James,

Event volumes notwithstanding, you may have run into a bug/problem I've seen 
before. The Console default event view(s) filter out any events that are marked 
as 'cleared'. To see these events, use the Console filter editor and *add* the 
data column called 'cleared count'.

I don't have a beef with the default filters. The problem is some events 
*arriving* at the database as 'cleared'. In some cases, this happens because 
the event response DISPLAY is not enabled (the only reasonable translation from 
WGM to RSSP), but other times there is voodoo involved. I've raised this a 
couple of times with ISS and there's been no meaningful response beyond 'start 
with a new policy'. If Jean Paul is listening, the case IDs relevant to 
odd/incorrect tag handling are 852194, 1299134 and 1294848.

Cheers,
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohr James
Sent: 22 November 2004 07:26
To: [EMAIL PROTECTED]
Subject: AW: [ISSForum] Reducing the number of events

Hi Jean Paul!

I never said that anything was flooding the database. It's simply an issue of 
reducing the number of events to take some load off the machine. We did manage 
to reduce the number by disabling all audit events, but we are still getting 
about 10K events per day, although only about 100 are showing up, including the 
few exceptions we defined (which were mostly audit events). So, there are 100 
times as many events ending up in the event data table as are being displayed.

Before we disabled the audit events, the system was close to 100% CPU usage all 
of the time; now it is less than half the time. It's not that the system 
appears to be overloaded, but I am still curious as to why there are so 
many events and why so few are being displayed.

Regards,

Jim Mohr

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ballerini, Jean Paul 
> (ISS EMEA)
> Sent: Friday, 19 November 2004 12:57
> To: vanskee2 mamen; Mohr James; [EMAIL PROTECTED]
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> You are correct; this is not available for OS signatures. 
> Though, may I ask which OS signature is flooding your DB?
> 
> Jean Paul
> 
> -----Original Message-----
> From: vanskee2 mamen [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 19, 2004 2:42 AM
> To: Ballerini, Jean Paul (ISS EMEA); [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> Is this applicable to OS sensor signatures? I cannot find the advance 
> param in any OS signatures.
> 
> thanks
> 
> >From: "Ballerini, Jean Paul (ISS EMEA)" <[EMAIL PROTECTED]>
> >To: "Mohr James" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >Subject: RE: [ISSForum] Reducing the number of events
> >Date: Wed, 17 Nov 2004 09:08:18 +0100
> >
> >Yes,
> >
> >But it is a little long to explain.
> >Look at the advanced parameters of the events under event propagation.
> >That is where you can reduce the number of alerts (and data stored) per
> >event. You'll have to use LogFiltered instead of LogWithoutRaw.
> >
> >Jean Paul
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] On Behalf Of Mohr James
> >Sent: Tuesday, November 16, 2004 12:44 PM
> >To: [EMAIL PROTECTED]
> >Subject: [ISSForum] Reducing the number of events
> >
> >Hi All!
> >
> >My boss wants to significantly reduce the number of events that are sent
> >from a number of sensors. I know you can disable specific events, but is
> >there any way to say that you do not want any low priority events at all.
> >I know how to change the view in the console to not display low 
> >severity, but my boss does not want them to even get sent to the event
> >collector. Is there any way to do this?
> >
> >Regards,
> >
> >Jim Mohr
> >
> >_______________________________________________
> >ISSForum mailing list
> >[EMAIL PROTECTED]
> >
> >TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> >https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> >To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
> >
> >The ISSForum mailing list is hosted and managed by Internet Security 
> >Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
> >
> >
> >
> 
