IPDB: Services Config View - IPDB Extractor Configuration

Document created by RSA Information Design and Development on May 3, 2016. Last modified by RSA Information Design and Development on Sep 1, 2016.
Version 3

This topic describes the General tab configuration parameters for the IPDB Extractor service. The General tab for an IPDB Extractor in the Service Config view provides a way to manage service configuration, configure data retrieval, and select the parsers that are applied to the retrieved data.

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services View, select the IPDB Extractor service.
  3. In the Actions column, click   > View > Config.

    The Service Config view is displayed with the IPDB Extractor Service General tab open.

System Configuration

The System Configuration section manages service configuration for a service. When a service is first added, default values are in effect. You can edit these values to tune performance.

The System Configuration section has these parameters.

Parameter | Description

Compression

The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0.

A change in value is effective immediately for all subsequent connections.

Port

The port on which the service listens. The default ports are:

  • 50001 for Log Collectors
  • 50002 for Log Decoders
  • 50003 for Brokers
  • 50004 for Decoders
  • 50005 for Concentrators
  • 50007 for other services

The default port for IPDB Extractor Service is 50025.

SSL

When enabled (on), the security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The default value is off.

Stat Update Interval

The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000.

A change in value is effective immediately.

Threads

The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. The default value is 15.

A change takes effect on service restart.

IPDB Extractor Configuration

The IPDB Extractor Configuration panel parameters are used to manage service configuration for the IPDB Extractor. When you add an IPDB Extractor service, the default values are in effect. RSA designed the default values to accommodate most environments and recommends that you do not edit these values because doing so may adversely affect performance.

Parameters that set up and tune data retrieval include:

  • Extractor Settings
  • Query Settings

Extractor Settings

The following table describes the Extractor Settings.

Name | Config Value

Buffer Size (MB)

The size (in megabytes) of the data retrieval buffer. Default value is 1. You must restart the IPDB Extractor service after modifications for this value to take effect.

Mapping of storage location to mount point

For an IPDB with multiple storage locations only. If you have multiple storage locations on an IPDB, you must map them to the corresponding mount points so that the IPDB Extractor can extract data from them. For example:

    \\1.1.1.1\vol1\nic\lsnode\LSIPDB-LC1~storage1,\\1.1.1.1\vol2\nic\lsnode\LSIPDB-LC1~storage2

You must restart the IPDB Extractor service after modifications for this value to take effect.

Num Of Buffers

The number of data retrieval buffers. Valid values are 1 - 4. Default value is 4 buffers. You must restart the IPDB Extractor service after modifications for this value to take effect.

Num Of Buffers in the pool

The number of buffers in the pool of available buffers. Valid values are 500 - 700. Default value is 500 buffers. You must restart the IPDB Extractor service after modifications for this value to take effect.

Num Of requests in the pool

The number of requests in the pool. Valid values are 500 - 6000. Default value is 500 requests. You must restart the IPDB Extractor service after modifications for this value to take effect.

Num Of Threads in the threadpool

The number of threads in the thread pool. Valid values are 50 - 200. Default value is 50 threads. You must restart the IPDB Extractor service after modifications for this value to take effect.

Parse Threads

The number of parse threads used for session parsing. Valid value is a number. Default value is 0 parse threads. If you specify 0, the server determines the number of threads based on the data volume. You must restart the IPDB Extractor service after modifications for this value to take effect.

Transport URI

The Transport Uniform Resource Identifier (URI) is used to communicate between the IPDB client and the IPDB Extractor server. The default value is vives://127.0.0.1:50009. You must restart the IPDB Extractor service after modifications for this value to take effect.

Transport Worker Threads

The number of worker threads to process the transport client requests. You must restart the IPDB Extractor service after modifications for this value to take effect.

Use L1 Bloom

Use L1 Bloom for faster retrieval of data from IPDB.  If the Bloom Filter index is enabled for a meta and the event logs contain the meta value that is being requested in the report query, then the corresponding data files are read, else they will be skipped. Default value is checked (use L1 Bloom).

Note: You must have August 2013 or later content packet installed to specify the Use L1 Bloom and Use L2 Bloom options.

Use L2 Bloom

Use L2 Bloom for faster retrieval of data from the IPDB. If the Bloom Filter index is enabled for a meta and the event logs contain the meta value that is being requested in the report query, then the corresponding data files are read, else they will be skipped. Default value is checked (use L2 Bloom).

Use L2 Indexing

Use L2 indexing when retrieving data from the IPDB. Default value is checked (use L2 indexing).

Use Sqlite Filter

Apply sqlite filter to events. Default value is checked (apply sqlite filter).

Query Settings

The following table describes the IPDB Extractor Query Settings.

Name | Config Value

Query Idle Limit

The time in seconds Security Analytics waits between subsequent data retrievals before it closes a query. Default value is 3600.

Query Status Interval

The time in seconds Security Analytics waits between updates to query statistics. Valid value is in the 1 - 200 range. Default value is 10. Security Analytics sets this value to the Stat Update Interval value in the Profile View > Preferences panel > General Tab if the Query Status Interval is less than the Stat Update Interval.
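
The following added example (not RSA code and not part of the original topic) checks a snapshot of these settings against the valid ranges in the Extractor Settings and Query Settings tables, parses the storage-location mapping string, and flags a non-loopback Transport URI or SSL left at its default of off. The snapshot dictionary, the function names, and reading the text before `~` as the storage location and the text after it as the mount point are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical snapshot format: setting names from this page mapped to values.
MAPPING_KEY = "Mapping of storage location to mount point"
RANGES = {  # valid ranges from the Extractor Settings and Query Settings tables
    "Num Of Buffers": (1, 4),
    "Num Of Buffers in the pool": (500, 700),
    "Num Of requests in the pool": (500, 6000),
    "Num Of Threads in the threadpool": (50, 200),
    "Query Status Interval": (1, 200),
}

def parse_mapping(value):
    """Split 'location~mount,location~mount' into (location, mount) pairs."""
    pairs = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        location, sep, mount = entry.rpartition("~")  # assumed order: location~mount
        if not (sep and location and mount):
            raise ValueError(f"malformed mapping entry: {entry!r}")
        pairs.append((location, mount))
    return pairs

def audit(settings):
    """Return a list of findings for one settings snapshot."""
    findings = []
    for name, (lo, hi) in RANGES.items():
        if name in settings and not lo <= settings[name] <= hi:
            findings.append(f"{name}={settings[name]} outside {lo}-{hi}")
    try:
        parse_mapping(settings.get(MAPPING_KEY, ""))
    except ValueError as exc:
        findings.append(f"Mapping: {exc}")
    uri = settings.get("Transport URI", "vives://127.0.0.1:50009")  # documented default
    try:
        loopback = ipaddress.ip_address(urlsplit(uri).hostname or "").is_loopback
    except ValueError:  # host is missing or is a name rather than an IP address
        loopback = False
    if not loopback:
        findings.append(f"Transport URI {uri} is not a loopback address")
    if not settings.get("SSL", False):  # documented default is off
        findings.append("SSL is off: transmission is not SSL-encrypted")
    return findings

SAMPLE = {  # constructed values for illustration
    "Num Of Buffers": 8, "Transport URI": "vives://10.0.0.5:50009", "SSL": False,
    MAPPING_KEY: r"\\1.1.1.1\vol1\nic\lsnode\LSIPDB-LC1~storage1,"
                 r"\\1.1.1.1\vol2\nic\lsnode\LSIPDB-LC1~storage2",
}
print("\n".join(audit(SAMPLE)))
```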

Parsers Configuration

The Parsers Configuration panel provides a way to select parsers to use on the IPDB Extractor.

The table describes the features of the Parsers Configuration section.

Feature | Description

Name

The names of parsers available to the IPDB Extractor. A plus sign indicates that the metadata generated by the parser is configurable. Clicking the plus sign displays the metadata that the parser can create.

Config Value

A checkbox toggles the setting for the parser or metadata on or off. When the box is checked, the IPDB Extractor is using the parser to filter traffic; when unchecked, the IPDB Extractor is not using the parser. If the generated metadata for the parser is configurable, a checkbox selects the metadata the parser will create.

Service Parsers Configuration

The Service Parsers Configuration panel is used to select the service parsers to use on the IPDB Extractor service.
