Administration Guide › Suppression and Summarization › Suppression and Summarization Rules Tasks › Suppression Rule Effects

Suppression Rule Effects

During planning, you may want to consider the effect of suppression rules, which prevent events either from being inserted into the event log store or collected by a connector. Suppression rules are always attached to a connector. You can apply suppression rules at either the agent or group level, or at the CA User Activity Reporting Module server itself. The placement locations have different effects:

• Suppression rules applied at the agent or group levels prevent events from being collected and thus reduce the amount of network traffic sent to the CA User Activity Reporting Module server.
• Suppression rules applied at the CA User Activity Reporting Module server prevent events from being inserted into the database and thus reduce the amount of information being stored.

There are potential performance considerations in applying suppression rules to events after they arrive at the CA User Activity Reporting Module server, especially if you create multiple suppression rules or the event flow rate is high.

For example, you might want to suppress some of the events from a firewall or from some Windows servers that produce duplicate events for the same action. Not collecting these events can speed up the transport of the event logs you do want to keep, and saves processing time on the CA User Activity Reporting Module server. In such cases, you would apply one or more appropriate suppression rules on agent components.

If you want to suppress all events of a certain type from multiple platforms or across your entire environment, you would apply one or more appropriate suppression rules at the CA User Activity Reporting Module server. Evaluation of events with regard to suppression occurs when events arrive at the CA User Activity Reporting Module server. Applying a large number of suppression rules at the server may lead to slower performance as the server must apply suppression rules in addition to inserting events into the event log store.

For smaller implementations, you can perform suppression at the CA User Activity Reporting Module server. You may also choose to apply suppression at the server for deployments where summarization (aggregation) is in use. If you are only inserting a few of the events from an event source that generates large amounts of event information, you may still choose to suppress unwanted events at the agent or agent group level to save processing time on the CA User Activity Reporting Module server.