31.0 Configuring Alert Generation

This section describes how to configure the default alert generation settings so that Sentinel remains stable and performs well when correlation rules trigger a large number of alerts.

When a correlation rule that is configured to create an alert fires, the correlation engine generates the alert and sends it to Sentinel. By default, Sentinel limits the rate of alert generation in the local or remote correlation engine to 0.5 alerts per second. To customize the rate of alert generation in the correlation engine, modify the following parameter in the configuration.properties file:

sentinel.alert.max.ratepersec=.5

If the alert generation rate exceeds 0.5 alerts per second, the correlation engine stores the additional alerts in a queue. The queue holds a maximum of 10,000 alerts. If the number of queued alerts exceeds this limit, Sentinel starts dropping alerts and generates an audit event. Increasing the rate of alert generation might affect overall Sentinel performance. You can view the current queue size in the Sentinel Main interface > Storage > Health > General Information section.

To view the audit event, run the query (evt:BufferOverLimit) AND (sres:Alert-Buffer) in the search interface. After the alert queue limit is reached, Sentinel generates audit events every ten minutes. Each audit event reports the number of alerts dropped in a given time interval and the total number of alerts dropped so far. You can customize the frequency of audit event creation by adding the following parameter to the configuration.properties file:

sentinel.pqueue.audit.interval=<time in seconds>
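To make the queue behaviour described above concrete, here is an added Python model (not Sentinel's own code): alerts drain at the configured rate, surplus alerts wait in a queue capped at 10,000, alerts that find the queue full are dropped, and an audit record carrying the interval and running drop counts is produced on each audit interval once drops have started. The one-second discrete model, the class and function names, and the credit-based handling of fractional rates are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AlertQueueSim:
    # Hypothetical one-second model of the alert path; not Sentinel's implementation.
    max_rate_per_sec: float = 0.5      # sentinel.alert.max.ratepersec
    queue_limit: int = 10_000          # documented maximum queue size
    audit_interval_sec: int = 600      # sentinel.pqueue.audit.interval (default: ten minutes)
    queued: int = 0
    sent: int = 0
    dropped_total: int = 0
    dropped_since_audit: int = 0
    audit_events: list = field(default_factory=list)
    _credit: float = 0.0               # fractional send allowance carried between seconds

    def tick(self, second: int, fired: int) -> None:
        """Advance one second: enqueue `fired` alerts, drain at the configured
        rate, and emit an audit record on the interval boundary once drops began."""
        accepted = min(fired, self.queue_limit - self.queued)
        overflow = fired - accepted            # alerts that find the queue full
        self.queued += accepted
        self.dropped_total += overflow
        self.dropped_since_audit += overflow
        # Rates below 1/sec accumulate credit until a whole alert may be sent;
        # the cap stops idle periods from turning into a later burst above the limit.
        self._credit = min(self._credit + self.max_rate_per_sec, max(1.0, self.max_rate_per_sec))
        n = min(int(self._credit), self.queued)
        self._credit -= n
        self.queued -= n
        self.sent += n
        if (second + 1) % self.audit_interval_sec == 0 and self.dropped_total > 0:
            self.audit_events.append({
                "evt": "BufferOverLimit", "sres": "Alert-Buffer",
                "dropped_in_interval": self.dropped_since_audit,
                "dropped_total": self.dropped_total,
            })
            self.dropped_since_audit = 0


def simulate(fired_per_sec: int, seconds: int, rate: float = 0.5,
             audit_interval: int = 600) -> AlertQueueSim:
    """Fire `fired_per_sec` alerts every second for `seconds` seconds; return the end state."""
    sim = AlertQueueSim(max_rate_per_sec=rate, audit_interval_sec=audit_interval)
    for s in range(seconds):
        sim.tick(s, fired_per_sec)
    return sim


if __name__ == "__main__":
    burst = simulate(fired_per_sec=2, seconds=8000)   # constructed load: 2 alerts/sec
    print(f"queued={burst.queued} sent={burst.sent} dropped={burst.dropped_total}")
    for ev in burst.audit_events:
        print(ev)
```

At 2 alerts per second against the 0.5/sec default, the queue fills after roughly 6,667 seconds and the model then drops three of every four alerts, which is the situation the BufferOverLimit audit events flag.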