Real-Time Monitoring Process (agent-side rule)
- An event is matched;
- The Intrust agent adds the alert to its outbound buffer (a 10MB file buffer);
- The Intrust agent removes the alert from the outbound buffer and sends it to the agent running on the Intrust server;
- The agent on the Intrust server (server-side agent) places the alert in a per-agent buffer (a 1MB file buffer);
- When the per-agent buffer is full, the server-side agent logs a 'buffer overflow' event and stops accepting alerts from that Intrust agent until 50% of the buffer is free. When the buffer drops to 30% full, a 'buffer overflow resolved' event is logged.
- Meanwhile, the remote Intrust agent keeps trying to re-send the refused alert;
- The Real-Time Monitoring service reads the alert from the per-agent buffer and places it in another buffer (the '4k' buffer), which resides in the RTM service's memory and can hold approximately 4000 alerts;
- The alert is then written to the Alerts database.
Real-Time Monitoring Process (server-side rule)
- An event occurs on the agent side;
- The Intrust agent matches the rule's pre-filter;
- The Intrust agent forwards the alert to the server-side agent (using the process described for agent-side rule processing);
- The Real-Time Monitoring service matches the complete rule (both pre-filter and body);
- The RTM service stores the alert in the '4k' buffer and executes the response action. If the '4k' buffer is full:
  - the response action is not executed;
  - the alert is not stored in the Alerts database.
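The two procedures above share one delivery path, and the part a practitioner cares about is what happens to alerts under load: the outbound and per-agent file buffers absorb bursts between agent and server (with the overflow / resolved hysteresis), but the RTM service's '4k' memory buffer simply loses an alert when full, so no response action runs and nothing reaches the Alerts database. The simulation below, added here as an illustration and not Intrust code, models that path for both the agent-side and server-side rule cases. It assumes fixed-size alerts, so every capacity is expressed as a number of alerts and scaled down (100, 10 and 40 instead of 10MB, 1MB and ~4000) so a storm is visible in a few rounds; the class and function names are the model's own.

```python
"""Model of the Real-Time Monitoring alert path described above: agent
outbound buffer -> server-side per-agent buffer (with overflow hysteresis)
-> RTM '4k' in-memory buffer -> Alerts database. Added illustration, not
Intrust code. Assumption: alerts are fixed-size, so every capacity is a
number of alerts, scaled down to keep the run short."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class OutboundBuffer:
    """Agent-side file buffer; unsent alerts stay here and are retried."""
    capacity: int
    queue: deque = field(default_factory=deque)
    dropped: int = 0               # could not even be buffered on the agent

    def add(self, alert_id):
        if len(self.queue) >= self.capacity:
            self.dropped += 1
            return False
        self.queue.append(alert_id)
        return True

    def send(self, server):
        """Keep pushing the oldest alert until the server refuses one."""
        while self.queue and server.accept(self.queue[0]):
            self.queue.popleft()


@dataclass
class PerAgentBuffer:
    """Server-side file buffer: when full, log 'buffer overflow' and refuse
    alerts until 50% is free; log 'buffer overflow resolved' at 30% full."""
    capacity: int
    queue: deque = field(default_factory=deque)
    refusing: bool = False         # between 'overflow' and the 50% mark
    overflow_open: bool = False    # between 'overflow' and the 30% mark
    events: list = field(default_factory=list)

    def accept(self, alert_id):
        if self.refusing:
            return False
        if len(self.queue) >= self.capacity:
            self.refusing = self.overflow_open = True
            self.events.append("buffer overflow")
            return False
        self.queue.append(alert_id)
        return True

    def read(self):
        if not self.queue:
            return None
        alert_id = self.queue.popleft()
        fill = len(self.queue) / self.capacity
        if self.refusing and fill <= 0.5:
            self.refusing = False
        if self.overflow_open and fill <= 0.3:
            self.overflow_open = False
            self.events.append("buffer overflow resolved")
        return alert_id


@dataclass
class RtmService:
    """The '4k' memory buffer: a full buffer loses the alert outright."""
    max_alerts: int
    buffer: deque = field(default_factory=deque)
    database: list = field(default_factory=list)
    responses_run: int = 0
    lost: int = 0

    def read_from(self, agent_buf, n):
        for _ in range(n):
            alert_id = agent_buf.read()
            if alert_id is None:
                return
            if len(self.buffer) >= self.max_alerts:
                self.lost += 1        # no response action, no database row
                continue
            self.buffer.append(alert_id)
            self.responses_run += 1   # response action runs once stored

    def write_to_db(self, n):
        for _ in range(min(n, len(self.buffer))):
            self.database.append(self.buffer.popleft())


def simulate(burst, outbound_cap=100, per_agent_cap=10, rtm_cap=40,
             rtm_read_rate=20, db_write_rate=5, ticks=40):
    """A storm of `burst` matched alerts, then `ticks` rounds of draining."""
    out = OutboundBuffer(outbound_cap)
    srv = PerAgentBuffer(per_agent_cap)
    rtm = RtmService(rtm_cap)
    for alert_id in range(burst):
        out.add(alert_id)
    for _ in range(ticks):
        out.send(srv)                 # agent retries every round
        rtm.read_from(srv, rtm_read_rate)
        rtm.write_to_db(db_write_rate)
    return {"in_db": len(rtm.database), "lost_in_4k": rtm.lost,
            "responses_run": rtm.responses_run, "dropped_at_agent": out.dropped,
            "still_outbound": len(out.queue), "server_events": srv.events}
```

Running `simulate(120)` with the scaled-down defaults shows the three distinct failure points: 20 alerts never fit the agent's outbound buffer, the per-agent buffer logs nine 'buffer overflow' / 'buffer overflow resolved' pairs while the agent retries, and 15 alerts are lost at the '4k' buffer, so only 85 of 120 reach the database and trigger their response action. The model treats the '4k' loss as silent because the page lists no event for it, which is the point to remember when sizing or monitoring an RTM deployment: the file buffers protect the agent-to-server leg, not the RTM service itself.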