37.10 Configuring the Number of Trigger Events to be Associated with a Correlated Event

When a correlation rule fires, it creates a correlated event, and the corresponding trigger events are associated with that correlated event. If the correlation rule is defined to execute the associated action at specified intervals, Sentinel creates only one correlated event and, for all subsequent firings of the rule in the specified interval, associates the trigger events with the existing correlated event. In such a case, if the correlation rule is not written carefully, the correlated event can accumulate a large number of trigger events, which might affect the stability of the Sentinel server.

To limit the number of updates to the correlated event, you can define the maximum number of trigger events to be associated with the correlated event. The default limit is 100. When the number of trigger events exceeds the defined limit, the correlated event is no longer updated with further trigger events. Sentinel generates the audit event CorrelatedEventUpdate to indicate that further correlation updates are suppressed.

To define the maximum number of trigger events to be associated with a correlated event, set the maxCorrelationEventUpdates property in the /etc/opt/novell/sentinel/config/server.xml file to the desired value. For more information about modifying the server.xml file, see Maintaining Custom Settings in XML Files.