000029545 - Security Analytics 10.3 & 10.4: How to throttling VLC traffic to Local Collector (Log Decoder) when limited bandwidth is an issue

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000029545
Applies ToRSA Security Analytics 10.3
RSA Security Analytics 10.4
RSA Security Analytics Log Collector

RSA Security Analytics Virtual Log Collector
IssueThere is some scenarios where limited bandwidth between VLC (remotely using VPN or small bandwidth) and LC that can be resolved by using a script that RSA provides to throttle traffic.  This script is located on the VLC and is called set-shovel-transfer-limit.sh
TasksThe script is located on /opt/netwitness/bin/set-shovel-transfer-limit.sh on the VLC.
Running the script without any usage will print out usage as seen below: 
Usage: ./set-shovel-transfer-limit.sh -s|-c|-d|-m [-i interface] [-p port] [-r rate]
      -c = clear existing
         ex.   tc qdisc del dev eth0 root
               iptables --flush OUTPUT --table mangle
      -d = display filter
         ex.   iptables -t mangle -n -v -L
               tc -s -d class show dev eth0
      -m = monitor filter
         ex.  watch tc -s -d class show dev eth0
      -s = set new values
          interface is the name of the network interface. default=eth0
          port is the port number for rabbit shovel.  default=5671
          rate is the bandwidth rate. default=256kbps
          Bandwidths or rates can be specified in:
            kbps = Kilobytes per second
            mbps = Megabytes per second
            kbit = Kilobits per second
            mbit = Megabits per second
            bps  = Bytes per second
            "nolimit" disables
ResolutionThis syntax example demonstrates limiting bandwidth between VLC and the Local Collector (Log Decoder) to 512kbps, noting that the commands are run as root from the command line on the VLC:
#/opt/netwitness/bin/set-shovel-transfer-limit.sh -s -r 512kbps
Stats can be seen by running the following command:

#/opt/netwitness/bin/set-shovel-transfer-limit.sh -m watch tc -s -d class show dev eth0