I'm attempting to log RNA flows with the eStreamer app, but it looks like the eStreamer client cannot keep up with the amount of data sent. Would it be possible to thread the app or set up multiple collections, with one going after IPS events, one after RNA events?
Alternatively, it looks like I will have to turn down the amount of logging I do to only include security intel feeds (and maybe a few other access policy rules). I like the idea of being able to go back and search any connection that has gone through the IPS.
Thank you!
Brandon,
Yeah I knew with flow collection that the sheer volume would be a problem, part of the reason the Settings screen warns about latency. Also part of the reason I didn't support it initially. In any case, I'll certainly be looking at ways to improve performance moving forward and threading is likely one of those ways. Thanks for the feedback.
Colin
Brandon,
The just-released 2.1 version now pushes connection log collection into a separate process to improve collection and processing times and to reduce the possibility of introducing latency into intrusion and other events. I strongly suggest you give the new version a shot -- and please feel free to reach out with any feedback you may have.
Thank you!
Colin
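The design change described in the 2.1 post, as an added illustration that is not the eStreamer app's own code: a dispatcher classifies each incoming record and hands it to a per-class queue drained by its own worker, so a burst of connection (RNA flow) records no longer sits in front of intrusion events. The record layout, the two class names and the use of threads rather than a separate OS process are assumptions made for the demo; `head_of_line_backlog` contrasts the shared-queue and split-queue cases on a constructed feed.

```python
"""Per-class collection queues: keep flow-record volume from delaying intrusion events.

Illustrative code only (not the eStreamer app). Record shapes, class names and the
sample feed are constructed for the demo.
"""
import queue
import threading
from collections import Counter


def sample_feed():
    """Constructed feed: 1000 flow records, one intrusion event, 1000 more flows."""
    feed = [{"type": "connection", "id": i} for i in range(1, 1001)]
    feed.append({"type": "intrusion", "id": 1001, "sid": 1000001})  # sid is made up
    feed += [{"type": "connection", "id": i} for i in range(1002, 2002)]
    return feed


def head_of_line_backlog(feed, split):
    """For each intrusion event, return how many records were queued ahead of it.

    split=False models one collector queue shared by every class (pre-2.1 behaviour);
    split=True models one queue per class (the separate-collector design).
    """
    ahead = Counter()
    backlog = []
    for rec in feed:
        key = rec["type"] if split else "all"
        if rec["type"] == "intrusion":
            backlog.append(ahead[key])
        ahead[key] += 1
    return backlog


def run_split_collectors(feed):
    """Dispatch the feed into per-class queues, each drained by its own worker.

    Returns {class: records consumed}, showing nothing is dropped and that each
    class is consumed independently of the other class's volume.
    """
    classes = ("connection", "intrusion")
    queues = {c: queue.Queue() for c in classes}
    counts = {c: 0 for c in classes}
    stop = object()  # sentinel telling a worker its queue is finished

    def worker(cls):
        q = queues[cls]
        while True:
            rec = q.get()
            if rec is stop:
                break
            counts[cls] += 1  # stand-in for writing the record to the index

    threads = [threading.Thread(target=worker, args=(c,)) for c in classes]
    for t in threads:
        t.start()
    for rec in feed:  # the dispatcher: classify and enqueue
        queues[rec["type"]].put(rec)
    for c in classes:
        queues[c].put(stop)
    for t in threads:
        t.join()
    return counts


if __name__ == "__main__":
    feed = sample_feed()
    print("shared queue, records ahead of intrusion:", head_of_line_backlog(feed, split=False))
    print("split queues, records ahead of intrusion:", head_of_line_backlog(feed, split=True))
    print("consumed per class:", run_split_collectors(feed))
```

The backlog numbers are the point: with one shared queue the single intrusion event waits behind every flow record received before it, while with per-class queues it is first in line regardless of flow volume. A real collector would replace the counter in `worker` with the indexer write and would bound the connection queue so a sustained flood degrades only that class.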
Thanks! It's a huge step forward having the ability to collect these logs; it just means I have to reduce what is logged at the Defense Center level. Not a huge deal.
Being able to get Security intel blocks and any other access policy blocks is a real big improvement.
Thanks for the work you guys put in on this!