Security Analytics supports two types of Decoders:
- The Decoder, which captures network data in packet form.
- The Log Decoder, which captures log data as events.
A Log Decoder is a special type of Decoder, and is configured and managed in a similar way to a Decoder. Therefore, most of the information in this section refers to both types of Decoders. Differences for Log Decoders are noted.
Adding a Decoder makes it visible and available for use with Security Analytics Administration, Live, and Investigation. To add a service in Security Analytics, you select the service type, provide service connection information, and validate that the service can be reached.
Configuring the Decoder to capture data involves selecting a capture adapter and choosing cache and capture settings.
When the Decoder is available in Security Analytics, it is ready to capture traffic. You can configure each Decoder with rules, feeds, and parsers to control the type of traffic it captures.
Note: If you install Security Analytics 10.4 on an S5 Decoder appliance, you may experience a drop in packets. In such cases, RSA recommends that you upgrade to Security Analytics version 10.5.