IPS event store

mj11
Level 3

Hi Netpros

I have upgraded an IPS to version 6.2(1)E3, and I am now having issues with being able to retrieve events from my unit via RDEP. The problem is with the amount of data I am getting: I know after 5.0 the eventStore was fixed to about 30MB, but I am not getting anywhere near that. Does anybody know of any issues with this release?

Regards MJ


attmidsteam
Level 1

Have you been watching the log to see how often it rotates? A default Cisco signature set is extremely noisy and on a busy sensor I've seen the eventstore rotate every 60-90 seconds. At those rates, RDEP/SDEE can only retrieve 500 or 1000 events per pull and it may not be fast enough.
