This topic provides a procedure for configuring data capture on Decoders and Log Decoders.
In RSA Security Analytics, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture.
To set up a Decoder in preparation for capturing data:
- In the Security Analytics menu, select Administration > Services.
- In the Administration Services view, select the Decoder service and > View > Config.
  The Services Config view is displayed with the General tab open, and the most commonly used service settings for a Decoder or Log Decoder are available for editing under Decoder configuration.
- In the Adapter Settings section, configure the network interface for capturing data.
- In the Cache section, examine the settings for cache directory and size. If necessary, modify these.
- In the Capture Settings section, review the default values and modify if necessary.
- If you want the Decoder to begin capturing data automatically when started, select the Capture Autostart checkbox.
- In the Database Max File Sizes section, review the default values and modify if necessary.
- In the Hash section, define a directory for hash files if you are using this feature.
- Do one of the following:
  - In the Parsers Configuration panel, review the parsers selected to filter traffic and disable, enable, or mark as transient as necessary.
  - If configuring a Log Decoder, review the parsers selected to filter traffic in the Service Parsers Configuration section and disable, enable, or mark as transient as necessary.
- To save the changes, click Apply.
- If a restart is needed to put the changes into effect, navigate to the Services System view and restart the service.
At this point, you can start capture (also in the Services System view).