Sergey,

Throttling can be caused by many things; it occurs when the queue file (buffer) cannot absorb the difference between incoming event volumes [Ei] and outgoing event volumes [Eo]. Usually, this means:

1. The database (or the EC) is unavailable.
2. The database (EC) is too slow to keep up.
3. Bandwidth to the database (EC) is not sufficient.

While errors may only show up from the EC, throttling and event overload occur on both an EC and a sensor. Any recommendation about X sensors per Y ECs is always going to remain a recommendation and is neither a hard upper limit nor a guarantee of minimum performance. Ultimately it's all about event volumes, not how many sensors you have. Those events will have to travel across a link, be handled by the EC, and finally committed to the EC. Only then is the sensor allowed to clear them from its queue/buffer. Peaks or shorter outages are OK because the sensor or EC queue/buffer events.

Investigate your environment to pinpoint the bottleneck in your case. For example, if using one EC per sensor (massive overkill) doesn't solve anything, your problem may lie in database performance or bandwidth. But if you are seeing very high peaks like MSPRP_popup, which currently runs rampant, you probably want to implement event-limiting strategies such as Flood Protection or Event Consolidation instead of upgrading to the latest & greatest hardware. This translates into a system that ignores/blocks/consolidates events over a certain limit - that would otherwise overload the system - instead of a system that randomly shuts down or loses information when the overload occurs. Personally, I'd choose predictable loss of information rather than random loss.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergey V Soldatov
Sent: 23 January 2004 11:03
To: [EMAIL PROTECTED]
Subject: [ISSForum] EventCollector is overloaded

Hi, All!

I find a great number of events such as:

(EventCollector_RSSPSQL) - Started throttling event rate (due to large backlog of events waiting to be stored in the database). If this happens often, this may be an indication that your Event Collector is overloaded. [ID=0xc734004c].

and

(EventCollector_RSSPSQL) - Stopped throttling event rate. [ID=0xc734004d].

But I don't think that it is true, because I have only 5 network sensors, 4 server sensors, 1 internet scanner and fusion module. The ISS documentation notes that 1 EC can support up to 100 sensors! What is the problem? I installed an additional EC and assigned it to some sensors, but it didn't make me happy.

---
Best regards,
Sergey V. Soldatov
Department of information security, TNK-BP.

_______________________________________________
ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
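
Added example, not part of the original messages and not ISS code: a small simulation of the bounded queue between incoming events [Ei] and committed events [Eo] described in the reply, comparing buffer overflow with a per-signature event limit. The limit semantics (`flood_limit` per signature per interval), the rates, the queue size and the `rare_signature` name are assumptions made for illustration.

```python
from collections import Counter, deque

def simulate(ticks, eo_per_tick, queue_cap, flood_limit=None):
    """Run a bounded FIFO buffer between incoming events (Ei) and commits (Eo).

    ticks: list of per-interval event-name lists; eo_per_tick: events the
    database commits per interval; flood_limit: hypothetical cap on events
    admitted per signature per interval (None disables it).
    """
    queue = deque()
    stored, overflow, suppressed = Counter(), Counter(), Counter()
    peak = 0
    for incoming in ticks:
        seen = Counter()
        for name in incoming:
            seen[name] += 1
            if flood_limit is not None and seen[name] > flood_limit:
                suppressed[name] += 1   # predictable loss: only the noisy signature
            elif len(queue) >= queue_cap:
                overflow[name] += 1     # arbitrary loss: whatever arrives while full
            else:
                queue.append(name)
        peak = max(peak, len(queue))
        for _ in range(min(eo_per_tick, len(queue))):
            stored[queue.popleft()] += 1  # committed, so it may leave the buffer
    return {"stored": stored, "overflow": overflow, "suppressed": suppressed,
            "peak": peak, "backlog": len(queue)}

# Constructed input: 10 intervals, each a burst of 200 MSPRP_popup events
# followed by one event of a rare signature (placeholder name).
TICKS = [["MSPRP_popup"] * 200 + ["rare_signature"] for _ in range(10)]

def demo():
    baseline = simulate(TICKS, eo_per_tick=50, queue_cap=300)
    protected = simulate(TICKS, eo_per_tick=50, queue_cap=300, flood_limit=20)
    return baseline, protected

if __name__ == "__main__":
    for label, result in zip(("no limit", "flood limit 20"), demo()):
        print(label, {k: dict(v) if isinstance(v, Counter) else v
                      for k, v in result.items()})
```

With this constructed input the unlimited run fills the buffer and loses nine of the ten rare events to overflow, while the limited run discards only MSPRP_popup events and stores all ten.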
