We monitor 15 IPS sensors with CiscoWorks VMS Security Monitor and even though we have tuned some signatures and created some filters a lot of alerts are still produced and populate the database. We currently have around 12 days of retention.
What factors into the number of days worth of events I can view and report on in CiscoWorks Security Monitor Event Viewer:
The number of events received? In other words the more events that are filtered the more days worth of events I can view and report on?
The size of the table in Security Monitor > Admin > Data Management > Database > Pruning Configuration which by default is set at 2,000,000 and if I'm warned of performance degradation if I increase the size?