Alert and packet log capacity when the Manager is unavailable
Last Modified: 1/19/2024
Technical Articles ID: KB59302
Environment
Trellix Intrusion Prevention System
Summary
When the Sensor and Manager fail to communicate, alert and packet log data are moved from the buffer to a file in flash memory locally on the Sensor.
The Sensor models have the following flash memory storage capacity:
When the flash capacity is filled up, the Sensor starts storing alerts in the in-memory buffer. If the buffer also fills up before connectivity is restored, the Sensor drops new alerts. If blocking is enabled, the Sensor continues to block attacks regardless of whether it can reach the Manager.
When the connection between the Sensor and Manager is re-established, the stored or queued alerts are forwarded to the Manager from flash first, followed by the Alert Buffer in memory. The buffer has a subbuffer for each alert type, and each alert is stored in the subbuffer that matches its alert type.
The following table shows the number of each alert type that can be stored in the buffer on the Sensor based on the Model type:
*The number of Signature-based Alerts for M-1250 and M-1450 is 25,000. The number of Signature-based Alerts for M-2750 is 50,000.

NOTE: These figures aren't absolute and are provided only as a general guideline. The actual number of alerts that can be stored in the buffer can differ based on the size of the alerts. If the average size of the alerts is larger than usual, the buffer is filled with a lesser number of alerts. Similarly, if the average size of the alerts being generated is smaller than usual, a greater number of alerts is stored.
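The store-and-forward behaviour described above (flash first, then per-type subbuffers, drops once both are full, flash flushed before the buffer on reconnect) can be modelled to estimate how long a Sensor can stay disconnected before it starts losing alerts. The following Python model is an added illustration, not Trellix code: the capacities, alert sizes and the alphabetical flush order across subbuffers are constructed assumptions, and the real per-model figures are the ones in the article's tables.

```python
"""Model of the Sensor's offline alert handling described in KB59302.

Added illustration, not Trellix code. All capacities, alert sizes and
alert-type names are constructed placeholders; the flush order across
subbuffers (alphabetical here) is an assumption, the article only states
that flash is forwarded before the in-memory buffer.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Alert:
    alert_type: str   # e.g. "signature", "dos" (placeholder type names)
    size_bytes: int


@dataclass
class SensorStore:
    """Flash fills first; when full, alerts go to a per-type subbuffer in
    memory; when that subbuffer is full, new alerts of that type are dropped.
    Blocking decisions are independent of all of this."""
    flash_capacity: int          # bytes, placeholder value
    subbuffer_capacity: dict     # alert_type -> bytes, placeholder values
    flash: deque = field(default_factory=deque)
    subbuffers: dict = field(default_factory=dict)
    flash_used: int = 0
    sub_used: dict = field(default_factory=dict)
    dropped: int = 0

    def store(self, alert: Alert) -> str:
        """Queue one alert; return where it went: flash, buffer or dropped."""
        if self.flash_used + alert.size_bytes <= self.flash_capacity:
            self.flash.append(alert)
            self.flash_used += alert.size_bytes
            return "flash"
        cap = self.subbuffer_capacity.get(alert.alert_type, 0)
        used = self.sub_used.get(alert.alert_type, 0)
        if used + alert.size_bytes <= cap:
            self.subbuffers.setdefault(alert.alert_type, deque()).append(alert)
            self.sub_used[alert.alert_type] = used + alert.size_bytes
            return "buffer"
        self.dropped += 1          # buffer for this type is full: alert lost
        return "dropped"

    def reconnect(self) -> list:
        """Forward queued alerts: flash contents first, then the subbuffers
        (alphabetical order by type is an assumption of this model)."""
        forwarded = list(self.flash)
        self.flash.clear()
        self.flash_used = 0
        for alert_type in sorted(self.subbuffers):
            forwarded.extend(self.subbuffers[alert_type])
        self.subbuffers.clear()
        self.sub_used.clear()
        return forwarded


def alerts_until_drop(flash_capacity: int, subbuffer_capacity: int,
                      avg_size: int) -> int:
    """Alerts of one type and one average size that fit before the first
    drop. Larger average alerts mean fewer stored, as the NOTE explains."""
    return flash_capacity // avg_size + subbuffer_capacity // avg_size


def outage_seconds_before_drop(alert_rate_per_sec: float, flash_capacity: int,
                               subbuffer_capacity: int, avg_size: int) -> float:
    """Rough outage budget: how long the Manager can be unreachable before
    alerts of this type start being dropped at a steady alert rate."""
    return alerts_until_drop(flash_capacity, subbuffer_capacity, avg_size) / alert_rate_per_sec


if __name__ == "__main__":
    # Constructed scenario: 1000-byte flash, two subbuffers, 100-byte alerts.
    s = SensorStore(flash_capacity=1000,
                    subbuffer_capacity={"signature": 300, "dos": 200})
    for _ in range(10):
        s.store(Alert("signature", 100))          # fills flash
    for _ in range(3):
        print(s.store(Alert("dos", 100)))          # buffer, buffer, dropped
    print(len(s.reconnect()), "alerts forwarded,", s.dropped, "dropped")
    print(outage_seconds_before_drop(5.0, 1000, 300, 100), "seconds of budget")
```

Plugging in the real flash and buffer figures for a given Sensor model, together with the average alert size observed on that Sensor, turns the last function into a practical estimate of how much Manager downtime the deployment can absorb without alert loss.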