Traffic is not being loaded for events or incidents

Problem

Cannot load traffic for the selected events and/or incidents. The events table either does not display the tools for loading traffic (for example, the "Load traffic for the event" button is missing from the details area when one event is selected), or displays the message "No traffic for the selected events" when you attempt to load traffic.

Solution

Saved traffic for the selected events and/or incidents may be missing for one of the following reasons:

The application saves traffic during event registration if the saving of traffic is enabled for the specific type of event. By default, saving of traffic is disabled for all types of events. You can enable and configure the saving of traffic for relevant types of events.

You cannot enable saving of traffic for event types that are registered as incidents (event type codes: 8000000000, 8000000001, 8000000002 and 8000000003). To save traffic associated with incidents, you need to enable the saving of traffic for the types of events that result in registration of incidents.

Various event types may be used to register incidents. The event types used are determined by event correlation rules. However, event correlation rules may be changed when application updates are installed.

You can determine the approximate composition of event types used for incidents by viewing events in previously registered incidents. However, the list of event types obtained in this way will be incomplete. Other types of events may be used in subsequently registered incidents (for example, due to changes in correlation rules after installation of updates). If you want the application to always save traffic for all events within incidents, you can enable the saving of traffic for all system event types (for which it is possible to enable saving of traffic).

The application deletes saved traffic for registered events when one of the traffic storage limits is reached (for example, upon reaching the maximum volume of saved traffic in the database). The traffic packets that were saved earliest are deleted from the database first. If saved traffic is deleted too quickly and you do not have time to load it for relevant events, you can increase the maximum values of traffic storage settings.
