saw somewhere (whitepaper iirc) that RME DB might have limit of 1M entries in the syslog DB. is this measured hard limit, sybase OEM license limit, theoretical or ?
reason - audit requirement to have 1yr syslog online. day 367 (leap years) just throw it out, nobody cares anymore.
have est. 200 events per hr flowing into $many RSAC, then split amongst RME (main) for non-security devices, and RME (csm) for fw/etc.
that's 875k records in each main/csm RME syslog DB.
if my est. is off by more than 12% variant, it blows the 1M DB limit.
any reason to worry?
before you say just add another slave RME server, I'm stuck with two. adding e.g. 10TB more disk is "easy"; but adding another RME server is hard ($$$ + OSI layers 8 & 9...)