My EC was always throttling alerts; the addition of another one didn't help!
And I have not found how to solve that problem! Installing one EC per
sensor is not a solution, because SiteProtector (SP) supports up to 5 ECs.
But I suppose that the problem is in the Security Fusion Module (SFM), because
before I installed SFM the number of events per second was approximately
the same, but the time shown in alerts was right. Now, with SFM, an alert always
has a time 30-90 min behind the current time!
Please, someone from ISS, tell me, am I right? Is the problem in SFM?
Thank you all.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP
"Soda, Marcantonio" <[EMAIL PROTECTED]>
To: "'Ayden Nash'" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
cc:
Sent by: [EMAIL PROTECTED]
Subject: RE: [ISSForum] False data and time for events
28.01.2004 17:44
I had this issue when my Event Collector became overloaded because of too
many alerts per second (I believe the max is 500). Look for EC warnings
that mention throttling.
If that's the issue you'll need to add another EC or lessen your alerts.
Hope this helps.
--
Marc Soda, CISSP
Information Security Engineer
NCO Group
215.441.2127
[EMAIL PROTECTED]
-----Original Message-----
From: Ayden Nash [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 27, 2004 7:49 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] False data and time for events
Hi all,
Alerts seen in SiteProtector all have wrong dates/times associated with
them, even though the operating systems they run on have the correct time.
It seems the run times of sensor updates etc. are ~9 hours behind. Where are
these false times coming from?
Thanks,
Ayden
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo