Prelude Correlator upper event limit
When a correlated event such as Eventscan or Eventstorm contains large numbers of events, the Prewikka GUI times out and is unable to display the event details. On several test systems available to me, the threshold seemed to be around 5K events. This was discovered during a Nessus scan of monitored systems, where Nessus is scanning every port. Iptables is logging every blocked port, potentially generating many thousands of events during the window.
The ability to specify an upper limit in the Correlator rules for a given correlated event would be useful to prevent excessive messages in a single event.
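As an added illustration of the requested upper limit (this is not code from Prelude, prelude-correlator or the ticket author, and it does not use the real correlator rule API): a minimal correlation context in Python that keeps at most `max_alerts` source alerts embedded in a correlated event while still counting every event seen in the window. The class `BoundedContext`, the function `correlate` and the constructed firewall-drop sample input are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BoundedContext:
    """One correlation context (for example an Eventscan for one source).

    `threshold` is the number of events needed before a correlated alert is
    emitted; `max_alerts` is the hypothetical upper limit on how many source
    alerts are embedded in it. Events beyond the limit are only counted.
    """
    window: float            # seconds the context stays alive
    threshold: int
    max_alerts: int
    started_at: float = 0.0
    total: int = 0
    kept: list = field(default_factory=list)
    dropped: int = 0

    def expired(self, now: float) -> bool:
        return self.total > 0 and now - self.started_at > self.window

    def add(self, alert: dict, now: float) -> None:
        if self.total == 0:
            self.started_at = now
        self.total += 1
        if len(self.kept) < self.max_alerts:
            self.kept.append(alert)
        else:
            self.dropped += 1          # counted, but not embedded

    def flush(self) -> Optional[dict]:
        """Emit a correlated alert only if the threshold was reached."""
        if self.total < self.threshold:
            return None
        return {"total": self.total, "embedded": len(self.kept),
                "dropped": self.dropped, "alerts": self.kept}


def correlate(alerts, window, threshold, max_alerts):
    """Group alerts by source address into contexts; return emitted correlated alerts."""
    contexts = {}
    emitted = []
    for alert in alerts:
        now, src = alert["ts"], alert["src"]
        ctx = contexts.get(src)
        if ctx is not None and ctx.expired(now):
            out = ctx.flush()
            if out:
                emitted.append({"src": src, **out})
            ctx = None
        if ctx is None:
            ctx = contexts[src] = BoundedContext(window, threshold, max_alerts)
        ctx.add(alert, now)
    # close every context still open at end of input
    for src, ctx in contexts.items():
        out = ctx.flush()
        if out:
            emitted.append({"src": src, **out})
    return emitted


def make_scan(src, n_ports, start_ts=0.0, step=0.01):
    """Constructed sample input: one firewall-drop alert per scanned port."""
    return [{"ts": start_ts + i * step, "src": src, "dport": 1 + i,
             "msg": "iptables: DROP"} for i in range(n_ports)]


if __name__ == "__main__":
    # 7000 blocked ports from one scanner, capped at 5000 embedded alerts
    scan = make_scan("198.51.100.7", 7000)
    for ev in correlate(scan, window=600, threshold=50, max_alerts=5000):
        print(f"{ev['src']}: {ev['total']} events, "
              f"{ev['embedded']} embedded, {ev['dropped']} dropped")
```

The correlated event still reports the true total (7000) so the analyst loses no count information; only the number of embedded alerts, which is what the GUI has to render, is bounded.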
#1 Updated by Yoann VANDOORSELAERE over 12 years ago
It would be interesting to have some information concerning the slow query generating this timeout. Could you please enable query logging using the following configuration directive:
under the [idmef_database] Prewikka configuration section, and try to provide us with information concerning the slow query when the mentioned condition occurs?