Configure ESA to Use Capture Time Ordering

Document created by RSA Information Design and Development on Jul 21, 2016. Last modified by RSA Information Design and Development on Feb 9, 2017. Version 2.

This topic tells administrators how to configure the ESA to use capture time ordering when two or more Concentrators are used as sources.

By default, ESA uses the ESA time stamp (the time at which events are received by the ESA) to correlate events. However, ESA also supports session ordering based on capture time (the time at which the packet or log event reached the Decoder). This feature is useful if you are correlating events from two or more Concentrators. When you have two or more Concentrators as sources, time ordering ensures that their sessions are correlated together by capture time, so that sessions captured at the same time are correlated together and alerts match users' expectations even when transmission delays differ between sources. If any of the sources go offline or are slow to send sessions, the ESA pauses to ensure that sessions with the same capture time stamps are correlated together.

For example, you have two sources with events that occur at 10:00 a.m. Using Capture Time Ordering, these events are held in the buffer until the ESA detects that all events occurring at 10:00 a.m. have been added to the buffer. Once all the events have arrived, events are then processed using EPL rules. This ensures that a rule has all events with the same time-stamp from different sources in order to obtain correct results. If, for example, one Concentrator lags behind another, the ESA pauses until it has all the events time-stamped at 10:00 a.m. from both sources before it runs the EPL rules against the events. 

Caution: Although this feature increases accuracy, it impacts performance. The default configuration of the ESA ensures that data is constantly streaming, but because Capture Time Ordering uses a buffer, it takes longer to process events. This is especially true if the ESA must pause for any length of time while waiting for the buffer to fill. There are several parameters you can configure (see below) to handle this situation; however, there may still be a performance impact.

By default, this feature is disabled.

Capture Time Order Workflow

The following diagram (summarized in the steps below) shows the workflow when Capture Time Ordering is enabled.

  1. Events are time-stamped as they are captured by the Decoder.
  2. After Concentrator processing, events are buffered and ordered. The buffer size is calculated from two parameters: MaxEPSExpectedPerSource (the maximum volume of traffic, in EPS, you expect the ESA to receive from any one source) multiplied by TimeOrderHoldWindow (the amount of time to allow for events to arrive from all sources).
  3. The ordered events are then correctly correlated in EPL rules. 

Prerequisites

Two or more Concentrators must be configured as data sources in ESA.

When the StreamEnabled parameter is set to true, all machines running Core Services must be in NTP sync; otherwise capture time stamps from different sources cannot be compared reliably.

Procedures

The following procedures tell you how to enable and configure Capture Time Ordering.

Enable Buffering and Capture Time Ordering

Note: After an upgrade or in a high EPS environment, you need to re-add the data sources to start seeing the benefits, or you must wait until the sessions catch up before you enable Capture Time Ordering.

  1. In the Security Analytics menu, select Administration > Services. Select your ESA service and then select the actions menu > View > Explore.
  2. Go to Workflow > Source > nextgenAggregationSource.
  3. Set the StreamEnabled attribute to true. StreamEnabled allows ESA to buffer events received from Concentrators.
  4. Set the TimeOrdered attribute to true. This enables the buffered events to be ordered by the capture time stamp from the Concentrator.

Configure Capture Time Ordering

When you work with Capture Time Ordering, you need to configure several other parameters to ensure performance. The following table shows parameters and their function. Configuring these parameters requires knowledge of your traffic volume and rate.

Note: If you do not know your traffic volume or latency, consult with your Professional Services representative before configuring this feature.

MaxEPSExpectedPerSource

Specify the maximum volume of traffic (EPS, or events per second) you expect for the ESA service to receive from your busiest source (for example, if one source receives 20K EPS, and another receives 25K EPS, set the value at 25K EPS).

If you set this rate too low, there is a short-term impact on performance. However, ESA automatically increases the value for MaxEPSExpectedPerSource as needed to make progress in Time Ordered mode.

The default value is 20K.

TimeOrderHoldWindow

Specify in seconds (whole integers) the amount of time to allow for events to arrive from all sources. 

Configure this value based on the latency between the sources.

The default value is 2 seconds. Decreasing this value can increase the chance of dropped events. Increasing this value can decrease performance because more memory is consumed. 

IdleSourceAdvanceAfterSeconds

Specify the interval (in seconds) after which the ESA takes an idle source (no events are coming from the source, but the source is not offline) out of the equation to allow progress on a capture time ordered stream. The default value is 0, meaning that the ESA waits indefinitely for events to arrive.

OfflineSourceAdvanceAfterSeconds

Specify the interval (in seconds) after which the ESA takes an offline source out of the equation to allow progress on a capture time ordered stream. The default value is 0, which means the ESA waits indefinitely. This parameter does not affect the re-connection retries, which are performed in all cases.
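As an added illustration (constructed for this page; it is not RSA's code and does not claim to show how ESA is implemented internally), the following Python model shows how the buffering step in the workflow above and the TimeOrderHoldWindow and IdleSourceAdvanceAfterSeconds parameters interact: a lagging Concentrator holds the stream back until it is taken out of the equation, and an event that arrives after its capture time has already been released is dropped. The source names, capture times and wall-clock values are constructed sample data.

```python
import heapq
from collections import namedtuple
# Constructed model of the buffering/ordering stage described above; not RSA's code.
Event = namedtuple("Event", "capture_ts source payload")  # heap orders by capture_ts first

class CaptureTimeOrderer:
    def __init__(self, sources, hold_window=2, idle_advance=0):
        self.hold_window = hold_window      # TimeOrderHoldWindow, seconds
        self.idle_advance = idle_advance    # IdleSourceAdvanceAfterSeconds, 0 = wait forever
        self.frontier = {s: 0 for s in sources}         # newest capture_ts seen per source
        self.last_arrival = {s: None for s in sources}  # wall-clock time of last event per source
        self.heap, self.dropped = [], []    # buffered events; events that arrived too late
        self.released_upto = None           # capture time the stream has already advanced past
    def ingest(self, ev, now):
        self.last_arrival[ev.source] = now
        self.frontier[ev.source] = max(self.frontier[ev.source], ev.capture_ts)
        if self.released_upto is not None and ev.capture_ts <= self.released_upto:
            self.dropped.append(ev)  # late: a shorter hold window makes this more likely
        else:
            heapq.heappush(self.heap, ev)
    def release(self, now):
        # Emit, in capture-time order, the events every source still "in the equation" has moved past.
        frontiers = []
        for s, f in self.frontier.items():
            seen = self.last_arrival[s]
            if self.idle_advance > 0 and (seen is None or now - seen > self.idle_advance):
                continue        # idle source taken out of the equation
            if seen is None:
                return []       # still waiting on a source that has sent nothing yet
            frontiers.append(f)
        if not frontiers:
            return []
        watermark = min(frontiers) - self.hold_window
        out = []
        while self.heap and self.heap[0].capture_ts <= watermark:
            out.append(heapq.heappop(self.heap))
        if self.released_upto is None or watermark > self.released_upto:
            self.released_upto = watermark
        return out

def demo(idle_advance):
    # Concentrator A delivers capture times 100..105; B stops after 103 and goes idle.
    o = CaptureTimeOrderer(["conc-a", "conc-b"], hold_window=2, idle_advance=idle_advance)
    for src, last in (("conc-a", 105), ("conc-b", 103)):
        for ts in range(100, last + 1):
            o.ingest(Event(ts, src, "x"), now=ts)
    first = o.release(now=105)   # both active: stream advances to min(105, 103) - 2 = 101
    second = o.release(now=107)  # B idle for 4 s: progress only if idle_advance lets ESA skip B
    o.ingest(Event(101, "conc-b", "late"), now=108)  # capture time already released: dropped
    return first, second, o.dropped
```

Run demo(3) and demo(0) side by side: with the idle timeout set, the second release advances past the idle Concentrator; with the default 0, the stream stays paused until that source sends again.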

Troubleshooting Tips

When using this feature, it is possible for events to become backlogged. To resolve this, choose one of the following options.

Disable Capture Time Ordering

  1. In the Security Analytics menu, select Administration > Services. Select your ESA service and then select the actions menu > View > Explore.
  2. Go to Workflow > Source > nextgenAggregationSource.
  3. Set the StreamEnabled attribute to false.
  4. Set the TimeOrdered attribute to false.

If you disable Capture Time Ordering, you will lose the backlogged data, and events will no longer be ordered by capture time. 

Disable Position Tracking

Position tracking allows ESA to track where it stopped processing events if the ESA stops or is shut down. Position tracking is enabled by default with Capture Time Ordering. If you disable position tracking, this allows ESA to skip the backlogged events. For example, if the ESA goes down at 7:00 a.m., and you restart it at 11:00 a.m. with position tracking disabled, the ESA will start processing events that occurred at 10:55 a.m. With position tracking enabled, the ESA will start processing events at the point at which it stopped.

  1. In the Security Analytics menu, select Administration > Services. Select your ESA service and then select the actions menu > View > Explore.
  2. Go to Workflow > Source > nextgenAggregationSource.
  3. Set the PositionTrackingEnabled attribute to false.

If you disable Position Tracking, you will lose the backlogged data, but going forward, events will be ordered by capture time. 
