Internet Security 
> >Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
