
100,000 event limit not large enough...

I am getting close to 2k logs per second = 120k per minute or more.  The Historical search only allows a 100k limit over 1 minute...  Does this mean I will never be able to search all logs?  So far, that has been my experience.  Disappointing.

  • This is an interesting topic.  Due to STIGs and 800-53 security controls I get a LOT of events per minute.  I'm interested in hearing more about dealing with many events and the best ways to use SEM search and reporting features.  I worked with the UX team on a replacement for Crystal Reports.  What do you modify in your SEM to assist with audits?  Are there some tricks to queries you've found?

    Bill

  • The first way I found is to find reports that contain the dataset you want, for example failed login attempts.

    Select the time range for the report

    with keywords from Crystal Reports by finding a report that has the information you require. Run the report; please note I have these reports scheduled to run every day for certain requirements.  I would select a short date range at first, as I customize the report later with keywords. I recommend a computer with 32 GB RAM for running the report and a good network connection for better performance.

    After the report is run, you then customize the report with keywords: under the View tab, open Select Expert and add the variable keyword you want to search by.

    Here is a URL for custom reports:

    documentation.solarwinds.com/.../sem-create-custom-filtered-report.htm

    The second way, using the HTML5 interface, is to layer filters for the required information.

    I start by using a live filter for information; considering this is constantly piping in data, this gives you a quasi-real-time look at rules without too much memory usage.

    After narrowing down the filter rules you can convert the filter into a rule and search the same 100K of data, but filtered to the data you're looking for.

    Then you can search for the rule firing without having to type a lengthy search command.

    Realistically, 100K of events is more than needed if you know what you're looking for.  You should know the location of the information you require, some limited to the source via destination IP or tool alias.  If it is the main firewall, for example, is this broken down by ports, TCP/UDP, possible URL or IP address?

    Even a large enterprise program like Cisco Firepower has a limitation on searching, I have found.  I use SolarWinds SEM for a summary of events rather than detailed events, for which I will retrieve and review the original log source that is still available for more information.

    If storage is not proper, I also recommend enabling, at the connection level, a copy of raw and parsed data for more details if required.