Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Documentation Search

    Configuring Log Suppression (NSM Procedure)

    You configure log suppression if you want to reduce the number of logs displayed in the NSM log viewer. If you enable log suppression, NSM displays a single record for multiple occurrences of similar events, along with a count of all such occurrences. Logs that match all elements of a tuple but trigger different IDP rulebase rules are treated as non-similar events.

    Note: When examining log records where log suppression has been applied (logs for which counts are given), you might encounter difficulty analyzing any packet captures contained therein. This is because the packets might have different destination addresses, or even though tuples are matching, different patterns might match to a single custom signature.

    To enable and configure log suppression:

    1. In the NSM Device Manager, double-click the IDP Series device to display the configuration editor.
    2. Click Sensor Settings.
    3. Click Parameters.
    4. Complete the settings related to log suppression described in Table 1.

      Table 1: IDP Series Device Configuration: Log Suppression Settings



      Enable log suppression

      Log suppression is enabled by default. Use this setting to turn log suppression off and on.

      Include destination IPs when performing log suppression

      When log suppression is enabled, multiple occurrences of events with the same source IP, service, and matching attack object generate a single log record with a count of occurrences. If you enable this option, log suppression combines log records for events with the same destination IP.

      Number of log occurrences after which log suppression begins

      This number represents the number of identical log records received before suppression starts. The default is 1 (meaning log suppression begins with the first redundancy).

      Maximum number of logs that log suppression can operate on

      When log suppression is enabled, the IDP Series device must cache log records so that it can identify when multiple occurrences of the same event occur. This number represents the number of log records cached for this purpose. The default is 16,384 log records.

      Time (seconds) after which suppressed logs will be reported

      When log suppression is enabled, the IDP Series device maintains a count of multiple occurrences of the same event. This number represents the number of seconds that pass before IDP reports a single log entry containing the count of occurrences. The default is 10 seconds.

    Published: 2011-02-08