000027795 - Q&A on Enabling Meta Compression in RSA Security Analytics 10.3

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000027795
Applies ToRSA Security Analytics
RSA Security Analytics 10.3
RSA Security Analytics Log Decoder
RSA Security Analytics Concentrator
Meta Compression
IssueQ&A on Enabling Meta Compression in RSA Security Analytics 10.3.
What is the performance impact of enabling meta compression in Security Analytics?
After enabling compression in Security Analytics, will the existing data/database be compressed?
Can Security Analytics handle the compressed and uncompressed data?
When meta compression is enabled, will there be any performance degradation when running queries or reports in Security Analytics?
Resolution

Question:  What is the performance impact of enabling meta compression in Security Analytics?

Answer:  The performance impact per component is as follows:

Log Decoder : The maximum events per second rate is reduced. The time to retrieve raw logs can from the log decoder is increased.
Concentrator : The maximum rate at which the Concentrator can aggregate from the Log Decoder is reduced.

 

Question:  After enabling compression in Security Analytics, will the existing data/database be compressed?

Answer:  Existing data is always immutable until it is rolled out. However, a concentrator can undergo a Data Reset and reaggreate everything present on the Log Decoder with compression turned on.

 

Question:  Can Security Analytics handle the compressed and uncompressed data?

Answer:  Yes, compression can be turned on or off at will while the system is running. If you change compression settings, it simply starts a new database file.

 

Question:  When meta compression is enabled, will there be any performance degradation when running queries or reports in Security Analytics?

Answer:  Yes, although the impact varies from very small to significant depending on the types of queries and reports that are run. Investigation performance is impacted relatively little because it only uses the index.

Legacy Article IDa65372

Attachments

    Outcomes