event monitoring archival

Unanswered Question
Dec 20th, 2007

I don't understand how my IPS 4240 handles the storage of events. Right now my oldest event is only several hours old. I can understand the circular logging, but it's hard to believe there's only enough room for a few hours, especially when there appears to be free disk space as noted below, unless I'm looking at the wrong partition.

Disk usage

system is using 17.8M out of 29.0M bytes of available disk space (61% usage)

application-data is using 38.9M out of 166.8M bytes of available disk space (25% usage)

boot is using 37.9M out of 68.6M bytes of available disk space (58% usage)

attmidsteam Thu, 12/20/2007 - 12:36

You are not alone; we've complained about this as well but haven't received a satisfactory answer. On a busy sensor, the eventstore can rotate quite quickly, so you are best to get all the data you can off as soon as you can. Turning on verbose alerting will fill it faster, since the eventstore is limited to 30000000 bytes as of 5.1(7).

