Every now and again we exceed our EPS and hence events are dropped. I am trying to determine the offending device(s) and events which are generating larger than normal events at these times. What would be the best way to do this?
Run a report that looks at the NIC message 508100. It should give you the number of messages for each device that you are receiving. It is probably a Firewall, Web Server, MSSQL, Web Proxy, Router, Domain Controller or something like that.
Use the Event Explorer EPS chart and create different queries (in terms of devices and messages) to track down the exact culprit device and the bulk of messages causing the issue.
There is no practical or easy way to do this. This is my organization's biggest issue with enVision. Event Explorer technically can make some EPS trends, but Event Explorer is a big hassle to get running and there's no way to create a per-device rule based on peak EPS. There's lsdata and the event viewer graph view, but both return inaccurate, incomplete results.

Here are the 3 applicable RFEs I submitted. Feel free to reference them with Technical Account Managers to try to get them made a higher priority.

- Events per second lsdata output table being able to be generated from within the enVision GUI and have peak EPS capability. 1) A tabular report that can be run on NIC_ALL to show when a pre-set EPS per device has been exceeded for set intervals. 2) Pre-set peak EPS per device/device group so that an alert can be based off of this. 3) Under Graph View - Event Types by Time, "Device" being added as a data type. 4) New error code similar to 508100 that will be based on per second and not per minute, should show peak EPS and correspond correctly with the peak EPS under System Performance.
- ESE-504 - Breaking down 508100 by device in a report by events per second.
- ESE-645 - There should be the ability to limit EPS per device/device group/subnet. If a firewall being collected from is DDoSed or has a misconfiguration issue causing 130% of total EPS to be maxed out, other devices even outside the subnet will not be able to be collected from.
- ESE-503
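The replies above boil down to one procedure: get the per-device message counts that 508100 reports for each minute, turn them into EPS, find the minutes where the total went over the licence, and see which device owned that spike (plus the "pre-set peak EPS per device" check the RFEs ask for). Below is an added example of that aggregation in Python; it is not code from the thread, from RSA or from enVision. The record layout it parses (one line per device per minute, `<date> <HH:MM> <device> 508100 count=<n>`) is an assumption standing in for whatever your 508100 report export actually looks like, and the sample lines are constructed, not real collector output. Adjust `LINE_RE` to your export and feed the file in place of `SAMPLE_RECORDS`.

```python
"""Rank devices by their share of events in the minutes where collection
exceeded the licensed EPS, working from per-device per-minute message counts.

Added example, not enVision or RSA code. The record layout is an assumption:
one line per device per minute carrying the count of messages received from
that device in that minute (the real 508100 report layout may differ; adapt
LINE_RE to the export you actually have).
"""
import re
from collections import defaultdict

# Constructed sample data, not real collector output. fw-edge-01 spikes at 10:01.
SAMPLE_RECORDS = """\
2015-03-02 10:00 fw-edge-01 508100 count=48000
2015-03-02 10:00 dc-01 508100 count=3000
2015-03-02 10:00 web-proxy-01 508100 count=12000
2015-03-02 10:01 fw-edge-01 508100 count=150000
2015-03-02 10:01 dc-01 508100 count=3100
2015-03-02 10:01 web-proxy-01 508100 count=11800
2015-03-02 10:02 fw-edge-01 508100 count=47000
2015-03-02 10:02 dc-01 508100 count=2900
2015-03-02 10:02 web-proxy-01 508100 count=12300
"""

# Assumed record layout; change this to match your own 508100 report export.
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<device>\S+) 508100 count=(?P<count>\d+)$"
)


def parse_records(text):
    """Return a list of (minute, device, count); lines that don't match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["minute"], m["device"], int(m["count"])))
    return out


def eps_by_device_minute(records):
    """device -> {minute: EPS averaged over that minute (count / 60)}."""
    eps = defaultdict(dict)
    for minute, device, count in records:
        eps[device][minute] = eps[device].get(minute, 0.0) + count / 60.0
    return eps


def total_eps_by_minute(eps):
    """minute -> EPS summed over every device that reported in that minute."""
    totals = defaultdict(float)
    for minutes in eps.values():
        for minute, value in minutes.items():
            totals[minute] += value
    return dict(totals)


def device_peaks(eps):
    """device -> (peak per-minute EPS, minute in which it occurred)."""
    return {d: max((v, m) for m, v in minutes.items()) for d, minutes in eps.items()}


def offenders(text, licensed_eps):
    """For each minute whose total EPS exceeded licensed_eps, list the devices
    ranked by EPS together with their share of that minute's total."""
    eps = eps_by_device_minute(parse_records(text))
    totals = total_eps_by_minute(eps)
    result = {}
    for minute, total in sorted(totals.items()):
        if total <= licensed_eps:
            continue
        ranked = sorted(
            ((d, minutes[minute]) for d, minutes in eps.items() if minute in minutes),
            key=lambda item: item[1],
            reverse=True,
        )
        result[minute] = [(d, v, v / total) for d, v in ranked]
    return result


def devices_over_limit(text, per_device_eps):
    """Devices whose peak per-minute EPS exceeded a preset per-device limit
    (the per-device threshold the thread's RFEs ask enVision for)."""
    peaks = device_peaks(eps_by_device_minute(parse_records(text)))
    return {d: p for d, p in peaks.items() if p[0] > per_device_eps}


if __name__ == "__main__":
    for minute, ranked in offenders(SAMPLE_RECORDS, licensed_eps=2000).items():
        print(f"{minute}: licence exceeded")
        for device, eps, share in ranked:
            print(f"  {device:15} {eps:8.1f} EPS  {share:6.1%}")
    print("over per-device limit:", devices_over_limit(SAMPLE_RECORDS, 1000))
```

Because 508100 is a per-minute count, everything here is a one-minute average; a device that bursts for ten seconds and is quiet for fifty will look six times smaller than its true peak, which is exactly the gap the "per second, not per minute" RFE above is about. Treat the ranking as a pointer to the device to investigate, not as its real peak EPS.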