• Support
  • Forums
  • Blogs

Searching for an "useful working window"


New Life Form
My enviroment has an USM standar server and four sensors, all together
generating, sustainedly, about 200 events every second. So, my "working
window", to assess all alarms and reviewing for interesting events, is
narrowed to about 2,3 days [40000000 events/(200 events/s *60*60*24)],
before all stored events being flushed to logger.
What can I do, to enlarge that "working window" to about 7 days, without
spend more money in another server or sensor?. Where to tune my
enviroment?. Plugins?, Policies?, Correlation directives?.

Thanks, in advance, for your answer.

Share post:

Best Answer

  • Answer ✓

    Your best answer is to review the event best practices document, and then work toward tuning your configuration to discard unwanted alarms/events/logs to optimize the system.This will provide the best bang for the buck, so to speak, with regard to system rotation and storage. I have provided links to both sections of the documentation below.

    I should note, however, that I see a misunderstanding in the description above that warrants clarification. when events are correlated, they are not moved to the SIEM DB and then rotated to Raw Logs, but are written to both at the same time. This is an important distinction, as the system can be configured to send to one or the other and not both (as you choose) to optimize storage. 

    You could, for example, correlate login success events but not store in the DB in order to save DB storage on a high volume system where you are tracking lockout or login failure only.

Sign In or Register to comment.