The event store on the IPS-4240 is 30M and is stored in DRAM. This is enough storage for approximately 15000 events, which is 15 minutes at the maximum rating of 1000 events per second. (A typical IPS, configured properly, will alarm at sustained rates of less than 1 event per second.) When the sensor is shut down cleanly, the event store persists to flash memory. When power is suddenly removed, the event store is lost.

There are a number of advantages to the DRAM-based event store, primarily the substantial increase in hardware reliability resulting from eliminating the failure-prone disk drive. Performance is improved because access times to the event store are dramatically reduced.

The primary disadvantage is that the IPS should now be used on a uninterruptible power supply. This is what one might expect; however, since as an inline device, it is now a critical component in the flow of packets across a network.

The collection of events on a host with large amounts of redundant storage is also a requirement in a large deployment. Cisco's VPN/Security Management System will provide this capability in a future release; however, a number of early adopters have successfully implemented event collectors using open source tools and following publicly released specifications (RDEP and SDEE).