Kim Apers said that the EC can handle a continuous stream of 70 events/second. I
think that is very, very small. Imagine I have one RS Gigabit
Network sensor that can operate with 800 Mbits of traffic; that is about
800 000 000 / (1500*8) =~ 66667 packets/second minimum. Imagine that we are
attacked and potentially every packet can trigger an event (also, every
packet can trigger a number of events), so we have 66 667 events/second =>
we need 66 667 / 70 = 952 ECs to handle such an amount of events.
Am I wrong?
My questions are still the same:
1. How many events can one EC handle (70 events per second does not seem
correct)?
2. How can I increase EC performance? Or is "increasing DB performance"
the only option?
Thank you.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
"Banton, Charles (ISS Atlanta)" <[EMAIL PROTECTED]>
31.01.2004 00:46
To: "Sergey V Soldatov" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
cc:
Subject: RE: [ISSForum] EC throttling event rate
With a few exceptions, throttling of events occurs when the Database is
unable to keep up with the EC. So generally the best way to improve the EC
performance is to improve the DB performance. However, with recent advances
in the SP Database, there are some cases where a single EC can become bogged
down and the Database is fine. In this case, we have not seen a Database be
able to outperform two ECs; therefore, adding a second EC is all that should
be needed for performance's sake.
SP is limited to 5 ECs; however, since the EC is not a limiting factor, the
need for more than two ECs is usually for reasons other than performance.
Support can assist in determining what is the cause of the throttling of
events.
I hope this helps.
-Charles
-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: Thursday, January 29, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] EC throttling event rate
Good day.
I have a constant problem with the EC - a great number of events such as:
Message (EventCollector_RSSPSQL) - Started throttling event rate (due
to large backlog of events waiting to be stored in the database). If this
happens often, this may be an indication that your Event Collector is
overloaded. [ID=0xc734004c]
Message (EventCollector_RSSPSQL) - Stopped throttling event rate.
[ID=0xc734004d]
As I understand it, this is because of a very high stream of events. But the
machine with the EC installed does not seem overloaded, so I'm interested in:
1. How can I increase EC performance?
2. How can I manage the EC queue?
3. How many events per second can the EC process?
4. Is it right that SP can support only up to 5 ECs?
... and others relevant to this problem.
Thank you all!
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
tel/fax +7 095 745 89 50 (2663)
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
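
Added example, not part of the original thread and not ISS code: one way to measure how often and for how long an Event Collector throttles, by pairing the two message IDs quoted in the thread (0xc734004c start, 0xc734004d stop). The timestamp prefix on each line, the function names and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime

START_ID = "0xc734004c"  # "Started throttling event rate" (ID from the thread)
STOP_ID = "0xc734004d"   # "Stopped throttling event rate" (ID from the thread)

# Assumed export format: "<ISO timestamp> <message text> [ID=0x...]".
# The thread shows only message text and ID; the timestamp prefix is an assumption.
LINE_RE = re.compile(r"^(\S+)\s+.*\[ID=(0x[0-9a-fA-F]+)\]\s*$")

# Constructed sample lines (message text shortened), not real console output.
SAMPLE = """\
2004-01-29T10:00:00 Message (EventCollector_RSSPSQL) - Started throttling event rate. [ID=0xc734004c]
2004-01-29T10:02:30 Message (EventCollector_RSSPSQL) - Stopped throttling event rate. [ID=0xc734004d]
2004-01-29T10:05:00 Message (EventCollector_RSSPSQL) - Stopped throttling event rate. [ID=0xc734004d]
2004-01-29T10:10:00 Message (EventCollector_RSSPSQL) - Started throttling event rate. [ID=0xc734004c]
2004-01-29T10:11:00 Some unrelated console message [ID=0x00000001]
2004-01-29T10:20:00 Message (EventCollector_RSSPSQL) - Started throttling event rate. [ID=0xc734004c]
"""

def throttle_episodes(lines):
    """Pair start/stop messages; return (episodes, open_since, orphan_stops)."""
    episodes, open_since, orphan_stops = [], None, 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, msg_id = datetime.fromisoformat(m.group(1)), m.group(2).lower()
        if msg_id == START_ID:
            if open_since is None:      # repeated start: keep the earliest
                open_since = ts
        elif msg_id == STOP_ID:
            if open_since is None:      # stop whose start is outside the log
                orphan_stops += 1
            else:
                episodes.append((open_since, ts, (ts - open_since).total_seconds()))
                open_since = None
    return episodes, open_since, orphan_stops

def throttled_fraction(episodes, window_start, window_end):
    """Share of the observation window spent throttling (closed episodes only)."""
    total = (window_end - window_start).total_seconds()
    return sum(sec for _, _, sec in episodes) / total if total > 0 else 0.0

if __name__ == "__main__":
    eps, still_open, orphans = throttle_episodes(SAMPLE.splitlines())
    for start, stop, sec in eps:
        print(f"{start} -> {stop}: {sec:.0f}s")
    print("still throttling since:", still_open, "| unmatched stops:", orphans)
```

A rising throttled fraction over successive windows is the kind of evidence that helps when working out whether the database or the EC is the bottleneck.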