Rule: 11 fired (level 8) -> "Excessive number of events (above normal)."
I get this too often. Where can I tune this rule?
I see that the error message is hard coded in analysisd and in
internal_options.conf:
# Analysisd default rule timeframe.
analysisd.default_timeframe=360
# Analysisd stats maximum diff.
analysisd.stats_maxdiff=2000
# Analysisd stats minimum diff.
analysisd.stats_mindiff=60
# Analysisd stats percentage (how much to differ from average)
analysisd.stats_percent_diff=20
# Analysisd FTS list size.
analysisd.fts_list_size=32
# Analysisd FTS minimum string size.
analysisd.fts_min_size_for_str=14
But I'm not really clear on which one to change, if any?
Thanks,
Ken A
Pacific.Net
