000034032 - How to set the maximum number of alerts or events sent through the RSA Unified Collector Framework (UCF) in RSA Archer

Document created by RSA Customer Support Employee on Sep 19, 2016Last modified by RSA Customer Support on Sep 16, 2019
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000034032
Applies ToRSA Product Set: RSA Archer Suite
RSA Product/Service Type: Security Operations Management (SecOps)
RSA Version/Condition: 1.2 and 1.3
IssueBy default, the Unified Collector Framework (UCF) sends all the alerts associated with an incident and all the events associated with an alert into the RSA Archer Security Operations Management solution. If this is more data than you need, you can set limits on the number of alerts or events sent.
Resolution
  1. Stop the UCF, as follows:
    1. Click Control Panel > Administrative Tools > Services.
    2. Select RSA Unified Collector Framework.
    3. Click Stop.
  2. Open the <ucf_intall_dir>\config\collector-config.properties file.
  3. Do one or both of the following:
    1. In the sa.alertsInIncident property, enter a valid integer. To allow all alerts,enter a value of 0.
    2. In the sa.eventsInAlert property, enter a valid integer. To allow all events,enter a value of 0.
  4. Save the <ucf_intall_dir>\config\collector-config.properties file.
  5. Start the UCF, as follows:
    1. Click Control Panel > Administrative Tools > Services.
    2. Select RSA Unified Collector Framework.
    3. Click Start.

Attachments

    Outcomes