Event storage limited by capacity
The amount of event data stored is often limited by the available RDBMS storage capacity and load
rules. When event storage reaches a pre-defined threshold, the oldest events are purged until event
storage falls below the threshold. This strategy guarantees control over the amount of data stored and
load rate achieved. But it sacrifices a predictable time range for available event data. A spike in
activity would effectively reduce the time range of event data available for analysis.
Example: To catch low-and-slow attacks, the storage policy is changed from a one-week to a
three-month retention period. The RDBMS capacity is increased by 1,200 percent by purchasing
additional disk capacity. But, the event data load rate declines to the point where load rate
cannot keep pace with the event data creation rate. Moreover, the increased capacity does not
hold three months of event data because of an unanticipated non-linear increase in space
required for indices. As a result, the expected time span of collected data is not achieved, and
low-and-slow attacks can still remain undetected.
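The behaviour described above can be made concrete with a small simulation. This is an added example, not code from the original paper: a capacity-capped store that purges oldest-first, fed a constructed event stream with a baseline rate and a short spike. The capacity, rates and event size are assumed values chosen so that the store holds about an hour of baseline traffic; the point it shows is that the queryable time range is a function of recent load, not a fixed retention window.

```python
"""Simulate a capacity-capped event store with oldest-first purging.

Added example with constructed input. Events are (timestamp_seconds, size_bytes)
pairs. Ingest appends the event, then purges from the oldest end until total
stored bytes are back under the capacity threshold. The available time range
(newest timestamp minus oldest timestamp) is what an analyst can actually query.
"""
from collections import deque


class CappedEventStore:
    def __init__(self, capacity_bytes):
        self.capacity_bytes = capacity_bytes
        self.events = deque()      # oldest event at the left end
        self.used_bytes = 0

    def ingest(self, ts, size_bytes):
        """Store one event; purge oldest events while over capacity. Returns purge count."""
        self.events.append((ts, size_bytes))
        self.used_bytes += size_bytes
        purged = 0
        while self.used_bytes > self.capacity_bytes and self.events:
            _, old_size = self.events.popleft()
            self.used_bytes -= old_size
            purged += 1
        return purged

    def available_range_seconds(self):
        """Time span covered by the events still online."""
        if not self.events:
            return 0
        return self.events[-1][0] - self.events[0][0]


def simulate(capacity_bytes, baseline_eps, spike_eps, spike_start, spike_end,
             duration, event_size=500):
    """Feed events second by second at baseline_eps, switching to spike_eps during
    [spike_start, spike_end). Returns (range just before the spike, range at the end)."""
    store = CappedEventStore(capacity_bytes)
    range_before = 0
    for t in range(duration):
        eps = spike_eps if spike_start <= t < spike_end else baseline_eps
        for _ in range(eps):
            store.ingest(t, event_size)
        if t == spike_start - 1:
            range_before = store.available_range_seconds()
    return range_before, store.available_range_seconds()


def capacity_for_window(window_seconds, peak_eps, event_size=500):
    """Sizing the other way round: capacity needed to guarantee a time window at peak load."""
    return window_seconds * peak_eps * event_size


if __name__ == "__main__":
    # Assumed values: 18 MB holds one hour of 10 events/s at 500 bytes each.
    before, after = simulate(18_000_000, 10, 100, 5000, 5600, 7200)
    print(f"queryable range before spike: {before}s, after spike: {after}s")
    print(f"capacity to guarantee 1h at 100 eps: {capacity_for_window(3600, 100)} bytes")
```

With the assumed numbers the store covers roughly an hour before the spike and only about half an hour afterwards, even though the spike lasted ten minutes: the burst displaced half the baseline history, and the window only grows back as the burst itself ages out. Sizing for a guaranteed window has to use the peak rate, not the average.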
Two-tier storage architecture
To alleviate the high cost of RDBMS storage, aged events can be removed from the database and
archived into lower-cost compressed storage. Should events from the archive be needed, they must be
uncompressed and restored to the database. Removal and restoration of the event data from an
RDBMS database is time consuming. It creates resource contention with other operational data
loading, and may require manual operations by the database administrator and system-administration
staff. Also, compression algorithms are not sensitive to the repetitive nature of event field data
and, therefore, only achieve standard compression ratios. While a two-tier strategy is a good
approach for Information Lifecycle Management (ILM), it is not a substitute for having adequate online
event data storage.
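The age-out and restore cycle of a two-tier design, as an added example that is not code from the original paper or any product: the online tier is an in-memory SQLite table standing in for the RDBMS, the archive tier is a dictionary of gzip-compressed JSON-lines blobs keyed by day, and the event records are constructed samples. Restoring is a full decompress-and-reload of a day, which is the step the text identifies as slow and contending with operational loading.

```python
"""Two-tier event storage: online RDBMS tier plus compressed archive tier.

Added example with constructed data. SQLite in memory stands in for the RDBMS;
the archive is a dict {day_number: gzip bytes} standing in for low-cost storage.
"""
import gzip
import json
import sqlite3

DAY = 86_400


def open_online_tier():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts INTEGER, src TEXT, dst TEXT, name TEXT)")
    conn.execute("CREATE INDEX idx_events_ts ON events (ts)")
    return conn


def load_events(conn, events):
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    conn.commit()


def age_out(conn, archive, cutoff_ts):
    """Move every row with ts < cutoff_ts into the archive, one gzip blob per day.
    A day already present in the archive is extended, not overwritten. Returns rows moved."""
    rows = conn.execute(
        "SELECT ts, src, dst, name FROM events WHERE ts < ? ORDER BY ts", (cutoff_ts,)
    ).fetchall()
    by_day = {}
    for row in rows:
        by_day.setdefault(row[0] // DAY, []).append(row)
    for day, day_rows in by_day.items():
        payload = "\n".join(json.dumps(list(r)) for r in day_rows).encode()
        if day in archive:
            payload = gzip.decompress(archive[day]) + b"\n" + payload
        archive[day] = gzip.compress(payload)
    conn.execute("DELETE FROM events WHERE ts < ?", (cutoff_ts,))
    conn.commit()
    return len(rows)


def restore(conn, archive, day):
    """Decompress one archived day and reload its rows into the online tier."""
    blob = archive.pop(day, None)
    if blob is None:
        return 0
    rows = [tuple(json.loads(line)) for line in gzip.decompress(blob).decode().splitlines()]
    load_events(conn, rows)
    return len(rows)


def online_count(conn):
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]


def compression_ratio(archive):
    """Uncompressed bytes divided by archived bytes across all blobs."""
    raw = sum(len(gzip.decompress(b)) for b in archive.values())
    stored = sum(len(b) for b in archive.values())
    return raw / stored if stored else 0.0


def sample_events(days=3, per_day=50):
    """Constructed sample: repetitive firewall-style accept events, one per minute."""
    events = []
    for d in range(days):
        for i in range(per_day):
            events.append((d * DAY + i * 60, f"10.0.0.{i % 8}", "10.0.1.5", "accept"))
    return events


if __name__ == "__main__":
    conn, archive = open_online_tier(), {}
    load_events(conn, sample_events())
    moved = age_out(conn, archive, 2 * DAY)       # keep only the newest day online
    print(f"aged out {moved} rows, {online_count(conn)} still online")
    print(f"archive ratio {compression_ratio(archive):.1f}:1")
    print(f"restored {restore(conn, archive, 0)} rows for day 0")
```

Note that the archived rows are invisible to every query against the online tier until someone decides to restore them, which is why the text treats the archive as a lifecycle measure rather than a replacement for online capacity.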
Time-based database segregation
To mitigate geometric degradation of event data loading performance, one can segregate event data
into separate time-ranged databases. This effectively creates an event-time-based meta-index
maintained by the user. It does create a sustainable minimum event data loading rate. However, part
of the search optimization burden is now shifted to the user. Searching is now more complex and one
has to consider which databases to search. What was once a single search must now be manually
broken up into multiple searches, and the results manually aggregated.
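The meta-index and the search fan-out this section describes, as an added example rather than code from the original paper: one in-memory SQLite database per calendar month, a meta-index mapping each database to its event-time range, and a search that consults the index, runs the same query against every overlapping database and merges the results. The event records (a low-and-slow series of failed logins from a single TEST-NET address, plus routine successes) are constructed; the address and event names are assumed values.

```python
"""Time-based database segregation with a user-maintained meta-index.

Added example with constructed data. Each month gets its own SQLite database;
the meta-index records the [start, end) event-time range each one holds.
"""
import sqlite3
from datetime import datetime, timezone


def iso(s):
    """ISO-8601 string without zone -> UTC epoch seconds."""
    return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())


class SegregatedEventStore:
    def __init__(self):
        # month key "YYYY-MM" -> (start_ts, end_ts, connection)
        self.meta_index = {}

    @staticmethod
    def _month_bounds(ts):
        dt = datetime.fromtimestamp(ts, timezone.utc)
        start = datetime(dt.year, dt.month, 1, tzinfo=timezone.utc)
        if dt.month == 12:
            end = datetime(dt.year + 1, 1, 1, tzinfo=timezone.utc)
        else:
            end = datetime(dt.year, dt.month + 1, 1, tzinfo=timezone.utc)
        return int(start.timestamp()), int(end.timestamp())

    def _db_for(self, ts):
        """Route an event to its month's database, creating it (and its index entry) if new."""
        key = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m")
        if key not in self.meta_index:
            conn = sqlite3.connect(":memory:")
            conn.execute("CREATE TABLE events (ts INTEGER, src TEXT, name TEXT)")
            start, end = self._month_bounds(ts)
            self.meta_index[key] = (start, end, conn)
        return self.meta_index[key][2]

    def ingest(self, ts, src, name):
        self._db_for(ts).execute("INSERT INTO events VALUES (?, ?, ?)", (ts, src, name))

    def databases_for_range(self, start_ts, end_ts):
        """Meta-index lookup: which monthly databases overlap [start_ts, end_ts)?"""
        return sorted(k for k, (s, e, _) in self.meta_index.items()
                      if s < end_ts and e > start_ts)

    def search(self, start_ts, end_ts, name=None):
        """One logical search, fanned out to every overlapping database and merged."""
        sql = "SELECT ts, src, name FROM events WHERE ts >= ? AND ts < ?"
        params = [start_ts, end_ts]
        if name is not None:
            sql += " AND name = ?"
            params.append(name)
        results = []
        for key in self.databases_for_range(start_ts, end_ts):
            results.extend(self.meta_index[key][2].execute(sql, params).fetchall())
        return sorted(results)

    def count_by_src(self, start_ts, end_ts, name):
        """Aggregate that the RDBMS would do in one GROUP BY: per-database counts merged by hand."""
        totals = {}
        for key in self.databases_for_range(start_ts, end_ts):
            cur = self.meta_index[key][2].execute(
                "SELECT src, COUNT(*) FROM events WHERE ts >= ? AND ts < ? AND name = ? GROUP BY src",
                (start_ts, end_ts, name))
            for src, n in cur:
                totals[src] = totals.get(src, 0) + n
        return totals


def build_sample_store():
    """Constructed data: two failed logins a month from one address, Jan-Mar 2024, plus noise."""
    store = SegregatedEventStore()
    for day in ["2024-01-05", "2024-01-20", "2024-02-10", "2024-02-25", "2024-03-03", "2024-03-18"]:
        store.ingest(iso(f"{day}T02:00:00"), "203.0.113.7", "login_failed")
    for day in ["2024-01-08", "2024-02-08", "2024-03-08"]:
        store.ingest(iso(f"{day}T09:00:00"), "10.0.0.5", "login_ok")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    q0, q1 = iso("2024-01-01T00:00:00"), iso("2024-04-01T00:00:00")
    print("databases to search:", store.databases_for_range(q0, q1))
    print("failed logins by source:", store.count_by_src(q0, q1, "login_failed"))
```

Searching any single month shows two failures from the address, which is unremarkable; the pattern only appears when the quarter-wide query is fanned out across all three databases and the counts merged, and that fan-out and merge is work the user now has to do for every search.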