|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Decoder
RSA Version/Condition: 10.5.x
O/S Version: EL6
|Notes||Testing rules of thumb:|
1. Begin testing with only native parsers, and exclude SMB/WebMail.
2. Do not download any Live content until testing baselines are established and optimim performance throughput is seen.
3. Live content should be added in very slowly - especially parsers. Parsers can have a dramatic effect on performance.
4. When the DACs do not have enough throughput to sustain the capture speed, this log message will be seen on the 10G Decoder in /var/log/messages:
[Warning] Write thread blocked waiting for previous file flush to finish: packet-XXXXXXX.nwpdb
5. Add only one or two parsers in at a time
6. Measure the performance impact of those new parsers during peak capture times, keep deltas.
7. If drops start occurring when they didn't happen before, disable any recently added parsers/rules/feeds to the last stable delta.
8. Avoid inefficient parsers as a rule.
9. Feeds by rule cause fewer performance impacts. However best practice dictates to minimize the number of feeds (especially large feeds) added at any given time to measure performance impacts
10. Rules also tend to have lower observable performance impact, though again, it is ill advised to add a large number of rules at once without measuring the performance impact