HP ProCurve Series 3400cl Release Notes page 82

Enhancements
Release M.10.04 Enhancements
Alerts are automatically rate limited to prevent filling the log file with redundant information.
■
The following is an example of alerts that occur when the device is continually subject to
the same attack (too many MAC addresses in this instance):
W 01/01/90 00:05:00 inst-mon: Limit for MAC addr count (300) is exceeded (321)
W 01/01/90 00:10:00 inst-mon: Limit for MAC addr count (300) is exceeded (323)
W 01/01/90 00:15:00 inst-mon: Limit for MAC addr count (300) is exceeded (322)
W 01/01/90 00:20:00 inst-mon: Limit for MAC addr count (300) is exceeded (324)
W 01/01/90 00:20:00 inst-mon: Ceasing logs for MAC addr count for 15 minutes
Figure 17. Example of the rate limiting that occurs when multiple messages are generated
In the preceding example, if a condition is reported 4 times (persists for more than 15 minutes)
then alerts cease for 15 minutes. If after 15 minutes the condition still exists, the alerts cease for
30 minutes, then for 1 hour, 2 hours, 4 hours, 8 hours, and after that the persisting condition is
reported once a day. Note that ProCurve switches also have the ability to send event log entries
to a syslog server.
Known Limitati ons
As of release M.10.06, the instrumentation monitor runs once every five minutes. The current
implementation does not track information such as the port, MAC, and IP address from which an
attack is received.
72