IPS Alerting to multiple locations

Answered Question

Will adding multiple alerting destinations have a dramatic CPU impact over a single destination when under significant alerting load?

Correct Answer
rhermes Fri, 08/27/2010 - 11:15

If your sensor is not overloaded today, it's doubtful that adding an additional SDEE feed will push it over the edge. But if you're already showing a missed packet percentage in your logs, then adding another event feed won't do your sensor any favors.

- Bob

Scott Fringer Mon, 08/30/2010 - 04:00

In addition to Bob's points, please be aware that Cisco's IPS sensors have a limit of five (5) open SDEE subscriptions; this equates to five (5) "alerting destinations". If you configure more than five (5) you may encounter subscription contention and inconsistent events being logged at each destination.

Scott
