Correlation-server Configuration

Document created by RSA Information Design and Development on Jan 31, 2020
Version 1

AlertProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.alert.keep-alive-time | 0 | long | Keep-alive time for threads in the alert thread pool. |
| rsa.correlation.alert.max-alerts-queue-size | 10000 | integer | Maximum size of the RabbitMQ alerter queue. |
| rsa.correlation.alert.num-threads | 3 | integer | Number of threads that process alerts. |
| rsa.correlation.alert.respond-enabled | true | boolean | Whether forwarding alerts to Respond is enabled globally. |
| rsa.correlation.alert.respond-endpoint-severities | | list | Severities that Respond consumes; applies to app-rules. |
| rsa.correlation.alert.retry-delay | 1 | seconds | Delay before each retry. |
| rsa.correlation.alert.risk-score-severities | | list | Severities that risk score consumes; applies to app-rules. |
| rsa.correlation.alert.sleep-time | 1000 | long | Maximum time a thread sleeps. |
| rsa.correlation.alert.statement-name-max-length | 128 | integer | Maximum length of the entire statement @Name. |
| rsa.correlation.alert.statement-name-place-holder-max-length | 64 | integer | Maximum length of each placeholder value in the statement @Name. |
| rsa.correlation.alert.timeout-retry-policy | 3650 | seconds | Total time, in seconds, during which retries are attempted before the operation times out. |
| rsa.correlation.alert.total-threads | 10 | integer | Total number of threads in the pool. |
| rsa.correlation.alert.transient-enabled | true | boolean | Whether transient alerts are enabled globally. Currently used only by key-value rules, not by basic rules. |

ContextHubProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.contexthub.data-expired-in-seconds | 5 | integer | Time after which ContextHub content is considered stale and is retrieved again. |
| rsa.correlation.contexthub.file-backed-dir | | string | Local disk directory in which the paged files are stored. |
| rsa.correlation.contexthub.mapped-memory-size | 0 | integer | Total number of bytes of data kept in memory. |
| rsa.correlation.contexthub.page-file-size | 4096 | integer | Size of each paged file stored on local disk. |

DebugProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.debug.actions | | string | |
| rsa.correlation.debug.enabled | false | boolean | |
| rsa.correlation.debug.resource-ids | | string | |

EndpointProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.endpoint.app-rules-paths | | list | List of candidate paths for the Endpoint App Rules resource file. |
| rsa.correlation.endpoint.enabled | true | boolean | true if Endpoint Rules processing is enabled. |

EngineProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.engine.auto-start | true | boolean | Whether every Engine starts when the service is deployed. |
| rsa.correlation.engine.concurrent-deployment | 10 | integer | Number of asynchronous Engine deployment tasks. |
| rsa.correlation.engine.send-event-heart-beat-frequency | 1 | seconds | Frequency of the send-Event heartbeat log message. |
| rsa.correlation.engine.startup-error-retry-interval | 10 | seconds | Retry interval if an error occurs during startup. |

EsperProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.esper.background-metrics-enabled | true | boolean | Set to false to collect Esper metrics on demand instead of in the background. |
| rsa.correlation.esper.background-metrics-frequency | 5 | seconds | How often the background Esper metrics process runs. |
| rsa.correlation.esper.config-resource | classpath:esper/esper-config.xml | string | Esper configuration XML resource. |
| rsa.correlation.esper.enable-statement-metric | false | boolean | Set to true to enable Esper statement metrics. Esper leaves this disabled by default. Enabling it captures additional Esper metrics, but activating them may affect performance. |
| rsa.correlation.esper.snapshot-dir | | string | RSAPersist snapshot directory. |
| rsa.correlation.esper.snapshot-frequency | 5 | seconds | Interval between periodic snapshots. |
| rsa.correlation.esper.use-external-clock | true | boolean | true for Esper to process CurrentTimeEvent (external clock). |

FileMapProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.filemap.file-backed-dir | | string | Local disk directory in which the paged files are stored. |
| rsa.correlation.filemap.page-file-size | 4096 | integer | Size of each paged file stored on local disk. |
| rsa.correlation.filemap.total-memory-size | 0 | integer | Total number of bytes of data kept in memory. |

GeoIpProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.geoip.city-resource | | string | The City database resource. |
| rsa.correlation.geoip.local-dir | | string | Local folder in which the database files are stored. |
| rsa.correlation.geoip.org-resource | | string | The Organization database resource. |

HealthProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.health.check-every | 15 | seconds | The |
| rsa.correlation.health.fatal-percentage | 90 | integer | Memory consumption percentage at which the service is considered to be in the fatal state. |
| rsa.correlation.health.health-check-id | memory-check | string | Name required to register the HealthCheck. |
| rsa.correlation.health.warning-percentage | 80 | integer | Memory consumption percentage at which the service is considered to be in the warning state. |

MetricProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.metric.collectd-max-value-length | 64 | integer | Maximum length of a CollectD field value. |

RuleProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.rule.fired-rules-heart-beat | | integer | Number of permits per duration. |
| rsa.correlation.rule.fired-rules-heart-beat-every | 1 | seconds | Length of time over which the permits apply. Minimum 1 second, maximum 1 day. |
| rsa.correlation.rule.log-fired-rules | false | boolean | Whether to log each rule as soon as it fires, together with the relevant events. |
| rsa.correlation.rule.max-constituent-events | 0 | integer | Maximum number of Events in the List sent to AlertManager. |
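The "permits per duration" pairs in this table (fired-rules-heart-beat with fired-rules-heart-beat-every) and the same-shaped pairs in the StreamProperties table (retrieve-schema-frequency/-every, save-position-frequency/-every) describe a throttle: at most N acquisitions in each window of the configured length, with the window bounded to 1 second to 1 day. The following is an added illustration written for this page, not the correlation-server's own code. It assumes a fixed window that opens at the first acquisition; the names PermitThrottle, throttle_fired_rules and the SAMPLE_FIRINGS timeline are constructed for the example.

```python
"""Permit-based throttle of the kind the RuleProperties and StreamProperties
tables describe: N permits per duration. Added illustration for this page, not
the correlation-server's own code; the fixed window that starts at the first
acquisition is an assumed design."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_DURATION_S = 1           # page: "Minimum of 1 second"
MAX_DURATION_S = 24 * 3600   # page: "max at 1 day"


def validate_duration(every_s: float) -> float:
    """Reject durations outside the 1 second .. 1 day range the page states."""
    if not MIN_DURATION_S <= every_s <= MAX_DURATION_S:
        raise ValueError(f"duration {every_s}s outside [{MIN_DURATION_S}, {MAX_DURATION_S}]")
    return every_s


@dataclass
class PermitThrottle:
    """Allow at most `permits` acquisitions in every `every_s`-second window."""
    permits: int
    every_s: float
    _window_start: Optional[float] = field(default=None, init=False)
    _used: int = field(default=0, init=False)

    def __post_init__(self) -> None:
        if self.permits < 1:
            raise ValueError("permits must be at least 1")
        validate_duration(self.every_s)

    def try_acquire(self, now: float) -> bool:
        """Consume a permit and return True, or return False if the window is exhausted."""
        if self._window_start is None or now - self._window_start >= self.every_s:
            self._window_start, self._used = now, 0      # open a fresh window
        if self._used < self.permits:
            self._used += 1
            return True
        return False


def throttle_fired_rules(firings: List[Tuple[float, str]], permits: int,
                         every_s: float) -> Tuple[List[str], int]:
    """Replay (timestamp, rule_id) firings; return the log lines kept and the count suppressed."""
    throttle = PermitThrottle(permits, every_s)
    kept: List[str] = []
    suppressed = 0
    for ts, rule_id in firings:
        if throttle.try_acquire(ts):
            kept.append(f"{ts:.1f} fired {rule_id}")
        else:
            suppressed += 1
    return kept, suppressed


# Constructed sample: six firings in the first second, two more a second later.
SAMPLE_FIRINGS = [(0.0, "rule-a"), (0.1, "rule-b"), (0.2, "rule-a"), (0.3, "rule-c"),
                  (0.4, "rule-a"), (0.5, "rule-b"), (1.2, "rule-c"), (1.3, "rule-a")]

if __name__ == "__main__":
    lines, dropped = throttle_fired_rules(SAMPLE_FIRINGS, permits=3, every_s=1)
    print("\n".join(lines))
    print(f"suppressed: {dropped}")   # 3 permits per second keeps 5 of the 8 firings
```

With three permits per one-second window, the burst at 0.3 to 0.5 s is suppressed and logging resumes in the next window; raising the duration above a day, or below a second, is rejected at construction, which is the check the page's "Minimum of 1 second and max at 1 day" implies.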

StatsProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stats.days-to-keep-stats-file | 3 | integer | |

StreamProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stream.batch-size | 0 | integer | Number of records requested at a time. |
| rsa.correlation.stream.buffer-size | 0 | integer | Number of records the stream can keep outstanding. |
| rsa.correlation.stream.check-supply | false | boolean | Whether this source checks for supply. |
| rsa.correlation.stream.collection-duration-in-minutes | 0 | integer | For query-based aggregation, whether the stream runs in continuous or finite mode. The default, 0, means continuous mode; any other value is the collection duration in minutes. |
| rsa.correlation.stream.compression | 0 | integer | Number of bytes a message must reach before it is compressed. Zero disables compression. Range: 0 to 131071. |
| rsa.correlation.stream.compression-level | 0 | integer | Compression level: 1 is fastest, 9 is best compression, and 0 picks the best balance between speed and compression. Range: 0 to 9. |
| rsa.correlation.stream.connection-time-out | 0 | integer | Overrides the connection timeout in sources, only if greater than 0. |
| rsa.correlation.stream.default-multi-valued | | list | Multi-valued fields new in this version. These fields should all be migrated to multi-valued with Rule changes. A warning is logged if multi-valued does not contain all of them. |
| rsa.correlation.stream.default-single-valued | | list | Single-valued fields new in this version. These fields should all be migrated to single-valued with Rule changes. A warning is logged if single-valued does not contain all of them. |
| rsa.correlation.stream.dots-to-underscores | true | boolean | Whether to translate "user.dst" to "user_dst". |
| rsa.correlation.stream.event-source-id | false | boolean | Whether to add the event source identifier (ESA compatibility). |
| rsa.correlation.stream.filter | | string | Filter sent to the source. |
| rsa.correlation.stream.idle-retry-interval | 0 | integer | How long to wait (in milliseconds) before retrying an idle source. |
| rsa.correlation.stream.lag-time | 15 | seconds | Expected time for an event to pass through capture, parsing and the other processing stages and become available to query in the Concentrator. |
| rsa.correlation.stream.lowercase | | list | Fields to translate to lower case. |
| rsa.correlation.stream.max-sessions | 0 | integer | Number of sessions in a batch. |
| rsa.correlation.stream.mechanism | | string | Send and receive type for NextGen core devices: 'AGGREGATION' or 'QUERY'. |
| rsa.correlation.stream.minutes-back | 5 | integer | How far back in time to go on a fresh start. |
| rsa.correlation.stream.multi-valued | | list | Fields treated as multi-valued. |
| rsa.correlation.stream.multi-valued-as-array | false | boolean | true to convert multi-valued Collections to Arrays. |
| rsa.correlation.stream.no-system-meta | false | boolean | Controls the addition of system meta to records. |
| rsa.correlation.stream.pre-fetch | 0 | integer | Number of batches to pull and keep ready in anticipation of demand. |
| rsa.correlation.stream.query | | string | Query-based RecordStream select clause for all sources. |
| rsa.correlation.stream.reader-buffer-size | 1048576 | integer | |
| rsa.correlation.stream.retrieve-record-stream-stats-every | 2 | seconds | How often the RecordStream status is retrieved. |
| rsa.correlation.stream.retrieve-schema-every | 5 | seconds | Length of time over which the permits apply. Minimum 1 second, maximum 1 day. |
| rsa.correlation.stream.retrieve-schema-frequency | 1 | integer | Number of permits per duration. |
| rsa.correlation.stream.retry-timeout | 0 | integer | How long to wait (in milliseconds) before retrying a failed source. |
| rsa.correlation.stream.save-position-every | 1 | seconds | Length of time over which the permits apply. Minimum 1 second, maximum 1 day. |
| rsa.correlation.stream.save-position-frequency | 1 | integer | Number of permits per duration. |
| rsa.correlation.stream.single-valued | | list | Used by the Rules deployment process to ensure that these fields are not treated as multi-valued. |
| rsa.correlation.stream.socket-timeout | 0 | integer | Overrides the socket timeout in sources, only if greater than 0. |
| rsa.correlation.stream.source-poll-interval | 0 | integer | Controls the parameters passed to RecordSourceSubscription. |
| rsa.correlation.stream.start-session-id | 0 | long | Overrides the StartSession Id in sources for debugging, only if greater than 0. |
| rsa.correlation.stream.tcp-no-delay | false | boolean | |
| rsa.correlation.stream.thread-pool-size | 0 | integer | Size of the thread pool used by the stream executor. Defaults to 100. |
| rsa.correlation.stream.time-batch-in-seconds | 0 | integer | Batch size, in seconds, for query-based aggregation. By default this is a 60-second window and is not user-configurable, because the Concentrator operates most efficiently with a one-minute window. |
| rsa.correlation.stream.time-measured-in-seconds | true | boolean | true if the time meta in the event is measured in seconds. |
| rsa.correlation.stream.time-meta-field | time | string | Field used for time. |
| rsa.correlation.stream.time-order-by-field | | string | Name of the field treated as the timestamp. Must be a long value. |
| rsa.correlation.stream.time-order-hold-interval | 0 | integer | To order records from multiple sources, sessions within a time window must be held long enough to arrive from all sources. This is that hold interval (in milliseconds). |
| rsa.correlation.stream.time-order-no-inflow-give-up-interval | 0 | integer | Interval (in milliseconds) after which a "quiet" source is taken out of the equation so that a time-ordered stream can make progress. The default, 0, means wait forever for events to arrive. |
| rsa.correlation.stream.time-order-offline-give-up-interval | 0 | integer | Interval (in milliseconds) after which an offline source is taken out of the equation so that a time-ordered stream can make progress. The default, 0, means wait forever. This does not affect reconnection retries, which are performed in all cases. |
| rsa.correlation.stream.time-ordered | false | boolean | Enables source time synchronization and ordering. |
| rsa.correlation.stream.use-event-time-for-esper | false | boolean | true to use the timeMetaField in the Event for the Esper CurrentTimeEvent. |
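The three time-order-* intervals only make sense together: a hold interval lets a slower source deliver an older session before newer ones are released, and the two give-up intervals decide how long a source that has gone quiet or offline may stall the whole stream (0 meaning forever). The following is an added illustration written for this page, not the correlation-server's own code. Its release rule is an assumption: a record is held for the hold interval after it arrives, records are then released lowest event time first, and any source with nothing buffered blocks release until its give-up interval expires. The class and function names (TimeOrderedMerge, simulate), the source names c1 and c2, and the TIMELINE are all constructed for the example.

```python
"""Time-ordered merge across several record sources, showing how the
time-order-hold-interval, time-order-no-inflow-give-up-interval and
time-order-offline-give-up-interval settings interact. Added illustration for
this page, not the correlation-server's own code: the release rule below
(hold counted from arrival; an empty source blocks until it gives up) is assumed."""
import heapq
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SourceState:
    # Min-heap of (event_ts, seq, arrival_ms, payload); seq keeps ties stable.
    pending: List[Tuple[int, int, int, str]] = field(default_factory=list)
    last_inflow_ms: int = 0                 # wall-clock time of the last record seen
    offline_since_ms: Optional[int] = None  # set while the source is disconnected


class TimeOrderedMerge:
    def __init__(self, sources: List[str], hold_ms: int,
                 no_inflow_give_up_ms: int = 0, offline_give_up_ms: int = 0) -> None:
        # 0 for either give-up interval means "wait forever", as the page states.
        self.hold_ms = hold_ms
        self.no_inflow_give_up_ms = no_inflow_give_up_ms
        self.offline_give_up_ms = offline_give_up_ms
        self.sources: Dict[str, SourceState] = {s: SourceState() for s in sources}
        self._seq = 0
        self.last_emitted_ts: Optional[int] = None
        self.late_count = 0                 # records released behind a newer one

    def arrive(self, now_ms: int, source: str, event_ts: int, payload: str) -> None:
        st = self.sources[source]
        self._seq += 1
        heapq.heappush(st.pending, (event_ts, self._seq, now_ms, payload))
        st.last_inflow_ms = now_ms
        st.offline_since_ms = None          # a record proves the source is back

    def go_offline(self, now_ms: int, source: str) -> None:
        st = self.sources[source]
        if st.offline_since_ms is None:
            st.offline_since_ms = now_ms

    def _blocks(self, now_ms: int, st: SourceState) -> bool:
        """An empty source blocks progress until its give-up interval expires."""
        if st.pending:
            return False
        if st.offline_since_ms is not None:
            return not (self.offline_give_up_ms
                        and now_ms - st.offline_since_ms >= self.offline_give_up_ms)
        return not (self.no_inflow_give_up_ms
                    and now_ms - st.last_inflow_ms >= self.no_inflow_give_up_ms)

    def drain(self, now_ms: int) -> List[str]:
        """Release, lowest event time first, records held for at least hold_ms."""
        out: List[str] = []
        while not any(self._blocks(now_ms, st) for st in self.sources.values()):
            heads = [(st.pending[0][0], name) for name, st in self.sources.items() if st.pending]
            if not heads:
                break
            ts, name = min(heads)
            if now_ms - self.sources[name].pending[0][2] < self.hold_ms:
                break                       # still holding; a sibling may send older data
            _, _, _, payload = heapq.heappop(self.sources[name].pending)
            if self.last_emitted_ts is not None and ts < self.last_emitted_ts:
                self.late_count += 1        # the hold interval was too short for this one
            self.last_emitted_ts = ts
            out.append(payload)
        return out


# Constructed timeline: (wall_clock_ms, op, source, event_ts, payload).
# Two concentrators; c2 delivers an older session 60 ms late, then drops offline.
TIMELINE = [
    (0,    "arrive",  "c1", 1000, "A"),
    (0,    "arrive",  "c2", 1100, "B"),
    (50,   "arrive",  "c1", 1300, "D"),
    (60,   "arrive",  "c2", 1050, "C"),   # older than B, arrives after it
    (2000, "tick",    "c1", 0,    ""),
    (2100, "offline", "c2", 0,    ""),
    (2200, "arrive",  "c1", 3000, "E"),
    (5000, "tick",    "c1", 0,    ""),
]


def simulate(timeline, hold_ms: int, no_inflow_give_up_ms: int = 0,
             offline_give_up_ms: int = 0) -> Tuple[List[str], int]:
    """Replay a timeline; return (payloads in release order, late-record count)."""
    names = sorted({e[2] for e in timeline})
    merge = TimeOrderedMerge(names, hold_ms, no_inflow_give_up_ms, offline_give_up_ms)
    released: List[str] = []
    for now_ms, op, source, event_ts, payload in sorted(timeline):
        if op == "arrive":
            merge.arrive(now_ms, source, event_ts, payload)
        elif op == "offline":
            merge.go_offline(now_ms, source)
        released += merge.drain(now_ms)
    return released, merge.late_count


if __name__ == "__main__":
    print(simulate(TIMELINE, hold_ms=500))                           # D and E wait on offline c2 forever
    print(simulate(TIMELINE, hold_ms=500, offline_give_up_ms=1000))  # c2 is dropped after 1 s; all released
    print(simulate(TIMELINE, hold_ms=0))                             # C released out of order
```

With a 500 ms hold, C sorts ahead of B even though it arrived later; with no hold, B is already out and C is counted as late. With both give-up intervals at their default of 0, the offline c2 stalls D and E indefinitely, which is the "wait forever" behaviour the table describes; an offline give-up of 1000 ms lets the stream progress, and a no-inflow give-up would release D as soon as c2 has been quiet for that long, but not E once c2 is offline.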

ServiceProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.version | | string | Project version. |

MigrationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.migration.home-data-path | /var/netwitness/esa | string | Location of the ESA home directory. |

RecordStreamMetrics

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.records.stream.version | | string | |
