Using the Events Per Second Rule Setting

The Events per second setting lets you disable or throttle event logging for specific threat protection rules. The default value is 1 and the maximum value is 700; NIOS displays an error message if you enter a value greater than the maximum. You can override this event filter at the member level.

Setting the Events per second parameter to 0 disables logging for that rule; setting it to any other value enables threat protection logging for that specific rule. For information about how to configure this, see Configuring Grid Security Properties.

Make note of the following guidelines when you enter a value in the Events per Second per Rule field:

  • The value of this field applies only to rules that do not have an event_filter clause as part of their format. The following is an example of a rule that has event_filter in its format:
    drop udp any any -> any 53 (msg:"EARLY DROP UDP DNS named author attempts"; content:"|07|authors|04|bind|00|"; offset:12; sid:110100100; rev:1;) event_filter gen_id 1, sig_id 110100100, type limit, track by_src, count 1, seconds 1
  • For rules that have event_filter as part of their format, the event_filter takes precedence over the value in the Events per Second per Rule field.
  • Therefore, for rules that have event_filter as part of their format, to disable event logging for Threat Protection you must disable it at the rule level by modifying the syslog file. For rules that do not have event_filter as part of their format, to disable event logging for Threat Protection, set 0 in the Events per Second per Rule field.
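The guidelines above amount to a precedence decision per rule: a rule that carries its own event_filter clause keeps that clause, while every other rule is governed by the Events per Second per Rule value (0 disables, 1 to 700 throttles). The following Python script is an added example, not Infoblox code, that parses rule lines in the format shown on this page and reports which limit governs each rule, so an administrator can see in advance which rules a 0 setting would actually silence. The first sample rule is the one from this page; the second rule, the function names and the data class are constructed for the example and are not part of NIOS.

```python
"""Decide which logging limit applies to a NIOS threat protection rule.

Added example (not Infoblox code). It encodes the guideline that a rule with
its own event_filter clause keeps that clause, while rules without one are
governed by the "Events per Second per Rule" value (0 disables, 1..700
throttles). The first sample rule is the one from this page; the second is
constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

EPS_DEFAULT = 1
EPS_MAX = 700  # NIOS rejects values above this

# event_filter clause in the layout used by the rule format on this page
EVENT_FILTER_RE = re.compile(
    r"event_filter\s+gen_id\s+(?P<gen_id>\d+)\s*,\s*sig_id\s+(?P<sig_id>\d+)"
    r"\s*,\s*type\s+(?P<type>\w+)\s*,\s*track\s+(?P<track>\w+)"
    r"\s*,\s*count\s+(?P<count>\d+)\s*,\s*seconds\s+(?P<seconds>\d+)"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"([^"]*)"')


@dataclass(frozen=True)
class EffectiveLogging:
    sid: int
    msg: str
    source: str    # "event_filter" (rule level) or "events_per_second" (GUI field)
    enabled: bool  # False only when the GUI value is 0 and the rule has no event_filter
    count: int     # events allowed per window
    seconds: int   # window length in seconds


def validate_eps(value: int) -> int:
    """Mirror the GUI check: 0 disables, 1..700 throttles, above 700 is an error."""
    if not isinstance(value, int) or value < 0:
        raise ValueError("Events per second must be a non-negative integer")
    if value > EPS_MAX:
        raise ValueError(f"Events per second must not exceed {EPS_MAX}")
    return value


def parse_event_filter(rule: str) -> Optional[dict]:
    """Return the event_filter fields of a rule, or None if the rule has none."""
    m = EVENT_FILTER_RE.search(rule)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "gen_id": int(d["gen_id"]), "sig_id": int(d["sig_id"]),
        "type": d["type"], "track": d["track"],
        "count": int(d["count"]), "seconds": int(d["seconds"]),
    }


def effective_logging(rule: str, events_per_second: int = EPS_DEFAULT) -> EffectiveLogging:
    """Work out which limit governs logging for one rule."""
    eps = validate_eps(events_per_second)
    sid_m = SID_RE.search(rule)
    if sid_m is None:
        raise ValueError("rule has no sid")
    sid = int(sid_m.group(1))
    msg_m = MSG_RE.search(rule)
    msg = msg_m.group(1) if msg_m else ""

    ef = parse_event_filter(rule)
    if ef is not None:
        # The rule-level filter takes precedence, so the GUI value is ignored:
        # even eps == 0 does not silence this rule.
        return EffectiveLogging(sid, msg, "event_filter", True, ef["count"], ef["seconds"])
    # No event_filter: the GUI value applies. 0 disables, otherwise N events per second.
    return EffectiveLogging(sid, msg, "events_per_second", eps > 0, eps, 1)


def rules_silenced_by_setting(rules, events_per_second):
    """SIDs whose logging the GUI value would disable (only rules without event_filter)."""
    results = (effective_logging(r, events_per_second) for r in rules)
    return [res.sid for res in results if not res.enabled]


# Sample input: the rule from this page, plus a constructed rule without event_filter.
RULE_WITH_FILTER = (
    'drop udp any any -> any 53 (msg:"EARLY DROP UDP DNS named author attempts"; '
    'content:"|07|authors|04|bind|00|"; offset:12; sid:110100100; rev:1;) '
    "event_filter gen_id 1, sig_id 110100100, type limit, track by_src, count 1, seconds 1"
)
RULE_WITHOUT_FILTER = (  # constructed for this example, not a real NIOS rule
    'drop udp any any -> any 53 (msg:"EXAMPLE constructed rule"; sid:999999999; rev:1;)'
)

if __name__ == "__main__":
    for rule in (RULE_WITH_FILTER, RULE_WITHOUT_FILTER):
        for eps in (0, 5):
            print(f"eps={eps}: {effective_logging(rule, eps)}")
```

Running the script shows the asymmetry the guidelines describe: with the field set to 0, the page's rule still reports `source="event_filter"` with its own count and window, while the constructed rule without a clause reports `enabled=False`. The `rules_silenced_by_setting` helper applies the same check across a whole rule list, which is the question an administrator actually needs answered before changing the field.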