AlertProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.alert.keep-alive-time | 0 | long | The keepAlive time for threads. |
rsa.correlation.alert.max-alerts-queue-size | 10000 | integer | The maximum RabbitMQ alerter queue size. |
rsa.correlation.alert.num-threads | 3 | integer | Number of processing threads. |
rsa.correlation.alert.respond-enabled | true | boolean | Whether Respond is enabled globally. |
rsa.correlation.alert.respond-endpoint-severities | | list | The list of severities which can be consumed by Respond and are related to app-rules. |
rsa.correlation.alert.retry-delay | 1 | seconds | Retry delay for each interval. |
rsa.correlation.alert.risk-score-severities | | list | The list of severities which can be consumed by risk score and are related to app-rules. |
rsa.correlation.alert.sleep-time | 1000 | long | The maximum time to sleep in a thread. |
rsa.correlation.alert.statement-name-max-length | 128 | integer | The maximum length of the entire statement @Name. |
rsa.correlation.alert.statement-name-place-holder-max-length | 64 | integer | The maximum length of each placeholder value in the statement @Name. |
rsa.correlation.alert.timeout-retry-policy | 3650 | seconds | Retry time in seconds for the total timeout. |
rsa.correlation.alert.total-threads | 10 | integer | The total number of threads in the pool. |
rsa.correlation.alert.transient-enabled | true | boolean | Whether transient is enabled globally. Currently used only for key-value rules, not basic rules. |
ContextHubProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.contexthub.data-expired-in-seconds | 5 | integer | The duration of time after which ContextHub content is considered too old and needs to be re-retrieved. |
rsa.correlation.contexthub.fail-on-retrieve-retry-count | 3 | integer | Number of retries when retrieving data from ContextHub fails. |
rsa.correlation.contexthub.fail-on-retrieve-wait-between-retries | 5 | seconds | Wait duration between retries when retrieving data from ContextHub fails. |
rsa.correlation.contexthub.fail-on-set-entries-wait-between-retries | 5 | seconds | Wait duration between retries when adding entries to or deleting entries from ContextHub fails. |
rsa.correlation.contexthub.file-backed-dir | | string | Location on local disk where the paged files are stored. |
rsa.correlation.contexthub.mapped-memory-size | 0 | integer | Total number of bytes of data kept in memory. |
rsa.correlation.contexthub.notification-handler-thread-pool-size | 8 | integer | Number of concurrent notification handler threads. |
rsa.correlation.contexthub.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
rsa.correlation.contexthub.set-entries-thread-pool-size | 128 | integer | Size of the thread pool for concurrent RSAContext set-entries operations. |
DataPrivacyProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.data-privacy.global-private-fields | | list | List of fields that are always removed from the output for data privacy, regardless of source. |
DebugProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.debug.actions | | string | |
rsa.correlation.debug.enabled | false | boolean | |
rsa.correlation.debug.resource-ids | | string | |
EndpointProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.endpoint.app-rules-paths | | list | {@link List} of candidate resource-file paths for the Endpoint App Rules. |
rsa.correlation.endpoint.enabled | true | boolean | {@code true} if Endpoint Rules processing is enabled. |
EngineProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.engine.auto-start | true | boolean | Determines whether all {@link Engine}s should start when the service is deployed. |
rsa.correlation.engine.concurrent-deployment | 10 | integer | Number of asynchronous Engine deployment Tasks. |
rsa.correlation.engine.send-event-heart-beat-frequency | 1 | seconds | Frequency of the send-Event heartbeat log. |
rsa.correlation.engine.startup-error-retry-interval | 10 | seconds | Retry interval if an error occurs during startup. |
EsperProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.esper.background-metrics-enabled | true | boolean | Set to {@code false} to get Esper metrics on demand. |
rsa.correlation.esper.background-metrics-frequency | 5 | seconds | How often the background Esper metrics process should run. |
rsa.correlation.esper.config-resource | classpath:esper/ | string | Esper Configuration XML Resource. |
rsa.correlation.esper.enable-statement-metric | false | boolean | Set to {@code true} if Esper statement metrics need to be enabled; Esper disables them by default. Enabling them captures additional Esper metrics, but note that activating Esper metrics may impact performance. |
rsa.correlation.esper.metrics-memory-back-off | 1 | seconds | How long to back off after reaching a metrics timeout error. |
rsa.correlation.esper.metrics-num-threads | 16 | integer | The number of threads to use for calculating metrics, per engine. Each thread gets metrics for a single rule. |
rsa.correlation.esper.metrics-timeout | 15 | seconds | How long to allow for retrieval of metrics for a single rule. Counting memory for rules that use a lot of memory takes a lot of time and CPU, which blocks processing of new events. In the case of a timeout, the error is captured for reporting purposes. |
rsa.correlation.esper.snapshot-dir | | string | RSAPersist snapshot directory. |
rsa.correlation.esper.snapshot-frequency | 5 | seconds | Interval between periodic snapshots. |
rsa.correlation.esper.use-external-clock | true | boolean | {@code true} for Esper to process CurrentTimeEvent. |
FileMapProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.filemap.file-backed-dir | | string | Location on local disk where the paged files are stored. |
rsa.correlation.filemap.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
rsa.correlation.filemap.total-memory-size | 0 | integer | Total number of bytes of data kept in memory. |
GeoIpProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.geoip.city-resource | | string | The City database Resource. |
rsa.correlation.geoip.local-dir | | string | Local folder where the database files are stored. |
rsa.correlation.geoip.org-resource | | string | The Organization database Resource. |
HealthProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.health.check-every | 15 | seconds | The |
rsa.correlation.health.fatal-percentage | 90 | integer | The percentage of memory consumption at which the service is considered to be in Fatal state. |
rsa.correlation.health.health-check-id | memory-check | string | The name required to set the HealthCheck. |
rsa.correlation.health.warning-percentage | 80 | integer | The percentage of memory consumption at which the service is considered to be in Warning state. |
MetricProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.metric.collectd-max-value-length | 64 | integer | CollectD field value maximum length. |
ServiceProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.re-deployment-cycle | 0 | integer | The current re-deployment cycle. |
rsa.correlation.re-deployment-required | 0 | integer | The number of re-deployments required. |
rsa.correlation.send-re-deployment-notification | true | boolean | {@code true} to notify SA to re-deploy all active {@code Engine}s. |
rsa.correlation.version | | string | Project version. |
rsa.correlation.wait-before-checking-for-success-re-deployment | 1 | seconds | Wait duration before checking whether the SA re-deployment response indicates success. |
RuleProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.rule.fired-rules-heart-beat | | integer | Number of permits for a duration. |
rsa.correlation.rule.fired-rules-heart-beat-every | 1 | seconds | The length of time over which the permits apply. Minimum of 1 second, maximum of 1 day. |
rsa.correlation.rule.log-fired-rules | false | boolean | Whether to log a rule, together with its relevant events, as soon as it fires. |
rsa.correlation.rule.max-constituent-events | 0 | integer | Maximum number of Events in the List sent to AlertManager. |
StatsProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.stats.days-to-keep-stats-file | 3 | integer | |
StreamProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.correlation.stream.aggregation-queue-size | 10 | integer | Size of the queue that holds aggregation Events, staging them before they are sent to the Rule Engine. |
rsa.correlation.stream.batch-size | 0 | integer | Controls how many records are requested at a time. |
rsa.correlation.stream.big-integer-to-long | true | boolean | Whether to convert {@code BigInteger} {@code Meta} values (such as sessionid) to {@code Long}. |
rsa.correlation.stream.buffer-size | 0 | integer | Controls the number of records the stream can keep outstanding. |
rsa.correlation.stream.check-supply | false | boolean | Whether this source should check for supply. |
rsa.correlation.stream.collection-duration-in-minutes | 0 | integer | For query-based aggregation, determines whether it operates in continuous mode or finite mode. The default of 0 means continuous mode. The collection duration is specified in minutes. |
rsa.correlation.stream.compression | 0 | integer | The number of bytes in each message before it is compressed. Zero means no compression at all. Range: 0 to 131071. |
rsa.correlation.stream.compression-level | 0 | integer | The level of compression: 1 is fastest and 9 is the best compression. A value of zero means pick the best balance between speed and compression. Range: 0 to 9. |
rsa.correlation.stream.connection-time-out | 0 | integer | Overrides the connection timeout in sources. Applied only if greater than 0. |
rsa.correlation.stream.default-multi-valued | | list | New multi-valued fields for this version. These fields should all be migrated to multi-valued with Rule changes. A warning message is logged if multi-valued does NOT contain all of these fields. |
rsa.correlation.stream.default-single-valued | | list | New single-valued fields for this version. These fields should all be migrated to single-valued with Rule changes. A warning message is logged if single-valued does NOT contain all of these fields. |
rsa.correlation.stream.dots-to-underscores | true | boolean | Whether to translate "user.dst" to "user_dst". |
rsa.correlation.stream.event-batch-size | 1000 | integer | Number of Events per batch stored in the queue. |
rsa.correlation.stream.event-enrichment-queue-size | 10 | integer | Size of the queue used to enrich the {@code Event} before offering it to the {@code Rule} {@code Engine}. |
rsa.correlation.stream.event-enrichment-thread-pool-size | 8 | integer | Concurrent Event enrichment Thread pool size. |
rsa.correlation.stream.event-polling-timeout-in-milli-seconds | 1000 | long | Event polling from queue timeout in milliseconds. |
rsa.correlation.stream.event-source-id | false | boolean | Controls whether the event source identifier is added (ESA compatibility). |
rsa.correlation.stream.filter | | string | Filter to be sent across to the source. |
rsa.correlation.stream.idle-retry-interval | 0 | integer | Controls how long to wait (in milliseconds) before retrying an idle source. |
rsa.correlation.stream.lag-time | 15 | seconds | Lag time is the expected time an event takes to pass through the different levels of capture, parsing, etc. and become available to query in the concentrator. |
rsa.correlation.stream.lowercase | | list | The fields to translate to lower case. |
rsa.correlation.stream.max-sessions | 0 | integer | Controls the number of sessions in a batch. The more you filter out ESA data source traffic, the lower you should set this value. |
rsa.correlation.stream.mechanism | | string | NextGen core device send and receive type: 'AGGREGATION' or 'QUERY'. |
rsa.correlation.stream.minutes-back | 5 | integer | Controls how far back in time to go on a fresh start. |
rsa.correlation.stream.multi-valued | | list | The fields considered multi-valued. |
rsa.correlation.stream.multi-valued-as-array | false | boolean | {@code true} to convert a multi-valued Collection to an Array. |
rsa.correlation.stream.no-system-meta | false | boolean | Controls the addition of system meta to records. |
rsa.correlation.stream.pre-fetch | 0 | integer | Controls how many batches to pull and keep ready in anticipation of demand. |
rsa.correlation.stream.query | | string | Query Based RecordStream select clause for all sources. |
rsa.correlation.stream.reader-buffer-size | 1048576 | integer | |
rsa.correlation.stream.retrieve-record-stream-stats-every | 2 | seconds | How often the {@code RecordStream} status should be retrieved. |
rsa.correlation.stream.retrieve-schema-every | 5 | seconds | The length of time over which the permits apply. Minimum of 1 second, maximum of 1 day. |
rsa.correlation.stream.retrieve-schema-frequency | 1 | integer | Number of permits for a duration. |
rsa.correlation.stream.retry-timeout | 0 | integer | Controls how long to wait (in milliseconds) before retrying a failed source. |
rsa.correlation.stream.save-position-every | 1 | seconds | The length of time over which the permits apply. Minimum of 1 second, maximum of 1 day. |
rsa.correlation.stream.save-position-frequency | 1 | integer | Number of permits for a duration. |
rsa.correlation.stream.single-valued | | list | Used by the Rules deployment process to ensure that these fields are not treated as multi-valued. |
rsa.correlation.stream.socket-timeout | 0 | integer | Overrides the socket timeout in sources. Applied only if greater than 0. |
rsa.correlation.stream.source-poll-interval | 0 | integer | Controls the parameters passed to {@code RecordSourceSubscription}. |
rsa.correlation.stream.start-session-id | 0 | long | Overrides the StartSession Id in sources for debug purposes. Applied only if greater than 0. |
rsa.correlation.stream.tcp-no-delay | false | boolean | |
rsa.correlation.stream.thread-pool-size | 0 | integer | Controls the size of the thread pool used by the stream executor. Defaults to 100. |
rsa.correlation.stream.time-batch-in-seconds | 0 | integer | Determines the batch size, in seconds, for query-based aggregation. By default it is a 60-second window. This is currently not user-configurable, because the concentrator operates most efficiently when the time window is one minute. |
rsa.correlation.stream.time-measured-in-seconds | true | boolean | {@code true} if the time meta in the event is measured in seconds. |
rsa.correlation.stream.time-meta-field | time | string | Decides which field should be used for time. |
rsa.correlation.stream.time-order-by-field | | string | Controls the name of the field that is treated as the timestamp. This must be a long value. |
rsa.correlation.stream.time-order-hold-interval | 0 | integer | To order records from multiple sources, some "hold" time is needed for sessions within a time window to arrive from all sources. This parameter specifies the hold interval (in milliseconds). |
rsa.correlation.stream.time-order-no-inflow-give-up-interval | 0 | integer | Controls the interval (in milliseconds) after which a "quiet" source is taken out of the equation to allow progress on a time-ordered stream. The default value is 0, which means waiting forever for events to arrive. |
rsa.correlation.stream.time-order-offline-give-up-interval | 0 | integer | Controls the interval (in milliseconds) after which an offline source is taken out of the equation to allow progress on a time-ordered stream. The default value is 0, which means waiting forever. This parameter does not affect the re-connection retries; those are performed in all cases. |
rsa.correlation.stream.time-ordered | false | boolean | Enables source time synchronization and ordering. |
rsa.correlation.stream.use-direct-buffer | false | boolean | |
rsa.correlation.stream.use-event-time-for-esper | false | boolean | {@code true} to use the timeMetaField in the Event for the Esper CurrentTimeEvent. |
MigrationProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.migration.home-data-path | /var/netwitness/esa | string | The location of the ESA home directory. |
RecordStreamMetrics

Name | Default value | Type | Description |
---|---|---|---|
rsa.records.stream.version | | string | |