
Funny problem: too many events

Question asked by Roman Zeltser on May 18, 2017
Latest reply on May 19, 2017 by Roman Zeltser

Most of us are trying to add more event sources to get a better picture of what is going on on the wire. I have the opposite problem: I have too many events coming from the Windows and Cisco parsers. This problem is causing the Alarm (see attachment 1). In fact, based on some research and browsing through the system, the volume of data is about 6-8 times bigger than the allowed volume!


Just to show you the source of the problem (Cisco parser) that delivers plenty of meaningless data, see the attachment 2.

Similar stream of meaningless data comes from Windows devices.

The question is how to decrease the volume of useless data on the NetWitness side without editing the parsers (as that may be very intrusive)? What do you do if you need to filter some of the data down to analyze only the meaningful events?
