Sentinel 7.3.0

I am wondering how and when EPS is calculated in Sentinel. I'm assuming
it's pre filtering? If I filter on the connector or collector, are those
events I filtered still counted towards the EPS for that connector?

My issue is we have a few busy firewalls that I am trying to filter some
events for on the event sources directly. Their EPS has dropped when I
look in the Event Sources view in the Web GUI but not when it comes to
the overall EPS under Licenses. When I do a 1 week search for all events
and work out the EPS it tallys with what I am seeing in the Event
Sources section on the Web GUI also but again the overall EPS is way off
what is being reported.

Does the filtering have to happen on the firewall itself? If so that
could be problematic as I can't turn off logging on the rules themselves
as other systems capture those logs also.



rochfordp's Profile: https://forums.netiq.com/member.php?userid=6749
View this thread: https://forums.netiq.com/showthread.php?t=53928