Stopping Syslog Flooding from Impacting Other Syslog Devices
I have an RFE ESE-503 submitted for this already, but there doesn't seem to be any update on it. I was wondering what the community did to prevent one syslog device from taking up 130% of the EPS if it has a misconfiguration issue or a DDoS is launched against it. The issue is that logs from other syslog devices will not be collected.
I don't know of any way to stop this from happening, except the possibility of creating an alert or report that tells you that you are getting flooded from one device; then you need to go and have that device either reconfigured or shut down. Even if enVision could be made to ignore the device(s) from the EPS count, the device is still spewing syslog messages to the collector, and that still takes bandwidth and resources. So, the best thing to do is to know which devices are the "heavy hitters" and either stop sending messages or tune down the messages sent by changing the syslog configuration so that you don't collect *.debug.
Paul
How would one create an EPS baseline rule (or equivalent) per device?
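One way to build the per-device EPS baseline check asked about above, and the "heavy hitter" report Paul describes, as an added example that is not from this thread or from RSA enVision. It is plain Python over constructed RFC 3164-style syslog lines; the hostnames, the sample traffic, and the `ratio`, `share` and `min_baseline_eps` thresholds are all assumptions chosen for illustration.

```python
"""Per-device EPS baseline check over constructed syslog lines.

Added example (not from the forum thread or from RSA enVision): counts
events per source host per one-second bucket, derives each host's own
baseline from the other seconds observed, and flags a host whose rate
jumps far above that baseline or that dominates the collector's total
load in the second under test. Also counts debug-severity lines per
host, since dropping *.debug is the usual first tuning step.
"""
import re
from collections import defaultdict
from datetime import datetime

# RFC 3164-style line: "<PRI>Mon DD HH:MM:SS host tag: message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year=2012):
    """Return (timestamp, host, severity) or None for an unparsable line.

    RFC 3164 timestamps carry no year, so one is assumed (constructed data).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    severity = int(m.group("pri")) & 7  # low 3 bits of PRI; 7 == debug
    return ts, m.group("host"), severity


def eps_per_host(lines, year=2012):
    """Map host -> {second: event_count} for every parsable line."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, _ = parsed
        buckets[host][ts] += 1
    return buckets


def debug_count_per_host(lines, year=2012):
    """Map host -> number of severity-7 (*.debug) lines it sent."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is not None and parsed[2] == 7:
            counts[parsed[1]] += 1
    return counts


def flag_heavy_hitters(buckets, window, min_baseline_eps=5.0,
                       ratio=5.0, share=0.5):
    """Return {host: (eps, baseline, share_of_total)} for flooding hosts.

    A host is flagged in `window` when its rate is at least `ratio` times
    its own baseline (mean EPS over every other observed second, zeros
    included, floored at `min_baseline_eps` so a quiet device is not
    flagged by a couple of extra lines) OR it produced more than `share`
    of everything the collector saw in that second.
    """
    all_secs = {sec for per_host in buckets.values() for sec in per_host}
    baseline_secs = sorted(s for s in all_secs if s != window)
    total_in_window = sum(h.get(window, 0) for h in buckets.values())
    flagged = {}
    for host, per_host in buckets.items():
        eps = per_host.get(window, 0)
        mean = (sum(per_host.get(s, 0) for s in baseline_secs) / len(baseline_secs)
                if baseline_secs else 0.0)
        baseline = max(mean, min_baseline_eps)
        host_share = eps / total_in_window if total_in_window else 0.0
        if eps >= ratio * baseline or host_share > share:
            flagged[host] = (eps, baseline, host_share)
    return flagged


def build_sample_lines():
    """Constructed traffic: three devices at 2 EPS for four seconds, then
    fw01 sprays 60 debug lines in the fifth second while the others stay at 2."""
    lines = []
    for sec in range(4):
        for host in ("fw01", "sw01", "app01"):
            for i in range(2):
                lines.append(f"<14>Jan 15 10:00:0{sec} {host} cron[{100 + i}]: job ok")
    for i in range(60):  # PRI 15 = user.debug
        lines.append(f"<15>Jan 15 10:00:04 fw01 kernel: debug conn {i}")
    for host in ("sw01", "app01"):
        for i in range(2):
            lines.append(f"<14>Jan 15 10:00:04 {host} cron[{100 + i}]: job ok")
    return lines


def check_sample():
    """Run the check on the constructed data for the flood second."""
    buckets = eps_per_host(build_sample_lines())
    return flag_heavy_hitters(buckets, datetime(2012, 1, 15, 10, 0, 4))


if __name__ == "__main__":
    for host, (eps, base, shr) in check_sample().items():
        print(f"{host}: {eps} EPS vs baseline {base:.1f}, {shr:.0%} of collector load")
    print("debug lines per host:", dict(debug_count_per_host(build_sample_lines())))
```

In a real deployment the per-device counts would come from the collector's own statistics rather than from re-parsing raw lines, and the baseline would be built over a longer history than a few seconds; the two conditions (jump relative to the device's own baseline, and share of total collector load) are what separate a chatty-but-harmless device from the one that is starving the others.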
Let me take a look at it. I used to run a daily report and then would use that, but let me see if I can come up with an alert for you.
Paul
Could you guys share more configuration details about this alert which is capturing syslog flooding, please?
