Configuring Log Suppression - Juniper NETWORK AND SECURITY MANAGER 2010.3 - CONFIGURING INTRUSION DETECTION AND PREVENTION GUIDE REV1 Manual
TIP: For information on deleting custom reports, organizing report folders, exporting reports, and using the NSM guiSvrCli.sh command line utility and Linux cron utility to automate reporting jobs, see the NSM online Help.

Related Topics
NSM Logs and Reports Overview on page 127
Intrusion Detection and Prevention Reporter Overview on page 139

Configuring Log Suppression

You can configure log suppression if you want to reduce the number of logs displayed in the NSM log viewer. If you enable log suppression, NSM displays a single record for multiple occurrences of similar events, along with a count of all such occurrences.

To enable and configure log suppression:

1. In the NSM Device Manager, double-click the IDP device to display the configuration editor.
2. Click Sensor Settings.
3. Click Load-Time Parameters.
4. Complete the settings related to log suppression using Table 65 on page 137.

Table 65: IDP Configuration: Log Suppression Settings

Setting: Enable log suppression
Description: Log suppression is enabled by default. Use this setting to turn log suppression off and on. When log suppression is enabled, multiple occurrences of events with the same source IP, service, and matching attack object generate a single log record with a count of occurrences.

Setting: Include destination IPs when performing log suppression
Description: If you enable this option, log suppression also requires events to share the same destination IP before it combines their log records.

Setting: Number of log occurrences after which log suppression begins
Description: This number represents the number of identical log records received before suppression starts. The default is 1 (meaning log suppression begins with the first redundancy).

Setting: Maximum number of logs that log suppression can operate on
Description: When log suppression is enabled, IDP must cache log records so that it can identify when multiple occurrences of the same event occur. This number represents the number of log records in the IDP Management Server that IDP tracks for log suppression. The default is 16384 log records.

Setting: Time (seconds) after which suppressed logs will be reported
Description: When log suppression is enabled, the IDP device maintains a count of multiple occurrences of the same event. This number represents the number of seconds that pass before IDP reports a single log entry containing the count of occurrences. The default is 10 seconds.

Setting: Maximum number of logs that can be stored
Description: Determines the limit for logs stored on the IDP device. The default is 50,000. The minimum value is 1,000. The maximum is 65,535.

Chapter 12: Working with NSM Logs and Reports
Copyright © 2010, Juniper Networks, Inc.
137
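The grouping and reporting-interval behaviour described in Table 65, as an added simulation that is not Juniper's code: it models one assumed way the settings interact (events grouped by source IP, service and attack object, optionally destination IP; one record with a count reported once the interval elapses; a full suppression cache leaving new keys unsuppressed) over a constructed burst of events, so you can see how many log viewer records a burst produces under each setting. The occurrence threshold and the stored-log limit are not modelled, and the attack object name and addresses are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float       # seconds since start of capture (constructed values)
    src_ip: str
    dst_ip: str
    service: str
    attack: str     # name of the matching attack object (placeholder)

def suppress(events, include_dst=False, interval=10.0, cache_max=16384):
    """Collapse events into (key, first_ts, count) records.
    Assumed model (not Juniper's algorithm): the first event for a key
    opens a window; same-key events within `interval` seconds only
    raise its count; the window is reported when the interval elapses
    or input ends. A full cache reports a new key unsuppressed."""
    windows, records = {}, []

    def flush(now=None):   # report windows whose interval has elapsed
        for k in [k for k, w in windows.items() if now is None or now - w[0] >= interval]:
            first_ts, count = windows.pop(k)
            records.append((k, first_ts, count))

    for ev in sorted(events, key=lambda e: e.ts):
        flush(ev.ts)
        key = (ev.src_ip, ev.service, ev.attack) + ((ev.dst_ip,) if include_dst else ())
        if key in windows:
            windows[key][1] += 1
        elif len(windows) >= cache_max:
            records.append((key, ev.ts, 1))   # cache full: cannot be tracked
        else:
            windows[key] = [ev.ts, 1]
    flush()
    return records

# Constructed sample: one source hits two destinations with the same attack
# object, a second source appears, then the first source returns after 12 s.
SAMPLE = [
    Event(0.0, "10.0.0.5", "192.0.2.10", "HTTP", "EXAMPLE:ATTACK-A"),
    Event(1.0, "10.0.0.5", "192.0.2.10", "HTTP", "EXAMPLE:ATTACK-A"),
    Event(2.0, "10.0.0.5", "192.0.2.11", "HTTP", "EXAMPLE:ATTACK-A"),
    Event(3.0, "10.0.0.9", "192.0.2.10", "HTTP", "EXAMPLE:ATTACK-A"),
    Event(12.0, "10.0.0.5", "192.0.2.10", "HTTP", "EXAMPLE:ATTACK-A"),
]

if __name__ == "__main__":
    for include_dst in (False, True):
        print(f"include_dst={include_dst}:")
        for key, first_ts, count in suppress(SAMPLE, include_dst=include_dst):
            print(f"  t={first_ts:>5.1f}s count={count} {key}")
```

With destination IPs ignored the five events collapse to three viewer records (counts 3, 1, 1); including destination IPs yields four, and in every mode the counts still sum to the original event total, which is the property to check when tuning these settings for detection.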