IPS event store

Hi Netpros


I have upgraded an IPS to version 6.2(1)E3. I am now having issues with being able to retrieve events from my unit via RDEP; the problem is with the amount of data I am getting. I know after 5.0 the eventStore was fixed to about 30MB, but I am not getting anywhere near that. Does anybody know of any issues with this release?


Regards MJ

attmidsteam Thu, 11/20/2008 - 10:05

Have you been watching the log to see how often it rotates? A default Cisco signature set is extremely noisy and on a busy sensor I've seen the eventstore rotate every 60-90 seconds. At those rates, RDEP/SDEE can only retrieve 500 or 1000 events per pull and it may not be fast enough.
