Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

IPS Maximum Events Stored?

I would like to know if there is an official Cisco document telling what is the maximum number of events that can be stored, registered or viewed on any IPS either CLI, IDM or IME?

I am working on a requirement that says: "it should have the capacity to register up to 20 000 000 events for each device"

Is there something that could help me tell that the IPS is able to do that?

Everyone's tags (4)

IPS Maximum Events Stored?

You aren;t going to get a clear answer from Cisco on this one.

The event buffer is held in a circular buffer, so the oldest events are overwritten first.

The problem in determining the number of events the buffer can hold is that there is no standard size for signature events. You also have user level control as to how much data is stored in each event (verbose mode).

The Cisco sensors are not really designed to store events, they were made to hold events until an event aggregator can collect them. In my experience even the busiest sensors could still hold a few days worth of events before overwriting.

- Bob

IPS Maximum Events Stored?

Thanks Bob. I am already working with Cisco on getting an answer but there is no documentation about it. They suggest using IME to collect the events but still I need to have an official document telling me how many events IME can store.


IPS Maximum Events Stored?

The limits of IME would be related to the database size that IME uses to store events.

If you needed more storage you could move to one of many other (non-free) SDEE collectors.

- Bob

CreatePlease to create content