AlienVault® USM Appliance™

Processing Limits in USM Appliance

Version: 5.x
Deployment: All deployments

This topic describes the various limits on processing capabilities by AlienVault USM Appliance.

HIDS

The limit of AlienVault HIDS Agents connected to an HIDS Server at the same time is 2046 (hard-compiled). Freely available binaries for Windows and other systems from www.ossec.net are compiled with the default limit of 256. AlienVault USM Appliance customers are not affected by the 256 limitation.

Active NetFlow Window

By default, the USM Appliance saves netflow metadata for 45 days. You can adjust it in the USM Appliance web interface from Configuration > Administration > Main > Backup > Active NetFlow Window.

Log Rotation

By default, AlienVault USM Appliance rotates logs daily (using standard UNIX mechanisms such as cron and logrotate) and keeps them for 5 days. HIDS logs are kept for 7 days. The default syslog file (/var/log/syslog) is kept for 7 days, while /var/log/messages is rotated weekly and kept for 4 weeks.

Active Logger Window

By default, the USM Appliance Logger does not expire raw logs. You can adjust this in the USM Appliance web interface by setting Configuration > Administration > Main > Backup > Logger Expiration to yes and Active Logger Window to a positive integer, which specifies the number of days to keep logs.

Custom Plugin ID Range

The range that can be used for the plugin ID when creating custom plugins is 9000 to 10000.

Limit of Active Plugins

This limit is set at 100. Exceeding this limit will result in unexpected behavior and reduced performance.

Each plugin enabled in the asset view in the USM Appliance web interface is saved in /etc/ossim/agent/config.yml, as opposed to /etc/ossim/agent/config.cfg, which holds information about globally enabled plugins. Every plugin enabled per asset counts towards the total active plugin count, up to the maximum of 100. Enabling a plugin globally also counts towards the total. But if multiple assets send logs through syslog and those logs are normalized by a globally enabled plugin, that plugin still counts only once towards the total active plugin count.
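The following script is an added example (not AlienVault's own code) that applies the counting rule above to the two files named in this topic. It assumes a simplified layout for both: an INI-style [plugins] section in config.cfg with one name=path line per globally enabled plugin, and in config.yml one key per asset IP followed by a list of plugin names. The sample file contents are constructed for the example, and the appliance's real config.yml may carry more fields per entry.

```python
"""Check the active plugin count against the USM Appliance limit of 100.

Added example, not AlienVault code. Counting rule (from the topic text):
  - each plugin enabled per asset in config.yml counts once per asset
  - each globally enabled plugin in config.cfg counts once, no matter how
    many assets send it logs over syslog
"""
import configparser
from typing import Dict, List

PLUGIN_LIMIT = 100  # limit stated in the topic

# Constructed sample of /etc/ossim/agent/config.cfg (global plugins).
# Only the [plugins] section is read; other sections are ignored.
SAMPLE_CONFIG_CFG = """\
[plugin-defaults]
sensor=192.168.1.5

[plugins]
ssh=/etc/ossim/agent/plugins/ssh.cfg
sudo=/etc/ossim/agent/plugins/sudo.cfg
cisco-asa=/etc/ossim/agent/plugins/cisco-asa.cfg
"""

# Constructed sample of /etc/ossim/agent/config.yml (per-asset plugins).
# Assumed layout: "<asset ip>:" then an indented "- <plugin name>" list.
SAMPLE_CONFIG_YML = """\
192.168.1.10:
  - apache
  - mysql
192.168.1.11:
  - apache
192.168.1.12:
  - cisco-asa
"""


def parse_global_plugins(text: str) -> List[str]:
    """Return the plugin names listed in the [plugins] section of config.cfg."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("plugins"):
        return []
    return list(cp["plugins"].keys())


def parse_asset_plugins(text: str) -> Dict[str, List[str]]:
    """Minimal parser for the assumed two-level config.yml layout above."""
    assets: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")) and line.endswith(":"):
            current = line[:-1].strip()          # new asset block
            assets[current] = []
        elif line.lstrip().startswith("- ") and current is not None:
            assets[current].append(line.lstrip()[2:].strip())
        else:
            raise ValueError(f"unexpected config.yml line: {raw!r}")
    return assets


def count_active_plugins(global_plugins: List[str],
                         asset_plugins: Dict[str, List[str]]) -> int:
    """Global plugins count once each; per-asset plugins count once per asset."""
    per_asset = sum(len(names) for names in asset_plugins.values())
    return len(global_plugins) + per_asset


def plugin_budget(cfg_text: str, yml_text: str) -> Dict[str, object]:
    """Summarise usage against PLUGIN_LIMIT for the two config files."""
    global_plugins = parse_global_plugins(cfg_text)
    asset_plugins = parse_asset_plugins(yml_text)
    total = count_active_plugins(global_plugins, asset_plugins)
    return {
        "global": len(global_plugins),
        "per_asset": sum(len(v) for v in asset_plugins.values()),
        "total": total,
        "remaining": PLUGIN_LIMIT - total,
        "over_limit": total > PLUGIN_LIMIT,
    }


if __name__ == "__main__":
    report = plugin_budget(SAMPLE_CONFIG_CFG, SAMPLE_CONFIG_YML)
    for key, value in report.items():
        print(f"{key:>10}: {value}")
```

On the sample files this reports 3 global and 4 per-asset plugins, 7 in total, leaving 93 before the limit is reached. To run it against a real appliance, read the two files from /etc/ossim/agent/ instead of the constructed strings, and adjust parse_asset_plugins if the installed config.yml uses a richer structure.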

AlienVault USM Appliance Logger vs. Log Collection Server

A log collection server is a syslog-compatible server that collects all syslog messages forwarded to it, regardless of their contents. The AlienVault USM Appliance Logger only saves security events generated by ossim-agent, including those syslog messages that match rules defined in the plugins. All other syslog messages (those that do not match any plugin rule) are ignored by the Logger, but they are still written to disk by the syslog server and remain subject to log rotation.

Default Event Storage Limit

By default, AlienVault USM Appliance saves 40 million security events in the SIEM database. Events are purged from the SIEM database after 90 days or once there are more than 40 million events, whichever comes first. You can adjust the limits in the USM Appliance web interface from Configuration > Administration > Main > Backup > Events to keep in the Database.