The following table shows the SmartConnector processing categories.
|
SmartConnector Type |
Effects of Limited Usage |
|---|---|
|
Syslog connectors |
Due to the nature of UDP (user datagram protocol, the transport protocol used by Syslog), these connectors can potentially lose events if the configurable event rate is exceeded. This is because the connector delays processing to match the event rate configured, and while in this state, the UDP cache may fill and the operating system drop UDP messages. |
|
SNMP connectors |
Similar to Syslog connectors, when the event rate is limited on SNMP connectors, they potentially lose events. SNMP is also UDP-based and has the same issues as Syslog. |
|
Database connectors |
Since connectors "follow" the database tables, limiting the event rate for database connectors can slow the operation of other connectors. The result can be an event backlog sufficient to delay the reporting of alerts by as much as minutes or hours. However, no events are lost, unless the database tables are truncated. After the event burst is over, the connector may eventually catch up with the database if the event rate does not exceed the configured limit. |
|
File connectors |
Similar to database connectors, file-based connectors "follow" files, so limiting their event rates also causes an event backlog. This can eventually force the connector to fall behind by as much as minutes or hours, depending on the actual event rate. Similarly, the connectors may catch up if the event rate does not exceed the configured rate. |
|
Proprietary API connectors |
These connectors' behavior depends on the particular API, (for example, OPSEC behaves differently than PostOffice and RDEP). But in most cases, there is no event loss unless the internal buffers and queues of the API implementation fill up. Therefore, these connectors work much like database or file connectors. |