This is a different issue and I cannot answer you without further analysis.
The theory says that the sum of the event counts should be the total number of 
events, unless you have events set to LOGDB but no display.
To see if there is an anomaly you could also try to add the "cleared count" 
column. That will show you all the events that have the clear flag on.

Otherwise I am afraid you'll have to ask support.

HTH.

Jean Paul

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mohr James
Sent: Monday, November 22, 2004 8:26 AM
To: [EMAIL PROTECTED]
Subject: AW: [ISSForum] Reducing the number of events

Hi Jean Paul!

I never said that anything was flooding the database. It's simply an issue of 
reducing the number of events to take some load off the machine. We did manage 
to reduce the number by disabling all audit events, but we are still getting 
about 10K events per day, although only about 100 are showing up including the 
few exceptions we defined (which were mostly audit events). So, there are 100 
times as many events ending up in the event data table as are being displayed.

Before we disabled the audit events, the system was close to 100% CPU usage all 
of the time, now it is so less than half the time. It's not that the system 
does not appear to be overloaded, but I am still curious as to why there are so 
many events and why so few are being displayed.

Regards,

Jim Mohr

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ballerini, 
> Jean Paul (ISS EMEA)
> Sent: Friday, November 19, 2004 12:57
> To: vanskee2 mamen; Mohr James; [EMAIL PROTECTED]
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> You are correct; this is not available for OS signatures. 
> Though, may I ask which OS signature is flooding your DB?
> 
> Jean Paul
> 
> -----Original Message-----
> From: vanskee2 mamen [mailto:[EMAIL PROTECTED] 
> Sent: Friday, November 19, 2004 2:42 AM
> To: Ballerini, Jean Paul (ISS EMEA); [EMAIL PROTECTED]; 
> [EMAIL PROTECTED]
> Subject: RE: [ISSForum] Reducing the number of events
> 
> 
> Is this applicable to OS sensor signatures? I cannot find the 
> advance param in any OS signatures.
> 
> thanks
> 
> >From: "Ballerini, Jean Paul (ISS EMEA)" <[EMAIL PROTECTED]>
> >To: "Mohr James" <[EMAIL PROTECTED]>,
> >"[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> >Subject: RE: [ISSForum] Reducing the number of events
> >Date: Wed, 17 Nov 2004 09:08:18 +0100
> >
> >Yes,
> >
> >But it is a little long to explain.
> >Look at the advanced parameters of the events under event propagation. 
> >That is where you can reduce the number of alerts (and data stored) per 
> >event. You'll have to use LogFiltered instead of LogWithoutRaw.
> >
> >Jean Paul
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] On Behalf Of Mohr James
> >Sent: Tuesday, November 16, 2004 12:44 PM
> >To: [EMAIL PROTECTED]
> >Subject: [ISSForum] Reducing the number of events
> >
> >Hi All!
> >
> >My boss wants to significantly reduce the number of events that are sent
> >from a number of sensors. I know you can disable specific events, but is
> >there any way to say that you do not want any low priority events at all.
> >I know how to change the view in the console to not display low 
> >severity, but my boss does not want them to even get sent to the event
> >collector. Is there any way to do this?
> >
> >Regards,
> >
> >Jim Mohr
> >
> >_______________________________________________
> >ISSForum mailing list
> >[EMAIL PROTECTED]
> >
> >TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
> >https://atla-mm1.iss.net/mailman/listinfo/issforum
> >
> >To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
> >
> >The ISSForum mailing list is hosted and managed by Internet Security 
> >Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.