Setting Incident Unique Ip Limit; Setting Event Correlation 'Name' Weight - Symantec 10521146 - Network Security 7120 Administration Manual

Administration guide
Setting Incident Unique IP Limit

Setting Event Correlation 'Name' Weight

2. In Select Node, choose the node from the pull-down list, and click OK.
3. In the left pane, click Maximum Active Incident Life.
4. In the lower right pane, enter a value in hours.
5. Click Apply.
6. In Apply Changes To, select the node to which to apply the parameter.
7. Click OK to save the changes to this node and close.

Incident Unique IP Limit determines how many unique IP addresses can appear
in an incident.
The default value is 0, which indicates no limit. Increase the value to provide
more focus and prevent diffusion in each incident.
You can specify a limit to the number of IP addresses that can appear in any one
incident. This prevents a large number of events from being correlated into the
same incident when each is only just similar enough to be included, which would
expand the incident into a vague definition. This parameter gives you a way to
maintain a tight and focused incident definition.
To configure this parameter
1. Click Configuration > Node > Network Security Parameters.
2. In Select Node, choose the node from the pull-down list, and click OK.
3. In the left pane, click Incident Unique IP Limit.
4. In the lower right pane, enter a value.
5. Click Apply.
6. In Apply Changes To, select the node to which to apply the parameter.
7. Click OK to save the changes to this node and close.

Event Correlation 'Name' Weight determines the weight of the event name as a
factor in event correlation.
The default value is set to 4 for optimum performance in a typical enterprise
deployment. Valid values range from 0 to 10, inclusive. A value of 0 means the
event name will be completely ignored during correlation. A value of 10 means
that a matching name alone is sufficient to correlate events.
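
The effect of Incident Unique IP Limit and Event Correlation 'Name' Weight can be seen in a toy correlator. This is an added example, not the product's correlation algorithm or code from the manual: the score threshold of 10, the fixed per-address weight, the function names, and all event data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

THRESHOLD = 10  # assumed: score needed to correlate (so a name weight of 10 suffices alone)
IP_WEIGHT = 6   # assumed: contribution of each event address already seen in the incident

@dataclass
class Incident:
    names: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    events: list = field(default_factory=list)

    def add(self, ev):
        self.names.add(ev["name"])
        self.ips.update((ev["src"], ev["dst"]))
        self.events.append(ev)

def score(inc, ev, name_weight):
    # Name match contributes name_weight; each shared address contributes IP_WEIGHT.
    shared = len({ev["src"], ev["dst"]} & inc.ips)
    return name_weight * (ev["name"] in inc.names) + IP_WEIGHT * shared

def correlate(events, name_weight=4, unique_ip_limit=0):
    # Defaults mirror the manual: name weight 4, unique IP limit 0 (no limit).
    if not 0 <= name_weight <= 10:
        raise ValueError("name weight must be between 0 and 10, inclusive")
    incidents = []
    for ev in events:
        target = None
        for inc in incidents:
            grown = inc.ips | {ev["src"], ev["dst"]}
            fits = unique_ip_limit == 0 or len(grown) <= unique_ip_limit
            if fits and score(inc, ev, name_weight) >= THRESHOLD:
                target = inc
                break
        if target is None:  # nothing similar enough, or the limit was reached
            target = Incident()
            incidents.append(target)
        target.add(ev)
    return incidents

# Constructed sample: one source touching nine destinations under one event name.
SWEEP = [{"name": "Port Sweep", "src": "10.0.0.5", "dst": f"192.0.2.{i}"} for i in range(1, 10)]
# Constructed sample: unrelated hosts that happen to raise the same event name.
NOISE = [{"name": "Port Sweep", "src": "198.51.100.7", "dst": "203.0.113.9"}]

if __name__ == "__main__":
    for limit in (0, 4):
        print(limit, [len(i.ips) for i in correlate(SWEEP, 4, limit)])
```

With no limit the sweep collapses into one incident holding ten addresses; with a limit of 4 it splits into three incidents of four addresses each. Raising the name weight to 10 pulls the unrelated `NOISE` event into the sweep incident on name alone.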