Decoder: Step 2: Configure Capture Settings

Document created by RSA Information Design and Development on Jul 26, 2016. Last modified by RSA Information Design and Development on Sep 28, 2016.
Version 4

In RSA Security Analytics, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture.

To set up a Decoder in preparation for capturing data:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Administration Services view, select the Decoder service and Actions > View > Config.
    The Services Config view is displayed with the General tab open, and the most commonly used service settings for a Decoder or Log Decoder are available for editing under Decoder configuration.

  3. In the Adapter Settings section, configure the network interface for capturing data.
  4. In the Cache section, examine the settings for cache directory and size. If necessary, modify these.
  5. In the Capture Settings section, review the default values and modify if necessary.
  6. If you want the Decoder to begin capturing data automatically when started, select the Capture Autostart checkbox.
  7. In the Database Max File Sizes section, review the default values and modify if necessary.
  8. In the Database Open Files section, review the default values and modify if necessary.
  9. In the Hash section, define a directory for hash files if you are using this feature. 
  10. Do one of the following:
    • In the Parsers Configuration panel, review the parsers selected to filter traffic and disable, enable, or mark as transient as necessary.
    • If configuring a Log Decoder, review the parsers selected to filter traffic in the Service Parsers Configuration section and disable, enable, or mark as transient as necessary.
  11. To save the changes, click Apply.
  12. If a restart is needed to put the changes into effect, navigate to the Services System view and restart the service.
    At this point, you can start capture (also in the Services System view).