For an initial install I have configured it to log all attacker/victim pair packets for investigating events in detail; this is not meant to be on all the time. It will be turned off to see if this reduces the amount of storage space that is being consumed so we can monitor events for a longer period of time, but I have a question on this.
Does the Event Store Wrap (in show stat event-store output) indicate the logging wrapping I am seeing?
If so, is there a way to monitor the memory availability for the store itself so I can see what effect different settings have on available logging memory?
IPS# show statistics event-store
Event store statistics
The number of times the event store circular buffer has wrapped = 16
The eventStore size starting at version 5.0(1) is a fixed 30 Meg. It's a circular eventStore that is intended to wrap (new events overwriting oldest events). The usual sensor deployment includes some sort of remote event monitor application that pulls events from the sensor. The eventStore acts as a buffer to allow the remote monitoring app to keep up with busy sensors. If your eventStore wraps every few hours then the monitoring app should be able to keep up with all the events being generated. The concern would be if the eventStore continuously wrapped in less than 10 or 15 minutes. At that point you may be losing events and would need to tune the sensor signature config to only alarm on meaningful events.
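As an added example that is not part of this thread: one way to turn the advice above into a check is to sample "show statistics event-store" periodically, parse the wrap counter line shown in the question, and compute minutes per wrap between samples; the 15 minute threshold, the sample timestamps and the output text below are constructed for illustration, and how you collect the samples from the sensor is up to you.

```python
# Added example (not Cisco's code): estimate how fast the fixed-size circular
# event store is wrapping from successive "show statistics event-store" samples.
import re
from datetime import datetime, timedelta

# Matches the counter line exactly as printed by the sensor in the question.
WRAP_RE = re.compile(r"circular buffer has wrapped\s*=\s*(\d+)")

# Assumed threshold: the reply puts the worry at wraps under 10-15 minutes,
# because the remote monitor may then be unable to pull events before they
# are overwritten.
WARN_INTERVAL = timedelta(minutes=15)

def parse_wrap_count(output: str) -> int:
    """Extract the wrap counter from show statistics event-store output."""
    m = WRAP_RE.search(output)
    if m is None:
        raise ValueError("wrap counter not found in event-store output")
    return int(m.group(1))

def wrap_rate(samples):
    """samples: list of (datetime, output_text) in chronological order.
    Returns one (minutes_per_wrap, flagged) tuple per consecutive pair;
    minutes_per_wrap is None when no wrap happened in that interval.
    A pair whose counter went backwards (sensor reset) is skipped."""
    results = []
    for (t0, out0), (t1, out1) in zip(samples, samples[1:]):
        wraps = parse_wrap_count(out1) - parse_wrap_count(out0)
        if wraps < 0:
            continue
        if wraps == 0:
            results.append((None, False))
            continue
        per_wrap = (t1 - t0) / wraps
        results.append((per_wrap.total_seconds() / 60, per_wrap < WARN_INTERVAL))
    return results

# Constructed samples: 16 -> 17 over 6 h (fine), then 17 -> 21 in 30 min (bad).
LINE = "The number of times the event store circular buffer has wrapped = %d\n"
SAMPLES = [
    (datetime(2024, 1, 1, 8, 0), "Event store statistics\n" + LINE % 16),
    (datetime(2024, 1, 1, 14, 0), "Event store statistics\n" + LINE % 17),
    (datetime(2024, 1, 1, 14, 30), "Event store statistics\n" + LINE % 21),
]

if __name__ == "__main__":
    for minutes, flagged in wrap_rate(SAMPLES):
        print("minutes per wrap:", minutes, "- tune signatures" if flagged else "- ok")
```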