Endpoint-server Configuration

Document created by RSA Information Design and Development Employee on Feb 3, 2020
Version 1
 

CertificateStatusProperties

                                               
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.certificate.status.ignored-notifications-retry-interval | 60 | seconds | Notifications are ignored once posting the file status fails. These ignored notifications are queried periodically; this property defines the interval. |
| rsa.endpoint.certificate.status.new-files-query-for-automatic-status-interval | 300 | seconds | Time (in seconds) between subsequent queries for new files for automatic assignment of the file status to be sent to the Contexthub server |
| rsa.endpoint.certificate.status.query-batch-size | 3000 | integer | Max number of thumbprints that should be fetched from the repository in a single query |
| rsa.endpoint.certificate.status.request-batch-size | 500 | integer | Max number of thumbprints that should be part of the request sent to Contexthub-Server |
| rsa.endpoint.certificate.status.request-interval | 300 | seconds | Time (in seconds) between queries for any new certificates seen in the endpoint server. Defaults to 5 minutes. |

AgentCommandProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.command.cancel-interval | 24 | seconds | Interval to cancel expired commands |
| rsa.endpoint.command.expiration-count | 5 | integer | Indicates the maximum number of times a command would be resent to agent(s) |
| rsa.endpoint.command.expiration-time | 20 | seconds | Indicates the duration until when a command will not be resent to agent(s) |

DataRetentionProperties

                                                                 
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.config.data-retention.enabled | true | boolean | Indicates if all machine data older than the configured threshold {@code #thresholdInDays} is to be deleted. This is enabled by default. |
| rsa.endpoint.config.data-retention.initial-rollover-delay | 1 | seconds | Time to delay before the first execution of the storage size based retention job |
| rsa.endpoint.config.data-retention.recurrence-interval | 0 0 0 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 12:00:00 AM, by default. |
| rsa.endpoint.config.data-retention.rollover-after | 80 | double | The threshold (in %) indicating the storage size used, after which data should be cleaned up from the database |
| rsa.endpoint.config.data-retention.rollover-chunk-size | 10 | double | The chunk of data that should be cleaned up from the database. For example, 10 indicates 10% of the data should be cleaned up. Used for the storage size based data retention job. |
| rsa.endpoint.config.data-retention.rollover-delay | 10 | seconds | Delay between invocations of the storage size based retention job |
| rsa.endpoint.config.data-retention.size-based-rollover-enabled | true | boolean | Indicates if the storage size based retention job is enabled. This involves clearing up the disk if it reaches a certain threshold {@see #rolloverAfter}. This is enabled by default. |
| rsa.endpoint.config.data-retention.threshold-in-days | 30 | integer | The retention threshold specified (in days) |

DownloadedDataRetentionProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.config.downloaded-data-retention.enabled | true | boolean | Indicates retention active status. This is enabled by default. |
| rsa.endpoint.config.downloaded-data-retention.recurrence-interval | 0 0 0 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 00:00:00 AM, by default. |
| rsa.endpoint.config.downloaded-data-retention.threshold-in-days | 90 | integer | The retention threshold specified (in days) |

InactiveMachineRetentionProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.config.inactive-machine-retention.enabled | true | boolean | Indicates if all machines inactive for more than the configured threshold {@code #thresholdInDays} are to be deleted. This is enabled by default. |
| rsa.endpoint.config.inactive-machine-retention.recurrence-interval | 0 0 1 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 01:00:00 AM, by default. |
| rsa.endpoint.config.inactive-machine-retention.threshold-in-days | 90 | integer | The retention threshold specified (in days) |

DataStoreHealthProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.data-store-thresholds.fatal-percent | 95 | integer | |
| rsa.endpoint.data-store-thresholds.warning-percent | 85 | integer | |

DataStoreProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.data.application.compression-factor | 2.5 | double | Indicates the compression ratio used by mongo while writing to the filesystem |
| rsa.endpoint.data.application.db-path | | string | Specifies the path/directory allocated for the database files. Assumed to be /var/netwitness/mongo by default. |

RepositoryProperties

                       
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.datastore.index-creation-enabled | true | boolean | Determines whether the indexes should be created on service startup |

FileDownloadProperties

                                                                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.download.agent-beacon-threshold | 5 | seconds | Indicates the agent beacon time considered to (re)attempt file download |
| rsa.endpoint.download.base-path | | string | Path in the Endpoint server where downloaded files are stored. Assumed to be /var/netwitness/endpoint-server by default. |
| rsa.endpoint.download.command-expiration-time | 20 | seconds | Indicates the expiration time for automatic file download commands, after which the command would be cancelled |
| rsa.endpoint.download.disk-check-interval | 5 | seconds | Indicates the interval to check the health of the disk to which files will be downloaded |
| rsa.endpoint.download.file-processor-batch-size | 100 | integer | Max number of concurrent processing requests that should be handled by the server |
| rsa.endpoint.download.max-attempts | 50 | integer | Maximum number of agents that will be tried in order to get the file downloaded to the server, following which the next server takes over (if any) |
| rsa.endpoint.download.max-pending-commands | 50 | integer | Defines the maximum cap of unprocessed file download commands that can exist for a given agent; i.e., although {@link AgentCommandRequestType#Manual} commands can still be created, it is used to restrict the addition of {@link AgentCommandRequestType#Automatic} file download commands |
| rsa.endpoint.download.periodic-delay | 1 | seconds | Interval between successive lookups and attempts made by the server to create/issue file download commands |
| rsa.endpoint.download.threads | 2 | integer | Max number of request handler threads |
| rsa.endpoint.download.update-interval | 300 | seconds | Time interval (in seconds) at which the downloaded status of newly added files is updated. Defaults to 5 minutes. |

ExecutionRetryProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.execution.retry.file-persistence-delay | 50 | seconds | Indicates the wait time for retrying file data persistence |
| rsa.endpoint.execution.retry.max-delay | 2 | seconds | Indicates the maximum delay to be used between retries |
| rsa.endpoint.execution.retry.min-delay | 30 | seconds | Indicates the minimum delay to be used between retries |

ExportProperties

                                               
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.export.directory-context | ExportDirectory | string | Represents the directory context (reference name) for the files to be exported |
| rsa.endpoint.export.file-cleanup-interval | 1800 | seconds | Schedule interval for cleanup of files/directories |
| rsa.endpoint.export.file-expiration-time | 3600 | seconds | Expiration time for the file(s) created |
| rsa.endpoint.export.max-exportable-entries | 100000 | integer | Maximum number of entries that can be exported into CSV from the database, for files |
| rsa.endpoint.export.path-prefix | temp/export | string | Represents the path prefix for files to be exported |

FileDownloadDiskHealthProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file-download-disk-thresholds.fatal-percent | 70 | integer | |
| rsa.endpoint.file-download-disk-thresholds.warning-percent | 60 | integer | |

FileCacheProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file.cache.expiration-time | 1800 | seconds | Expiration threshold, since last access of item(s) |
| rsa.endpoint.file.cache.size | 100000 | long | Maximum items in the cache |

FileReputationStatusProperties

                                                     
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file.reputation.ignored-notifications-query-interval | 300 | seconds | Time (in seconds) between subsequent queries for ignored notifications |
| rsa.endpoint.file.reputation.known-signed-providers | microsoft,apple | string | List of signature providers for which the reputation does not need to be computed. This is only taken into account when filterOutKnowFiles = true. |
| rsa.endpoint.file.reputation.query-batch-size | 2000 | integer | Max number of hashes that should be fetched from the repository in a single query |
| rsa.endpoint.file.reputation.request-batch-size | 500 | integer | Max number of hashes that should be part of the request sent to Contexthub-Server |
| rsa.endpoint.file.reputation.request-interval | 10 | seconds | Time (in seconds) between subsequent requests to be sent to Reputation-Server |
| rsa.endpoint.file.reputation.skip-known-good-files | true | boolean | Should reputation be computed for files from known sources? These can be files that are signed by known CAs, or files that the customer might have configured as white-listed. |

RiskScoreProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file.score.query-batch-size | 2000 | integer | Max number of files/machines to be fetched from the repository in a single query |
| rsa.endpoint.file.score.request-interval | 20 | seconds | Time (in seconds) between subsequent requests to be sent |

FileContextProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file.search.timeout | 30 | seconds | Timeout (in seconds) for the file context keyword search operation |
| rsa.endpoint.file.search.total-count | 100 | integer | Max number of results that will be returned for a/any snapshot response |

FileStatusProperties

                                         
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.file.status.ignored-notifications-query-interval | 300 | seconds | Time (in seconds) between subsequent queries for ignored notifications |
| rsa.endpoint.file.status.query-batch-size | 3000 | integer | Max number of hashes that should be fetched from the repository in a single query |
| rsa.endpoint.file.status.request-batch-size | 500 | integer | Max number of hashes that should be part of the request sent to Contexthub-Server |
| rsa.endpoint.file.status.request-interval | 10 | seconds | Time (in seconds) between subsequent requests to be sent to Reputation-Server |

GroupPolicyProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.group-policy.bulk-write-count | 1000 | integer | Number of items to be written as part of a batch/bulk write operation performed, to assign/update group-policy to machines present in the deployment |
| rsa.endpoint.group-policy.initial-sync-delay | 20 | seconds | Time to wait for the initial group-policy details to be synced |
| rsa.endpoint.group-policy.periodic-evaluation-delay | 30 | seconds | Interval between successive evaluations performed (if required), to assign/update group-policy to machines present in the deployment |

MachineFileProperties

                                                     
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.machine-file.delete-task-delay | 300 | seconds | Initial delay to clean up the {@link CollectionConstants#MACHINE_FILE_COLLECTION} collection for un-managed agents and decrement the host count |
| rsa.endpoint.machine-file.fetch-limit | 10 | integer | Number of documents to be fetched from the {@link CollectionConstants#MACHINE_FILE_STAGE_COLLECTION} collection and merged into the {@link CollectionConstants#MACHINE_FILE_COLLECTION} collection |
| rsa.endpoint.machine-file.periodic-merge-delay | 30 | seconds | Interval between successive merges of the {@link CollectionConstants#MACHINE_FILE_STAGE_COLLECTION} collection into the {@link CollectionConstants#MACHINE_FILE_COLLECTION} collection |
| rsa.endpoint.machine-file.refresh-time | 86400 | seconds | Time interval to refresh the files present in a machine. The min value is set to 8h and max value is 48h. |
| rsa.endpoint.machine-file.refresh-time-delay | 900 | seconds | Time interval to check whether agent files need to be refreshed and, if so, create a command for the agent. |
| rsa.endpoint.machine-file.staged-machine-file-deletion-delay | 60 | seconds | Delay between cleanups of machine file data from the {@link CollectionConstants#MACHINE_FILE_STAGE_COLLECTION} collection |

MachineServiceProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.machine.fetched-machines-limit | 100 | integer | The number of machine infos fetched for a given checksum. This is used to fetch the top 'n' risky machine-infos for a given file. |
| rsa.endpoint.machine.search-query-timeout | 10 | seconds | Max timeout for the machine detail query to complete, in milliseconds |
| rsa.endpoint.machine.status-persistence-interval | 30 | seconds | Interval (in seconds) at which machine/agent status is persisted to the db. Since this is a costly operation, a higher value is preferred; the higher the value, the more inaccurate status-related db queries will be. |

MachineFileScoreConfigurationProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.machine.file.score.limit-of-checksums-in-batch | 500 | integer | |
| rsa.endpoint.machine.file.score.min-delay-for-refresh-seconds | 120 | seconds | |

MetaForwardProperties

                                                                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.meta.enabled | false | boolean | Enable/Disable Meta integration |
| rsa.endpoint.meta.ld-buffer-check-enabled | true | boolean | Configuration option to disable the throttling on Log decoder buffer availability. |
| rsa.endpoint.meta.ld-buffer-limit-percentage | 75 | integer | Pool.packet.capture / pool.packet.page percentage at which we need to throttle. |
| rsa.endpoint.meta.logdecoder-host | | string | Log decoder IP to which metas are to be posted |
| rsa.endpoint.meta.logdecoder-port | 0 | integer | Log decoder port to which metas are to be posted |
| rsa.endpoint.meta.logdecoder-rest-password | | string | Password to access the logdecoder REST port |
| rsa.endpoint.meta.logdecoder-rest-port | 0 | integer | Log decoder REST port to which metas are to be posted. This port number is used to query the available buffer before sending the meta. |
| rsa.endpoint.meta.logdecoder-rest-username | | string | Username to access the logdecoder REST port |
| rsa.endpoint.meta.protobuf-ssl-enabled | false | boolean | SSL or Non SSL communication |
| rsa.endpoint.meta.rest-ssl-enabled | false | boolean | REST SSL or Non REST SSL communication |

PackagerProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.packager.agent-cert-name | client.p12 | string | |
| rsa.endpoint.packager.beacon-interval | 600 | seconds | |
| rsa.endpoint.packager.packager-dir | /usr/lib/netwitness/endpoint-agents | string | |

MachineDataHandlerProperties

                                               
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.queue.file-properties-drain-at-close | false | boolean | Optionally drain the queued files data to disk when the service is shut down normally |
| rsa.endpoint.queue.file-size | 100 | integer | Max number of concurrent data requests that should be handled by the server for processing file data |
| rsa.endpoint.queue.file-threads | 20 | integer | Max number of file persistence threads |
| rsa.endpoint.queue.size | 100 | integer | Max number of concurrent data requests that should be handled by the server |
| rsa.endpoint.queue.threads | 10 | integer | Max number of request handler threads |

QueueFileSystemPersistenceProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.queue.file.directory-context | dataDirectory | string | Represents the directory context (reference name) for the files to be persisted from file queues |
| rsa.endpoint.queue.file.path-prefix | temp/queue/files | string | Represents the path prefix for files to be persisted from Files queues |

RelayCommunicationProperties

                                                                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.relay.communication.connect-timeout | 30 | seconds | Common connect timeout for all connections. |
| rsa.endpoint.relay.communication.initial-delay | 30 | seconds | Time to wait before attempting to connect to relay server |
| rsa.endpoint.relay.communication.max-connections | 100 | integer | Maximum number of connections allowed to nchan from relay server |
| rsa.endpoint.relay.communication.nchan-base-url | https://localhost:7056 | string | |
| rsa.endpoint.relay.communication.publish-channel | /agent/publish | string | |
| rsa.endpoint.relay.communication.request-timeout | 30 | seconds | Common request timeout for all connections. |
| rsa.endpoint.relay.communication.retry-interval | 10 | seconds | Delay between connection attempts |
| rsa.endpoint.relay.communication.subscribe-channel | /endpoint_server/subscribe | string | |
| rsa.endpoint.relay.communication.subscribe-request-timeout | 5 | seconds | 0s is infinite time. |
| rsa.endpoint.relay.communication.thread-pool-size | 100 | integer | |

RelayInstallerProperties

                                         
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.relay.installer.cert-name | relay-server-cert.p12 | string | Relay-server certificate file name |
| rsa.endpoint.relay.installer.dependency-dir | /var/netwitness/endpoint-server/relay | string | Directory where relay-server dependencies will be downloaded. The non-root user must have read and write access. |
| rsa.endpoint.relay.installer.download-on-restart | true | boolean | Flag to decide whether to delete the local copy of relay-server dependencies and download them from the configured yum repo on every endpoint server restart. The download might take some time to complete, during which the user will not be able to download the relay-server installer. |
| rsa.endpoint.relay.installer.init-delay | 20 | seconds | Delay for the background task that downloads relay-server dependencies. |

RelayMetricsProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.relay.metrics.periodic-evaluation-delay | 300 | seconds | Time interval to evaluate if any relay-server config was modified and update the metrics if required |
| rsa.endpoint.relay.metrics.refresh-time | 300 | seconds | Time interval to refresh the metrics from the relay-server |

SslContextProperties

                                   
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.ssl.cleanup-schedule | 0 0 1 * * * | string | Cron schedule for cleanup of invalidated SSL sessions |
| rsa.endpoint.ssl.ssl-session-cache-size | 0 | integer | Max number of sessions to be kept in the SSL session cache |
| rsa.endpoint.ssl.ssl-session-timeout | 0 | seconds | Max time an SSL session can be reused |

ThrottlingConfigurationProperties

                             
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.endpoint.throttling.enabled | true | boolean | |
| rsa.endpoint.throttling.max | 70 | integer | |

UdpProperties

                                         
| Name | Default value | Type | Description |
| --- | --- | --- | --- |
| rsa.transport.udp.enabled | true | boolean | Boolean to indicate if the server can consume UDP packets |
| rsa.transport.udp.port | 0 | integer | UDP port |
| rsa.transport.udp.size | 5000 | integer | Max number of concurrent data requests that should be handled by the server |
| rsa.transport.udp.threads | 20 | integer | Max number of request handler threads |
