Q. Is there any limit to the number of keywords that are populated in the Query page of CS-MARS when I perform events lookup from an access rule that supports hashcodes?
A. Security Manager uses the hashcodes of the ACEs, on devices that support them, to uniquely query CS-MARS for the syslogs generated by each ACE, so large access rules might contain thousands of such hashcodes. These hashcodes are displayed as keywords in the query criteria. If the number of keywords, or the sum of the number of sources, destinations, and protocols for an ACE or a signature, exceeds the permissible limit of 150, CS-MARS displays an error message that gives the possible cause and recommended action.