AlertProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.alert.keep-alive-time | 0 | long | The keepAlive time for threads |
| rsa.correlation.alert.max-alerts-queue-size | 10000 | integer | The max rabbitmq alerter queue size |
| rsa.correlation.alert.num-threads | 3 | integer | No. of threads to process |
| rsa.correlation.alert.respond-enabled | true | boolean | The respond is enabled globally |
| rsa.correlation.alert.respond-endpoint-severities | list | The list of severities which can be consumed by respond and are related to app-rules | |
| rsa.correlation.alert.retry-delay | 1 | seconds | retry time for each interval |
| rsa.correlation.alert.risk-score-severities | list | The list in severities which can be consumed by risk score and are related to app-rules | |
| rsa.correlation.alert.sleep-time | 1000 | long | The max time to sleep in thread |
| rsa.correlation.alert.statement-name-max-length | 128 | integer | The maximum length of the entire statement @Name |
| rsa.correlation.alert.statement-name-place-holder-max-length | 64 | integer | The maximum length for each place holder value in the statement @Name |
| rsa.correlation.alert.timeout-retry-policy | 3650 | seconds | Retry time in seconds for total timeout |
| rsa.correlation.alert.total-threads | 10 | integer | The total number of threads in the pool |
| rsa.correlation.alert.transient-enabled | true | boolean | The transient is enabled globally. Currently used only for key-value rule and not in basic rule |
ContextHubProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.contexthub.data-expired-in-seconds | 5 | integer | The duration of time before the ContextHub content is too old and need to be re-retrieved. |
| rsa.correlation.contexthub.file-backed-dir | string | Location on local disk where to store the paged files. | |
| rsa.correlation.contexthub.mapped-memory-size | 0 | integer | Total number of bytes of data that are kept in memory. |
| rsa.correlation.contexthub.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
DebugProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.debug.actions | string | ||
| rsa.correlation.debug.enabled | false | boolean | |
| rsa.correlation.debug.resource-ids | string |
EndpointProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.endpoint.app-rules-paths | list | {@link List} of Endpoint App Rules candidate paths of the resource file. | |
| rsa.correlation.endpoint.enabled | true | boolean | {@code true} if Endpoint Rules processing is enabled. |
EngineProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.engine.auto-start | true | boolean | Determines if all {@link Engine} should start on service deployed. |
| rsa.correlation.engine.concurrent-deployment | 10 | integer | Number of asynchronous Engine deployment Tasks. |
| rsa.correlation.engine.send-event-heart-beat-frequency | 1 | seconds | Log send Event heartbeat frequency. |
| rsa.correlation.engine.startup-error-retry-interval | 10 | seconds | Retry interval if error occurs during startup. |
EsperProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.esper.background-metrics-enabled | true | boolean | Set to {@code false} to get Esper metrics on demand. |
| rsa.correlation.esper.background-metrics-frequency | 5 | seconds | How often should the background Esper metrics process should be performed. |
| rsa.correlation.esper.config-resource | classpath:esper/esper-config.xml | string | Esper Configuration xml Resource. |
| rsa.correlation.esper.enable-statement-metric | false | boolean | Set true if esper Metrics needs to be enabled. By default it is set to false by Esper. Making it true will allow to capture additional esper-metrics but note that activating Esper metrics may cause performance impacts |
| rsa.correlation.esper.snapshot-dir | string | RSAPersist snapshot directory. | |
| rsa.correlation.esper.snapshot-frequency | 5 | seconds | Taking snapshot periodic duration. |
| rsa.correlation.esper.use-external-clock | true | boolean | {@code true} for Esper to process CurrentTimeEvent. |
FileMapProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.filemap.file-backed-dir | string | Location on local disk where to store the paged files. | |
| rsa.correlation.filemap.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
| rsa.correlation.filemap.total-memory-size | 0 | integer | Total number of bytes of data that are kept in memory. |
GeoIpProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.geoip.city-resource | string | The City database Resource. | |
| rsa.correlation.geoip.local-dir | string | Local store folder where to store the database files. | |
| rsa.correlation.geoip.org-resource | string | The Organization database Resource. |
HealthProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.health.check-every | 15 | seconds | The |
| rsa.correlation.health.fatal-percentage | 90 | integer | The percentage of memory consumption at which it is considered to be in fatal state |
| rsa.correlation.health.health-check-id | memory-check | string | The name which is required to set the HealthCheck |
| rsa.correlation.health.warning-percentage | 80 | integer | The percentage of memory consumption at which it is considered to be Warning in Warning state |
MetricProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.metric.collectd-max-value-length | 64 | integer | CollectD field value maximum length. |
RuleProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.rule.fired-rules-heart-beat | integer | Number of permits for a duration. | |
| rsa.correlation.rule.fired-rules-heart-beat-every | 1 | seconds | A length of time to apply the permits. Minimum of 1 second and max at 1 day. |
| rsa.correlation.rule.log-fired-rules | false | boolean | Should we log the rules as soon as it fired with the relevant events. |
| rsa.correlation.rule.max-constituent-events | 0 | integer | Maximum number of Events in the List sent to AlertManager. |
StatsProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stats.days-to-keep-stats-file | 3 | integer |
StreamProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stream.batch-size | 0 | integer | Controls how many records do we ask for at a time. |
| rsa.correlation.stream.buffer-size | 0 | integer | Controls the number of records the stream can keep outstanding. |
| rsa.correlation.stream.check-supply | false | boolean | Should this source check for supply |
| rsa.correlation.stream.collection-duration-in-minutes | 0 | integer | For query based aggregation this parameter determines if it should operate on continuous mode or finite mode. By Default it is 0 which means continuous mode. CollectionDuration should be specified in minutes. |
| rsa.correlation.stream.compression | 0 | integer | The number of bytes in each message before it will be compressed. Zero is no compression at all. range:0 to 131071 |
| rsa.correlation.stream.compression-level | 0 | integer | The level of compression. 1 is fastest and 9 is the best compression. A value of zero means pick the best balance between speed and compression. range:0 to 9 |
| rsa.correlation.stream.connection-time-out | 0 | integer | Override connection timeout in sources. Only if greater than 0. |
| rsa.correlation.stream.default-multi-valued | list | New multi-valued fields for this version. These fields should all be migrated to multi-valued with Rule changes. A warning message will be logged if multi-valued does NOT contain all of these fields. | |
| rsa.correlation.stream.default-single-valued | list | New single-valued fields for this version. These fields should all be migrated to single-valued with Rule changes. A warning message will be logged if single-valued does NOT contain all of these fields. | |
| rsa.correlation.stream.dots-to-underscores | true | boolean | Choose if we want to translate "user.dst" to "user_dst". |
| rsa.correlation.stream.event-source-id | false | boolean | Controls whether we need to add the event source identifier (ESA compatibility) |
| rsa.correlation.stream.filter | string | Filter to be sent across to the source | |
| rsa.correlation.stream.idle-retry-interval | 0 | integer | Controls how long to wait (in milli-seconds) before retrying an idle source. |
| rsa.correlation.stream.lag-time | 15 | seconds | Lag time is the expected time an event takes to pass through the different levels of capture/parse etc and become available to query in the concentrator. |
| rsa.correlation.stream.lowercase | list | Choose if the fields to translate to lower case | |
| rsa.correlation.stream.max-sessions | 0 | integer | Controls the number of sessions in a batch |
| rsa.correlation.stream.mechanism | string | NextGen core devices send and receive type 'AGGREGATION' or 'QUERY'. | |
| rsa.correlation.stream.minutes-back | 5 | integer | Controls how far back in time should we go for a fresh start. |
| rsa.correlation.stream.multi-valued | list | Choose the fields considered as multi-valued. | |
| rsa.correlation.stream.multi-valued-as-array | false | boolean | {@code true} to convert multi-valued Collection to Array. |
| rsa.correlation.stream.no-system-meta | false | boolean | Controls the addition of system meta to records. |
| rsa.correlation.stream.pre-fetch | 0 | integer | Controls how many batches to pull and keep ready in anticipation of demand |
| rsa.correlation.stream.query | string | Query Based RecordStream select clause for all sources. | |
| rsa.correlation.stream.reader-buffer-size | 1048576 | integer | |
| rsa.correlation.stream.retrieve-record-stream-stats-every | 2 | seconds | How often should the {@code RecordStream} status be retrieved. |
| rsa.correlation.stream.retrieve-schema-every | 5 | seconds | A length of time to apply the permits. Minimum of 1 second and max at 1 day. |
| rsa.correlation.stream.retrieve-schema-frequency | 1 | integer | Number of permits for a duration. |
| rsa.correlation.stream.retry-timeout | 0 | integer | Controls how long to wait (in milli-seconds) before retrying a failed source. |
| rsa.correlation.stream.save-position-every | 1 | seconds | A length of time to apply the permits. Minimum of 1 second and max at 1 day. |
| rsa.correlation.stream.save-position-frequency | 1 | integer | Number of permits for a duration. |
| rsa.correlation.stream.single-valued | list | Uses by Rules deployment process to ensure that these fields are not be treated as multi-valued. | |
| rsa.correlation.stream.socket-timeout | 0 | integer | Override socket timeout in sources. Only if greater than 0. |
| rsa.correlation.stream.source-poll-interval | 0 | integer | Controls the parameters passed to {@code RecordSourceSubscription}. |
| rsa.correlation.stream.start-session-id | 0 | long | Override StartSession Id in sources for debug purposes. Only if greater than 0. |
| rsa.correlation.stream.tcp-no-delay | false | boolean | |
| rsa.correlation.stream.thread-pool-size | 0 | integer | Controls the size of the thread pool used the stream executor. Default to 100. |
| rsa.correlation.stream.time-batch-in-seconds | 0 | integer | Determines the batch size for the query based aggregation in seconds. By default it will be a 60 second window. This for now will not be configurable for user. This is because concentrator operates most efficiently when the time window is a minute. |
| rsa.correlation.stream.time-measured-in-seconds | true | boolean | {@code true} if time meta is measured in seconds in the event. |
| rsa.correlation.stream.time-meta-field | time | string | Decides what field should be used for time. |
| rsa.correlation.stream.time-order-by-field | string | Controls the name of the field that we consider the timestamp. This must be a long value. | |
| rsa.correlation.stream.time-order-hold-interval | 0 | integer | To order records from multiple sources, we need to allow some "hold" time for sessions within a time window to arrive from all sources. This parameter specifies the hold interval (in milli-seconds) |
| rsa.correlation.stream.time-order-no-inflow-give-up-interval | 0 | integer | Controls the interval (in milliseconds) after which we take a "quiet" source out of the equation to allow progress on a time ordered stream. The default value is 0, which implies that we wait forever for events to arrive. |
| rsa.correlation.stream.time-order-offline-give-up-interval | 0 | integer | Controls the interval (in milli-seconds) after which we take an offline source out of the equation to allow progress on a time ordered stream. The default value is 0, which implies that we wait forever. This parameter does not affect the re-connection retries; those which are performed in all cases. |
| rsa.correlation.stream.time-ordered | false | boolean | Enables source time synchronization and ordering. |
| rsa.correlation.stream.use-event-time-for-esper | false | boolean | {@code true} to use the timeMetaField in the Event for Esper CurrentTimeEvent. |
ServiceProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.version | string | Project version. |
MigrationProperties
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.migration.home-data-path | /var/netwitness/esa | string | The location of ESA home directory |
RecordStreamMetrics
| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.records.stream.version | string |
