When the Sensor and Manager fail to communicate, alert and packet log data are moved from the buffer to a file in flash memory locally on the Sensor.
You can use the show savedalertinfo command on the Sensor CLI to show the number of saved events and their size.
The flash memory capacity available on each Sensor model is as follows:

| Model Series | Memory for Alert logs | Memory for Packet logs |
|---|---|---|
| M Series | 16 MB | 16 MB |
| NS Series | 128 MB | 128 MB |
| VM Series | 128 MB | 128 MB |
When the flash memory is full, the Sensor starts storing alerts in the buffer. If the buffer also fills up before connectivity is restored, the Sensor drops new alerts. If blocking is enabled, the Sensor continues to block attacks regardless of whether it can reach the Manager.
When the connection between the Sensor and Manager is re-established, the stored or queued alerts are forwarded to the Manager from flash first, followed by the Alert Buffer in memory.
The buffer has a separate subbuffer for each alert type, and each alert is stored in the subbuffer for its type.
The following table shows the number of alerts of each type that can be stored in the buffer on the Sensor, by model type:

| Type of Alert | Number of Alerts (M Series) | Number of Alerts (NS Series) | Number of Alerts (VM Series) |
|---|---|---|---|
| Signature-based Alerts (with no Layer7 data) | 100,000* | 400,000 | 50,000 |
| Signature-based Alerts (with Layer7 data) | 50,000* | 200,000 | 25,000 |
| Throttled Alerts (with Source and Destination IP address) | 2,500 | 2,500 | 2,500 |
| Compressed Throttled Alerts (Alerts with no Source and Destination IP address information) | 2,500 | 2,500 | 2,500 |
| Statistical or Anomaly DoS | 2,500 | 2,500 | 2,500 |
| Threshold DoS Alerts | 2,500 | 2,500 | 2,500 |
| Host Sweep Alerts | 1,000 | 1,000 | 1,000 |
| Port Scan Alerts | 1,000 | 1,000 | 1,000 |
*The number of Signature-based Alerts for M-1250 and M-1450 is 25,000. The number of Signature-based Alerts for M-2750 is 50,000.
NOTE: These figures aren't absolute and are provided only as a general guideline. The actual number of alerts that can be stored in the buffer varies with the size of the alerts. If the average alert is larger than usual, the buffer fills with fewer alerts; if the average alert is smaller than usual, more alerts are stored.
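The store-and-forward behaviour described above (flash first, then the per-type subbuffers, drops once a subbuffer is full, and flash-before-buffer replay on reconnect) can be modelled to reason about how much of an outage a Sensor can absorb. The following is an added illustration, not code from the product or its documentation; the NS Series subbuffer limits come from the table above, while the flash capacity is expressed here as an assumed alert count (the page gives flash size only in MB), so the small numbers in the constructed scenario are illustrative.

```python
from collections import deque

# Per-type subbuffer capacities (alerts) for the NS Series, from the table above.
NS_SUBBUFFER_CAPACITY = {
    "signature": 400_000, "signature_l7": 200_000,
    "throttled": 2_500, "compressed_throttled": 2_500,
    "statistical_dos": 2_500, "threshold_dos": 2_500,
    "host_sweep": 1_000, "port_scan": 1_000,
}


class SensorAlertStore:
    """Models a Sensor's alert handling while the Manager is unreachable.

    flash_capacity is an ASSUMED count of alerts (a simplification; the page
    sizes flash in MB), used only so the overflow path can be demonstrated.
    """
    def __init__(self, subbuffer_capacity, flash_capacity):
        self.subbuffer_capacity = subbuffer_capacity
        self.flash_capacity = flash_capacity
        self.flash = deque()
        self.buffers = {t: deque() for t in subbuffer_capacity}
        self.dropped = 0

    def record(self, alert_type, alert):
        # Flash fills first; the subbuffer for this type is used only when flash is full.
        if len(self.flash) < self.flash_capacity:
            self.flash.append((alert_type, alert))
            return "flash"
        sub = self.buffers[alert_type]
        if len(sub) < self.subbuffer_capacity[alert_type]:
            sub.append((alert_type, alert))
            return "buffer"
        self.dropped += 1  # subbuffer full before reconnect: this alert is lost
        return "dropped"

    def reconnect(self):
        # On reconnect, flash contents are forwarded first, then the Alert Buffer.
        forwarded = list(self.flash)
        self.flash.clear()
        for sub in self.buffers.values():
            forwarded.extend(sub)
            sub.clear()
        return forwarded


def simulate_outage(flash_capacity=3, port_scan_capacity=2):
    """Constructed scenario with tiny capacities so the overflow and drop path is visible."""
    caps = dict(NS_SUBBUFFER_CAPACITY, port_scan=port_scan_capacity)
    store = SensorAlertStore(caps, flash_capacity)
    outcomes = [store.record("port_scan", f"scan-{i}") for i in range(6)]
    replay = [alert for _, alert in store.reconnect()]
    return outcomes, store.dropped, replay
```

Because each alert type has its own subbuffer, a burst of one low-capacity type (for example port scans, capped at 1,000) is dropped long before the signature-based subbuffer is anywhere near full.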