Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2421
Views
0
Helpful
2
Replies

How to see EPS (events per second) at IPS from CLI

zheka_pefti
Level 2
Level 2

‎11-16-2009 11:17 AM - edited ‎03-10-2019 04:49 AM

Hi folks,

Is there anyway to see the number of EPS a particular IPS sensor generates while being connected to it via telnet?

What's the size of the events store? And how can SDEE pull old events from the store?

Labels:
0 Helpful
2 Replies 2

rhermes
Level 7
Level 7

‎11-16-2009 02:28 PM

You'll have to do a little math to come up with that number yourself:

"show stat analysis"

then take the output lines:

Number of seconds since service started = 10887

Number of SigEvents since reset = 37360

and devide the sigevent count by the number of seconds.

The event store is a fixed size (and I don't remember how big they made it in flash) but the events are variable in size. SDEE can be used to pull old events because the client (your SIM, MARS, etc) requests events from the server (your sensor) much like you do when querying the event store from the CLI.

"show event alerts past 23:39"

0 Helpful

zheka_pefti
Level 2
Level 2
In response to rhermes

‎11-16-2009 04:10 PM

Wow,

Never knew about such calculations. Thanks a lot!

Were these statistics from a busy IPS sensor? I don't seem to exceed 10 EPS and thought this is low. And I wouldn't think that calculating the size of every event is tricky?

Simply copying the details of every event into notepad gives me the size of every event about 1K.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card