Decoder: Step 2. Configure Capture Settings

Document created by RSA Information Design and Development on Jul 21, 2016. Last modified by RSA Information Design and Development on Oct 24, 2016.
Version 5

This topic provides a procedure for configuring data capture on Decoders and Log Decoders. 

In RSA Security Analytics, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture.

Procedure

To set up a Decoder in preparation for capturing data:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Administration Services view, select the Decoder service, and then select Actions > View > Config.
    The Services Config view is displayed with the General tab open, and the most commonly used service settings for a Decoder or Log Decoder are available for editing under Decoder configuration.
  3. In the Adapter Settings section, configure the network interface for capturing data.
  4. In the Cache section, examine the settings for cache directory and size. If necessary, modify these.
  5. In the Capture Settings section, review the default values and modify if necessary.
  6. If you want the Decoder to begin capturing data automatically when started, select the Capture Autostart checkbox.
  7. In the Database Max File Sizes section, review the default values and modify if necessary.
  8. In the Hash section, define a directory for hash files if you are using this feature. 
  9. Do one of the following:
    • If configuring a Decoder, in the Parsers Configuration panel, review the parsers selected to filter traffic and disable, enable, or mark as transient as necessary.
    • If configuring a Log Decoder, review the parsers selected to filter traffic in the Service Parsers Configuration section and disable, enable, or mark as transient as necessary.
  10. To save the changes, click Apply.
  11. If a restart is necessary to put the changes into effect, navigate to the Services System view and restart the service.
    At this point, you can start capture (also in the Services System view).