SA Cfg: Decoder and Log Decoder Statistics

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic lists and describes the available appliance statistics for RSA Security Analytics Decoders and Log Decoders. Statistics that apply only to Decoders and Log Decoders reside in decoder/stats.

Available Decoder and Log Decoder Statistics

The following table describes the available Decoder and Log Decoder statistics.

Resource: Description

Connections
alive.since: Displays the time in UTC when this connection was established.
connection.type: Displays the type of connection, either native or rest.
bytes.compressed.received: Displays the number of compressed bytes received from this connection. No longer used in Security Analytics 10.2.
bytes.compressed.sent: Displays the number of compressed bytes sent on this connection. No longer used in Security Analytics 10.2.
bytes.max.message.received: Displays the size in bytes of the largest message received from this connection. No longer used in Security Analytics 10.2.
bytes.max.message.sent: Displays the size in bytes of the largest message sent on this connection. No longer used in Security Analytics 10.2.
bytes.uncompressed.received: Displays the number of uncompressed bytes received from this connection. No longer used in Security Analytics 10.2.
bytes.uncompressed.sent: Displays the number of uncompressed bytes sent on this connection. No longer used in Security Analytics 10.2.
last.activity: Displays the time in UTC when the last request or response was sent or received on this connection.
messages.received: Lists the number of messages received from this connection.
messages.sent: Lists the number of messages sent on this connection.
Database
chain.total: Lists the number of chains in the database. No longer used in Security Analytics 10.2.
meta.bytes: Lists the number of meta bytes in the database.
meta.first.id: Displays the lower-bound meta ID in the database.
meta.last.id: Displays the upper-bound meta ID in the database.
meta.oldest.file.time: Displays the creation date-time of the oldest file in the meta database.
meta.rate: Lists the rate at which metadata objects are being written to the database, where current is the currently reported meta-per-second rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
meta.rate.max: Lists the rate at which metadata objects are being written to the database, where max is the maximum meta-per-second rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
meta.total: Lists the number of metadata objects in the database.
packet.bytes: Lists the number of packet bytes in the database.
packet.first.id: Displays the lower-bound packet ID in the database.
packet.last.id: Displays the upper-bound packet ID in the database.
packet.oldest.file.time: Displays the creation date-time of the oldest file in the packet database.
packet.rate: Lists the rate at which packets are being written to the database, where current is the currently reported packets-per-second rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
packet.rate.max: Lists the rate at which packets are being written to the database, where max is the maximum packets-per-second rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
packet.total: Lists the current number of packet objects held in the packet database. This value shrinks when the database rolls files off due to size constraints. It is not reset when CAPTURE stops.
session.bytes: Lists the number of session bytes in the database.
session.first.id: Lists the lower-bound session ID in the database.
session.last.id: Lists the upper-bound session ID in the database.
session.oldest.file.time: Lists the creation date-time of the oldest file in the session database.
session.rate: Lists the rate at which sessions are written to the database, reported as sessions per second. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
session.rate.max: Lists the maximum rate at which sessions have been written to the database since CAPTURE was started, reported as sessions per second. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
session.total: Lists the total number of sessions held in the session database. This value shrinks when the database rolls files off due to size constraints. It is not reset when CAPTURE stops.
status: Lists the current status of all the databases on DECODER. Valid values are:
  • closed - SYSTEM is initializing and the databases have not yet been opened. This value is seldom seen.
  • opened - The database opened normally and is available for QUERY and UPDATE.
  • failure - The database failed to open. This can happen for any number of reasons but is normally caused by database corruption. Check this value if CAPTURE fails to start or if queries fail to return data.
Decoder
assembler.client.bytes: Lists the number of assembled packet bytes that belong to the client side of the session. This does not include packets that were dropped or filtered by network rules, nor session packets that have not yet been assembled. This statistic is reset to zero when CAPTURE is started.
assembler.client.retrans: Lists the number of packets seen by the assembler that belong to the client side and were detected as re-transmissions. This does not include packets that were dropped or filtered by network rules, nor session packets that have not yet been assembled. This statistic is reset to zero when CAPTURE is started.
assembler.packet.bytes: Lists the number of bytes currently contained in all the packets in the assembler packet pool. This value shrinks and grows as packets enter and leave the assembler.
assembler.packets: Lists the number of packets currently held in the assembler during CAPTURE. This value should stay near the capacity of the config value assemble.packetpool, since the longer a session's packets are held in the assembler, the better the metadata for the session. The assembler's pool is a percentage (currently 95%) of assemble.packetpool and is controlled by that config entry. After CAPTURE stops, this value is reset to zero.
assembler.packet.pages: Lists the number of packet pages waiting to be assembled.
assembler.client.goodput.rate: Lists the current rate of client packet payload bytes minus the payload of retransmitted packets, where current is the currently reported goodput rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
assembler.client.goodput.rate.max: Lists the rate of client packet payload bytes minus the payload of retransmitted packets, where max is the maximum goodput rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
assembler.meta.rate: Lists the current average metadata per session, where current is the currently reported metadata-per-session rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
assembler.meta.rate.max: Lists the average metadata per session, where max is the maximum metadata-per-session rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
assembler.packet.rate: Lists the current average packets per session, where current is the currently reported packets-per-session rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
assembler.packet.rate.max: Lists the average packets per session, where max is the maximum packets-per-session rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
assembler.server.goodput.rate: Lists the current rate of server packet payload bytes minus the payload of retransmitted packets, where current is the currently reported goodput rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
assembler.server.goodput.rate.max: Lists the rate of server packet payload bytes minus the payload of retransmitted packets, where max is the maximum goodput rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
assembler.server.bytes: Lists the number of assembled packet bytes that belong to the server side of the session. This does not include packets that were dropped or filtered by network rules, nor session packets that have not yet been assembled. This statistic is reset to zero when CAPTURE is started.
assembler.server.retrans: Lists the number of packets seen by the assembler that belong to the server side and were detected as re-transmissions. This does not include packets that were dropped or filtered by network rules, nor session packets that have not yet been assembled. This statistic is reset to zero when CAPTURE is started.
assembler.sessions: Lists the number of sessions currently held in the assembler during CAPTURE. This value should stay near the capacity of the config value assembler.sessionpool: the longer a session is held in the assembler, the less likely it is that additional sessions are created for the same connection. This can be controlled by the config entry assembler.sessionpool. After CAPTURE stops, this value is reset to zero.
assembler.sessions.forced: Lists the number of sessions forced out of the pool.
assembler.sessions.split: Lists the number of sessions split due to size limits.
assembler.sessions.timed.out: Lists the number of sessions that timed out.
assembler.timespan: Lists the time span in seconds from the newest to the oldest packet in the assembler.
capture.avg.size: Lists the average size of the full packet data over all packets captured, using a 10-second rolling window.
capture.service: Lists the network service name currently being used for CAPTURE.
capture.dropped: Lists the number of packets reported as dropped by the network card. After CAPTURE stops, this value is reset to zero.
capture.dropped.percent: Lists the current percentage of packets dropped.
capture.dropped.percent.max: Lists the maximum percentage of packets dropped.
capture.filtered: Lists the number of packets filtered by rules during CAPTURE.
capture.header.bytes: Lists the number of packet header bytes captured.
capture.interface: Lists the network adapter on capture.service currently being used for capture.
capture.kept: Lists the number of packets kept during capture.
capture.payload.bytes: Lists the number of packet payload bytes captured.
capture.rate: Lists the current capture rate, where current is the currently reported Mbps rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
capture.rate.max: Lists the capture rate, where max is the maximum Mbps rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
capture.packet.rate: Lists the current capture rate, where current is the currently reported packets-per-second rate. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, current is reset to zero.
capture.packet.rate.max: Lists the capture rate, where max is the maximum packets-per-second rate seen since CAPTURE was started. Values are rolling average samples over a short time period (10 seconds). After CAPTURE stops, max still shows the maximum value seen during CAPTURE.
capture.received: Lists the number of packets received from the network card. This statistic is reset to zero when CAPTURE is started.
capture.status: Lists the current status of CAPTURE on DECODER. Valid values are:
  • starting - CAPTURE START has been requested but has not yet completed.
  • started - CAPTURE is currently running.
  • stopping - CAPTURE STOP has been requested but has not yet completed.
  • stopped - CAPTURE is not running.
  • disabled - The system is a CONCENTRATOR.
capture.total.bytes: Lists the total number of packet bytes received from the network card. This does not include dropped packets. This statistic is reset to zero when CAPTURE is started.
correlation.results.created: Lists the number of correlation sessions created.
correlation.results.dropped: Lists the number of correlation sessions dropped due to insufficient system resources.
export.packet.cache.files: Lists the number of packet export cache files waiting to be exported.
export.packet.percent.usage: Lists the percentage of packet export cache storage used.
export.packet.remote.status: Lists the status of the packet export remote storage location.
export.session.cache.files: Lists the number of session export cache files waiting to be exported.
export.session.percent.usage: Lists the percentage of session export cache storage used.
export.session.remote.status: Lists the status of the session export remote storage location.
limiter.bytes.rate: Displays the current limiter throughput in bytes per second.
limiter.bytes.rate.max: Displays the maximum limiter throughput in bytes per second.
limiter.engaged: Indicates whether the limiter is engaged. 0 = No, 1 = Yes.
limiter.packets.dropped: Lists the total number of packets dropped while the limiter is engaged.
pool.packet.assembler: Lists the number of packet pages waiting to be assembled.
pool.packet.capture: Lists the number of packet pages available for capture.
pool.packet.collect: Lists the number of packet pages waiting to be collected for reuse.
pool.packet.export: Lists the number of packet pages waiting to be exported.
pool.packet.write: Lists the number of packet pages currently in the PCS pipeline that still need to be written to the database.
pool.session.correlate: Lists the number of session pages waiting to be correlated.
pool.session.decrement: Lists the number of session pages waiting to be decremented.
pool.session.export: Lists the number of session pages waiting to be exported.
pool.session.stream: Lists the number of session pages waiting to be streamed.
pool.session.write: Lists the number of session pages waiting to be written.
rule.alert.session: Updated with the session ID each time a rule triggers, which produces a real-time alert (over SNMP).
time.begin: Lists the time of the first packet seen during CAPTURE. This is actually the time of the first packet stored in the packet database, so it increases as packets are rolled out of the packet database. The value is in the format YYYY.MM.DD.mm.ss, where YYYY is the 4-digit year, MM the 2-digit month, DD the 2-digit day, mm the 2-digit minute, and ss the 2-digit second.
time.capture: Lists the length of time CAPTURE has been running, followed by the time span between time.begin and time.end, separated by a comma. This increases as new packets are captured.
time.end: Lists the time of the last packet seen during CAPTURE. This value is taken from the packet as it is written to the database, so it increases as new packets are captured. The value is in the same YYYY.MM.DD.mm.ss format as time.begin.
Index
checkpoint.page: Displays the upper-bound page ID for the last checkpoint save.
checkpoint.summary: Displays the upper-bound summary ID for the last checkpoint save.
db.size: Displays the size on disk of the index database (bytes).
memory.used: Lists the memory used by the index for values (bytes).
meta.first.id: Displays the lower-bound meta ID being tracked by the index. No longer used in Security Analytics 10.2.
meta.last.id: Displays the upper-bound meta ID being tracked by the index. No longer used in Security Analytics 10.2.
page.first.id: Displays the first page ID in the index page database.
page.last.id: Displays the last page ID in the index page database.
pages.total: Lists the total number of pages in the index page database.
pages.added: Lists the number of pages added since the service started.
session.first.id: Displays the lower-bound session ID being tracked by the index.
session.last.id: Displays the upper-bound session ID being tracked by the index.
sessions.since.save: Lists the total number of sessions added to the index since the last checkpoint save.
summary.first.id: Displays the first summary ID being tracked by the index.
summary.last.id: Displays the last summary ID being tracked by the index.
summary.total: Lists the total number of summaries in the index summary database.
time.begin: Displays the time (UTC) of the first session being tracked by the index. Together with time.end, this statistic is intended to track the oldest and newest packet encountered while capturing and importing. For live capture these values are not interesting, since time increases consistently for all packets; when importing, however, packet times can be random, and it is that random time range these stats are meant to catch. Note that the stats are initialized from the database, which may mask the actual import time range.
time.end: Displays the time (UTC) of the last session being tracked by the index.
values.added: Lists the number of values added since the service started.
Logs
first.id: Displays the log ID of the first log message in the database.
last.failure.id: Displays the log ID of the last failure message in the database.
last.id: Displays the log ID of the last log message in the database.
last.warning.id: Displays the log ID of the last warning message in the database.
total: Lists the total number of log messages stored in the database.
Parsers
bytes.parsed: Lists the number of bytes parsed.
bytes.seen: Lists the number of bytes seen by the parsers.
feed.count: Lists the number of loaded feeds.
feed.memory: Lists the number of bytes used by the currently loaded feeds.
lexer.bytes: Lists the number of bytes used by the lexer.
lexer.tokens: Lists the number of tokens created by the lexer.
load.time: Displays the last time all parsers were (re)loaded.
lua.memory: Lists the total number of bytes used by the Lua engine.
parser.count: Lists the number of loaded parsers.
parser.memory: Lists the number of bytes used by the parsers, excluding the lexer tokens.
pool.session.complete: Lists the number of sessions waiting to be completed.
pool.session.parse: Lists the number of sessions waiting to be parsed.
queue.packet.pages: Lists the number of packet pages in the parse pool.
queue.sessions.total: Lists the total number of sessions in the parse threads and queues.
System
config.filename: Displays the configuration filename used by this service.
computer.id: The computer ID needed to license the service. No longer used in Security Analytics 10.2.
cpu: Displays the current CPU utilization.
current.time: Displays the current time (UTC) as set by the operating system.
hostname: Lists the hostname of this service.
memory.process: Lists the memory (in bytes) used by this process.
memory.process.max: Lists the maximum memory (in bytes) used by this process.
memory.system: Lists the memory (in bytes) in use on the host as a whole.
memory.total: Lists the total memory (in bytes) installed on the host running this service.
module: Displays the name of this service.
revision: Displays the software revision of this service.
running.since: Displays the time (UTC) when this service was started.
service.name: Lists the hostname or user-supplied service name used for aggregation.
service.status: Displays the current status of this service (ready means fully initialized and accepting all valid commands).
system.info: Lists information about the system.
uptime: Lists the amount of time this service has been running.
version: Displays the software version of this service.
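The statistics above are what an operator polls to know whether a Decoder is actually seeing the traffic it is supposed to record: a failed database, a stopped capture, NIC drops, an engaged limiter or sessions forced out of the assembler each mean evidence that will never be in the session or packet database. The following script is an added example, not code from RSA's documentation or from the Security Analytics product, and it assumes (the page does not state this) that the service's REST interface answers GET /decoder/stats?msg=ls&force-content-type=application/json with a JSON object whose "nodes" list carries {"name": ..., "value": ...} entries; the thresholds and the sample response are constructed for the example.

```python
"""Evaluate Decoder / Log Decoder statistics for integrity and visibility problems.

Added example, not code from the original RSA page. Assumption (not stated on
the page): /decoder/stats?msg=ls&force-content-type=application/json returns
{"nodes": [{"name": "...", "value": "..."}, ...]}. The threshold defaults and
the sample response are constructed for this example.
"""
import json

# Constructed sample: a snapshot from a Decoder that is capturing but dropping
# packets at the network card and has engaged the rate limiter.
SAMPLE_RESPONSE = json.dumps({"nodes": [
    {"name": "status", "value": "opened"},
    {"name": "capture.status", "value": "started"},
    {"name": "capture.received", "value": "184220311"},
    {"name": "capture.dropped", "value": "6811051"},
    {"name": "capture.dropped.percent", "value": "3.7"},
    {"name": "capture.dropped.percent.max", "value": "12.4"},
    {"name": "packet.rate", "value": "48211"},
    {"name": "session.rate", "value": "1902"},
    {"name": "limiter.engaged", "value": "1"},
    {"name": "limiter.packets.dropped", "value": "240118"},
    {"name": "assembler.sessions.forced", "value": "317"},
    {"name": "assembler.sessions.split", "value": "42"},
]})


def parse_stats(body: str) -> dict:
    """Flatten the assumed {"nodes": [{"name", "value"}, ...]} shape into {name: value}."""
    return {node["name"]: str(node["value"]) for node in json.loads(body).get("nodes", [])}


def as_float(stats: dict, name: str, default: float = 0.0) -> float:
    """Numeric view of a stat; values arrive as strings and may be absent or empty."""
    try:
        return float(stats.get(name, default))
    except (TypeError, ValueError):
        return default


def check_stats(stats: dict, max_dropped_percent: float = 1.0) -> list:
    """Return (severity, stat, message) findings, integrity checks first, then visibility."""
    findings = []

    # Database status: anything but "opened" means queries and capture cannot be trusted.
    db_status = stats.get("status", "unknown")
    if db_status != "opened":
        findings.append(("CRITICAL", "status",
                         f"database status is {db_status!r}, expected 'opened'"))

    cap = stats.get("capture.status", "unknown")
    if cap == "disabled":
        return findings  # reported by a Concentrator; the capture checks below do not apply
    if cap != "started":
        findings.append(("CRITICAL", "capture.status",
                         f"capture is {cap!r}; no new traffic is being recorded"))
        return findings

    # NIC-level drops never reach the assembler: they are blind spots, not lost precision.
    dropped = as_float(stats, "capture.dropped.percent")
    dropped_max = as_float(stats, "capture.dropped.percent.max")
    if dropped > max_dropped_percent:
        findings.append(("WARNING", "capture.dropped.percent",
                         f"{dropped:.1f}% of packets dropped by the network card "
                         f"({int(as_float(stats, 'capture.dropped'))} of "
                         f"{int(as_float(stats, 'capture.received'))})"))
    elif dropped_max > max_dropped_percent:
        findings.append(("INFO", "capture.dropped.percent.max",
                         f"drops peaked at {dropped_max:.1f}% earlier in this capture run"))

    # The limiter discards packets deliberately once throughput exceeds its ceiling.
    if stats.get("limiter.engaged") == "1":
        findings.append(("WARNING", "limiter.engaged",
                         f"rate limiter engaged; {int(as_float(stats, 'limiter.packets.dropped'))} "
                         "packets dropped by it"))

    # Capture running but nothing written: a tap or SPAN feed that went quiet, or a stalled pipeline.
    if as_float(stats, "packet.rate") == 0 and as_float(stats, "session.rate") == 0:
        findings.append(("WARNING", "packet.rate",
                         "capture is started but packet and session write rates are zero"))

    # Sessions forced out of the assembler pool were closed before all their packets arrived.
    forced = int(as_float(stats, "assembler.sessions.forced"))
    if forced > 0:
        findings.append(("INFO", "assembler.sessions.forced",
                         f"{forced} sessions forced out of the assembler pool; "
                         "their metadata may be incomplete"))
    return findings


if __name__ == "__main__":
    for severity, stat, message in check_stats(parse_stats(SAMPLE_RESPONSE)):
        print(f"{severity:8} {stat:32} {message}")
```

To run it against a live service, replace SAMPLE_RESPONSE with the body fetched from the REST interface (port and credentials are deployment-specific and not given on this page) and feed it to parse_stats. The checks deliberately stop after a "stopped" or "disabled" capture.status, because every rate statistic is reset to zero when CAPTURE stops and would otherwise produce misleading "no traffic" findings.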