How to improve ASP performance by filtering out logs that don't match any rules
Last Modified: 2022-11-15 09:04:43 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
How to improve ASP performance by filtering out logs that don't match any rules
Technical Articles ID:
KB87331
Last Modified: 2022-11-15 09:04:43 Etc/GMT Environment
SIEM Enterprise Security Manager 11.x SIEM Event Receiver (Receiver) 11.x Problem
In the following conditions, the SIEM ASP parser might experience degraded performance due to the mismatching of logs:
Cause
Mismatched logs in a high event-per-second environment with many other rules enabled can cause large numbers of matching attempts in the ASP process. This high number of matches causes a degradation in performance.
SolutionPrevent the ASP process from parsing the logs that don't match by creating a filter.
The following example describes the steps to make a filter for the log:
After you configure this filter, any logs that contain the string -302023 won't be parsed, significantly improving the performance of the ASP process.
Affected ProductsLanguages:This article is available in the following languages: |
|