I've noticed one tangled fact on the IDM Monitoring > Events dashboard. It doesn't show the alerts which I notice on the main page (Home / Network Security Health, sensor circle). In the past 5 minutes the sensor shows, for example, 10 red alerts, but when I switch to the Events dashboard there is nothing in that table.....
Several days ago I saw some periodic alerts about the 4003 signature (nmap UDP sweep). It was happening during the week, and I think the quantity of real-time alerts on the sensor health circle and in the events table was the same.
The only thing I'm noticing now is the 3041 signature and sometimes errorMessage: - the event store wrapped around [IdsEventStore::writeEvent(), index = 19531] name=errWarning
I've read some notes about this error, but I don't understand what I should change to view real-time alerts and the 4003 signature (when IDM worked correctly, it was the main attack). Practically all configuration is at default values. The IPS works in promiscuous mode.
Thanks for any help and advice.
For signatures firing a lot, you can use the IPS CLI command "show stats virtual-sensor":
"show statistics virtual-sensor | be SigEvent count"
Regarding the message "errorMessage: - the event store wrapped around "
Events are stored in a circular buffer. Once the buffer is full, we simply overwrite the oldest event. If you are seeing multiple such messages, it means that the number of events is really high. You might want to set Alert Frequency > Summary Mode for the signatures which are firing a lot.
Refer to the following link to configure Summary Mode:
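To make the circular-buffer explanation above concrete, here is an added Python model (example code, not Cisco IPS code and not from either poster) of a fixed-size event store that overwrites its oldest entry when full, plus a simple per-signature summarizer modelled on what Alert Frequency > Summary Mode does. The input is a constructed 5-minute UDP sweep firing signature 4003 ten times a second, with an occasional 3041 alert mixed in; the capacity, rate and 30-second summary window are assumptions chosen for illustration. It shows why the "event store wrapped around" warning repeats under a flood of one signature, and how summarizing that signature keeps the store from wrapping at all.

```python
"""Added example: circular event store + summary-mode model (not Cisco IPS code)."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    time: float      # seconds since start of the constructed capture
    sig_id: int      # signature id (4003 = nmap UDP sweep, 3041 in this thread)
    src: str         # attacker address, or "summary" for a folded-up event
    count: int = 1   # number of real alerts this event represents


class CircularEventStore:
    """Fixed-size ring buffer: when full, the oldest event is overwritten.
    Each overwrite records a wrap-around warning, modelled on the
    'the event store wrapped around [...writeEvent(), index = N]' message."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.buf = deque(maxlen=capacity)
        self.index = 0          # running write index, like the index in the warning
        self.warnings = []

    def write_event(self, ev):
        if len(self.buf) == self.capacity:
            # the oldest event is about to be dropped to make room
            self.warnings.append(
                f"the event store wrapped around [writeEvent(), index = {self.index}]")
        self.buf.append(ev)
        self.index += 1


def summarize(events, interval):
    """Summary-mode model (assumption: approximates Alert Frequency > Summary Mode):
    per signature, the first alert in each `interval`-second window is reported as-is;
    every further alert in that window is folded into one summary event carrying the count."""
    buckets = {}   # (sig_id, window index) -> [first event, extra alert count]
    for ev in events:
        key = (ev.sig_id, int(ev.time // interval))
        if key not in buckets:
            buckets[key] = [ev, 0]
        else:
            buckets[key][1] += 1
    out = []
    for (sig_id, window), (first, extra) in buckets.items():
        out.append(first)
        if extra:
            out.append(Event((window + 1) * interval, sig_id, "summary", extra))
    out.sort(key=lambda e: e.time)
    return out


def build_sweep(rate=10, seconds=300):
    """Constructed input: signature 4003 fires `rate` times a second from one scanner
    for `seconds` seconds, and signature 3041 fires once a minute from another host."""
    events = []
    for s in range(seconds):
        events.extend(Event(s + i / rate, 4003, "10.0.0.5") for i in range(rate))
        if s % 60 == 0:
            events.append(Event(s + 0.5, 3041, "10.0.0.9"))
    events.sort(key=lambda e: e.time)
    return events


def run(capacity=500, summary_interval=None):
    """Feed the sweep into a store of `capacity` events, optionally after summarizing,
    and report how many events were written, how often the store wrapped, and what survived."""
    events = build_sweep()
    if summary_interval:
        events = summarize(events, summary_interval)
    store = CircularEventStore(capacity)
    for ev in events:
        store.write_event(ev)
    return {
        "written": len(events),
        "wraps": len(store.warnings),
        "retained": len(store.buf),
        "alerts_represented": sum(e.count for e in store.buf),
    }


if __name__ == "__main__":
    print("raw alerts:      ", run())
    print("summary mode 30s:", run(summary_interval=30))
```

With raw alerts, 3005 writes into a 500-slot store produce 2505 wrap-around warnings and only the last 500 alerts survive, so an earlier burst is gone by the time you open the events table. With 30-second summaries the same sweep becomes 25 events (one alert plus one summary per window for 4003, and the five lone 3041 alerts), the store never wraps, and the summary counts still account for every one of the 3005 original alerts.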