Archiver: Step 2. Add Log Decoder as a Data Source to Archiver

Document created by RSA Information Design and Development on Apr 18, 2016

This topic provides instructions on how to add a Log Decoder as a data source to Archiver.

Prerequisites

Make sure that you have:

  1. Installed the Security Analytics Archiver host in your network environment.
  2. Installed and configured Log Decoder in your network environment.
  3. Added the Archiver host to Security Analytics, and confirmed that the Archiver service shows as active and licensed.

Archiver Meta Settings Considerations

To maximize retention time, the Archiver's default set of meta items and its index are smaller than the Concentrator's and are tuned for common reporting needs. This means that, by default, not every report that runs on the Concentrator can run on the Archiver. You can view the current list of meta and index items used by the Archiver in the following locations:

  • Config view > General tab > Aggregate Services panel: The information icon in the Meta Include field shows the current list of meta items for a Log Decoder added as a data source.
  • Explorer view: The /archiver/devices/<logdecoder>/config/options path in the metaInclude field shows the current list of meta items.
  • Config view > Files tab: The index-archiver.xml shows the default index configuration. The index-archiver-custom.xml shows any modifications.

The meta items and index of the Archiver can be customized to support customer-specific reporting needs. However, this requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and reports take longer to run.

See (Optional) Configure Meta Filters for Aggregation and (Optional) Add Index Entries for Archiver Reporting for additional details.

Add Log Decoder as a data source to Archiver

  1. In the Security Analytics menu, select Administration > Services.
  2. Select the Archiver service.
  3. In the Actions column, click View > Config.
    The Services Config view of Archiver is displayed.
  4. On the General tab, in the Aggregate Services panel, click the add (+) icon.
    The Available Services dialog is displayed.
  5. Select the Log Decoder service to add as a data source to the Archiver and click OK.
  6. If the Log Decoder uses the trust model, the Add Service dialog is displayed.
  7. Type the username and password for the Log Decoder, and configure the SSL settings. Use an account created for aggregation rather than an administrator account, and enable SSL so that the credentials and the aggregated meta are not sent in clear text between the Archiver and the Log Decoder.
  8. Click OK.
    The selected Log Decoder service is listed in the Aggregate Services panel.

(Optional) Configure Meta Filters for Aggregation

Follow this procedure to view and add additional meta items to the Archiver.

Caution: Adding meta items or indexes requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and reports take longer to run.

  1. To view the current meta items, in the Aggregate Services panel, select the Log Decoder service and click the information icon in the Meta Include field.
  2. To add meta items, select the Log Decoder service and click the edit icon.
  3. In the Edit Aggregate Service dialog, select the meta items to include in the Meta Include list. For example, keys that are often added for reporting include ip.srcport, tcp.srcport, udp.srcport, msg, url, query, bytes, alias.host, ip.dst, ip.dstport, ip.src, tcp.dstport, megabytes, time, event.desc, and word.
  4. Click Save and then click Apply.
  5. See (Optional) Add Index Entries for Archiver Reporting below for information on how to index the additional meta keys.

(Optional) Add Index Entries for Archiver Reporting

Caution: Adding meta items or indexes requires additional storage, CPU, and memory, and may reduce retention time. As more meta items are added to the Archiver, the maximum aggregation rate decreases and reports take longer to run.

The Archiver’s default index configuration only includes value indexes for these keys: 

  • time
  • decoder source (did)
  • destination user account (user.dst)
  • alert ID (alert.id)
  • device IP (device.ip)
  • source IP address (ip.src)
  • destination IP address (ip.dst)
  • event description (event.desc)
  • device class (device.class)
  • medium
  • object name (obj.name)
  • word

For information on customizing this list, see Index Customization in the Security Analytics Core Database Tuning Guide.
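The two optional procedures above change a matching pair of settings: the Meta Include list on the aggregate service, and the key entries in index-archiver-custom.xml. An index entry for a key that is never aggregated costs resources and is never populated, and an aggregated key with no value index cannot be filtered efficiently in reports. The following Python script is an added example, not part of the RSA documentation or the product, that cross-checks the two before you click Apply. It assumes the Meta Include value is a comma-separated list of keys as shown in the Aggregate Services panel, and that index-archiver-custom.xml uses the <language>/<key> layout of the Security Analytics Core index files with a level attribute of IndexNone, IndexKeys or IndexValues. Both sample inputs and the check_archiver_config function are constructed for this example.

```python
"""Cross-check an Archiver Meta Include list against index-archiver-custom.xml.

Added example; not RSA documentation or product code. Assumptions:
  * Meta Include is a comma-separated key list (as shown in the UI).
  * index-archiver-custom.xml is a <language> root holding <key> elements
    whose `level` attribute is IndexNone, IndexKeys or IndexValues, and a
    custom entry overrides the default entry for the same key.
Both inputs below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# Keys that the default index-archiver.xml indexes by value (from the page).
DEFAULT_VALUE_INDEXED = {
    "time", "did", "user.dst", "alert.id", "device.ip", "ip.src", "ip.dst",
    "event.desc", "device.class", "medium", "obj.name", "word",
}

VALID_LEVELS = {"IndexNone", "IndexKeys", "IndexValues"}

# Constructed Meta Include value, as it would appear in the Edit Aggregate Service dialog.
META_INCLUDE = (
    "time,did,user.dst,alert.id,device.ip,ip.src,ip.dst,event.desc,"
    "device.class,medium,obj.name,word,ip.srcport,tcp.dstport,alias.host,msg"
)

# Constructed index-archiver-custom.xml. The last entry carries a deliberate
# typo in its level attribute to show that the checker catches it.
CUSTOM_INDEX_XML = """<?xml version="1.0" encoding="utf-8"?>
<language level="IndexNone" defaultAction="Auto">
  <key description="TCP Destination Port" format="UInt16" level="IndexValues" name="tcp.dstport" valueMax="65536"/>
  <key description="Hostname Alias" format="Text" level="IndexValues" name="alias.host" valueMax="100000"/>
  <key description="Query" format="Text" level="IndexValues" name="query" valueMax="100000"/>
  <key description="Message" format="Text" level="IndexKeyz" name="msg"/>
</language>
"""


def parse_meta_include(value):
    """Return the set of meta keys named in a Meta Include string."""
    return {k.strip() for k in value.split(",") if k.strip()}


def parse_custom_index(xml_text):
    """Return {key name: level} for every <key> element in a custom index file."""
    root = ET.fromstring(xml_text)
    return {k.get("name"): k.get("level") for k in root.iter("key")}


def check_archiver_config(meta_include, custom_index, default_indexed=DEFAULT_VALUE_INDEXED):
    """Report mismatches between the aggregated meta and the index entries.

    Returns a dict of three sorted lists:
      index_without_meta      keys with a custom index entry that are not in
                              Meta Include (never populated, still cost resources)
      meta_not_value_indexed  keys in Meta Include with no value index, so
                              reports filtering on them cannot use the index
      invalid_level           custom entries whose level attribute is unknown
    """
    aggregated = parse_meta_include(meta_include)
    custom = parse_custom_index(custom_index)

    # Custom entries override the defaults: a custom IndexNone/IndexKeys entry
    # removes the value index a default entry would otherwise provide.
    value_indexed = set(default_indexed)
    for key, level in custom.items():
        if level == "IndexValues":
            value_indexed.add(key)
        else:
            value_indexed.discard(key)

    return {
        "index_without_meta": sorted(set(custom) - aggregated),
        "meta_not_value_indexed": sorted(aggregated - value_indexed),
        "invalid_level": sorted(k for k, lvl in custom.items() if lvl not in VALID_LEVELS),
    }


if __name__ == "__main__":
    for finding, keys in check_archiver_config(META_INCLUDE, CUSTOM_INDEX_XML).items():
        print(f"{finding}: {', '.join(keys) or '(none)'}")
```

Run it with the Meta Include string copied from the dialog and the custom index file fetched from the Config view > Files tab. On the constructed input it flags query (indexed but never aggregated), ip.srcport and msg (aggregated but not value-indexed) and the misspelt level on msg; fix those before applying the change, since every extra key and index entry costs retention time.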

