Reducing correlation and message load


BMC Defender Server can continuously accept 2000 or more messages per second and handle much larger bursts of messages for a short period of time. The exact number of messages and events per second (EPS) depends on multiple factors such as the number of correlation threads and CPU power of the host platform.

Often only a small fraction of these messages are actually pertinent or necessary for security compliance. In particular, redirecting all firewall data at BMC Defender Server can quickly make the program difficult to use because so little data is security event data that is pertinent for security management. BMC Defender Server provides a unique method for reducing the message and correlation load, especially applicable to firewall data, but also important for many other types of devices and messages. Using the BMC Defender Filter facility, you can arbitrarily redirect messages away from the main message stream into Auxiliary files.

Important

BMC Defender Server filters do not necessarily delete data that might be important to support forensics. Rather, the filters move the data away from the correlation engine and indexed search engine into auxiliary files. You can report on, search, and archive the data in these files like any other data.

If the Messages > Search screen is filled with non-pertinent messages of a particular type (such as firewall data, or any other message that repeats in a similar fashion for many pages of data), you can reduce the message load as described in the following procedure.

To reduce correlation and message load

  1. Log on to the BMC Defender Server system and click the Messages > Search tab at the top of the screen. This displays a list of incoming messages. The most recent messages are listed first.
  2. On the Messages > Search screen, inspect the list of messages to see if there are many messages with common keywords that look like candidates for redirection to the auxiliary files. You can use the Search function to find the common keywords and data characteristics.

    Important

    It is quite common that one device is overwhelming the event log with data. Make a note of the device, message severity, and keyword associated with the most ubiquitous and non-pertinent messages.

  3. Click the Messages > Config > Filters tab to display the list of filters on the system. (Initially, no filters are configured.)
  4. Click AddNew to add a new filter to the system.
  5. On the Add New Filter screen, enter the match keyword, device address, and message severity noted in Step 2. The data should be specific enough to filter only non-pertinent messages. For instance, it might not be sufficient to filter only by keyword (since a remote chance might exist that the keyword appears in interesting messages that should be left unfiltered).
  6. On the Add New Filter screen, select the Aux-1 filter file as the Filter Output file. 

    Important

    The default Main output file should be selected only if the message is to be entirely discarded. The report facility and archive functions work only on Aux-1 through Aux-8 files.

  7. Click Save to save the filter setting. The new filter appears on the top-level Filters screen.
  8. Repeat steps 2 through 7, as needed, to reduce the number of non-pertinent messages. BMC Defender Server can accept up to 1000 different filters. Each filter can redirect data to the same file, or different files. For instance, there may be various filters redirecting to the Aux-1 file.
  9. When all filters have been configured, click the Messages > Aux tab to display the current Auxiliary files. The auxiliary files appear in the list of files, along with the size and message count of each file.
  10. Optionally, click Advanced at the top of the Aux display and provide a descriptive title for each Aux file, such as Firewall Data, or Miscellaneous Messages. This optional step can clarify the purpose and intent of the Aux file data filters.
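The following is an added illustration of the routing logic the procedure above configures; it is not BMC Defender's own code or filter format. It models a filter as the keyword, device address, severity and output file from steps 5 and 6, routes constructed sample messages, and shows why the step 5 caveat matters: a keyword-only filter sweeps a policy-change message and a login message into Aux-1 along with the bulk firewall traffic, while the narrowed filter moves only the noise. The first-match-wins ordering is an assumption.

```python
# Added example, not BMC Defender code. Filters, messages and field names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

AUX_FILES = [f"Aux-{n}" for n in range(1, 9)]  # reportable/archivable outputs
MAIN = "Main"                                   # selecting Main discards the message

@dataclass
class Filter:
    keyword: str                      # substring that must appear in the message text
    device: Optional[str] = None      # source address; None matches any device
    severity: Optional[str] = None    # syslog severity; None matches any severity
    output: str = "Aux-1"             # Aux-1..Aux-8, or Main to discard

    def matches(self, msg: dict) -> bool:
        return (self.keyword in msg["text"]
                and (self.device is None or self.device == msg["device"])
                and (self.severity is None or self.severity == msg["severity"]))

def route(messages: List[dict], filters: List[Filter]) -> Dict[str, List[dict]]:
    """Return {output_name: [messages]}; unmatched messages stay in the main stream.
    First matching filter wins (assumption: filters are evaluated top-down)."""
    routed: Dict[str, List[dict]] = {"main_stream": []}
    for msg in messages:
        target: Optional[str] = "main_stream"
        for f in filters:
            if f.matches(msg):
                target = None if f.output == MAIN else f.output  # Main = drop
                break
        if target is not None:
            routed.setdefault(target, []).append(msg)
    return routed

# Constructed sample messages: a chatty firewall plus two events that share its keyword.
MESSAGES = [
    {"device": "10.0.0.1", "severity": "info", "text": "ACCEPT tcp 10.1.1.5:443 -> 10.2.2.9"},
    {"device": "10.0.0.1", "severity": "info", "text": "ACCEPT udp 10.1.1.5:53 -> 10.2.2.9"},
    {"device": "10.0.0.1", "severity": "warning", "text": "ACCEPT policy change by admin"},
    {"device": "10.0.0.7", "severity": "info", "text": "ACCEPT user login from console"},
]

# Keyword-only filter (too broad): also redirects the policy-change and login messages.
BROAD = [Filter(keyword="ACCEPT")]
# Narrowed filter (step 5): keyword + device + severity, so only bulk traffic logs move.
NARROW = [Filter(keyword="ACCEPT", device="10.0.0.1", severity="info", output="Aux-1")]

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("narrow", NARROW)):
        print(name, {k: len(v) for k, v in route(MESSAGES, rules).items()})
```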

Once an Aux file has been defined, the Size and Count fields on the Messages > Aux screen begin to increment, showing that messages are being redirected to this file. You can click on the Aux Filter File hyperlink to view recent messages or to search messages. You can click the Reports > Query function to run more complex queries across one or more Aux files.

If you want to retain the Aux file data in the archive, the administrator must navigate to Messages > Config > Parms and set the Archive Filter Data setting to Yes. With this setting, the auxiliary data is compressed and placed into the archive before it is deleted each night.

Important

Aux files are not part of the license limit. The license limit is based only on the file size of the current day’s log file, located in the Logs folder. Filtered messages do not go to the main log so they are not counted as part of the license limit count. (SPE2404) Your license limit is displayed inside parentheses with the Current Day Use value in the License Type box, on the MoreSys Info tab.


BMC Defender SIEM Correlation Server 6.2