This topic provides a procedure for configuring data capture on Decoders and Log Decoders.
In RSA Security Analytics, you can configure the adapter for data capture, enable autostart of data capture, select the parsers that are applied to the captured data, and tune data capture.
To set up a Decoder in preparation for capturing data:
- In the Security Analytics menu, select Administration > Services.
- In the Administration Services view, select the Decoder service and then select View > Config.
The Services Config view is displayed with the General tab open, and the most commonly used service settings for a Decoder or Log Decoder are available for editing under Decoder configuration.
- In the Adapter Settings section, configure the network interface for capturing data.
- In the Cache section, examine the settings for cache directory and size. If necessary, modify these.
Note: If you are capturing data on hybrid systems (systems with more than one core service in use), set up separate cache directories for each core service.
- In the Capture Settings section, review the default values and modify if necessary.
- If you want the Decoder to begin capturing data automatically when started, select the Capture Autostart checkbox.
- In the Database Max File Sizes section, review the default values and modify if necessary.
- In the Hash section, define a directory for hash files if you are using this feature.
- Do one of the following:
  - If configuring a Decoder, review the parsers selected to filter traffic in the Parsers Configuration panel and disable, enable, or mark as transient as necessary.
  - If configuring a Log Decoder, review the parsers selected to filter traffic in the Service Parsers Configuration section and disable, enable, or mark as transient as necessary.
- To save the changes, click Apply.
- If necessary, to put the changes into effect, navigate to the Services System view and restart the service.
At this point, you can start capture (also in the Services System view).
VLAN Fixup Configuration
When capturing traffic containing VLAN tags, you may need to configure the Packet MMAP capture interface to preserve the VLAN tags in the packets. By default, the network capture hardware removes the tags. Performing the VLAN fixup preserves the tags in the packets, and the tag values are parsed into VLAN meta data for further analysis.
There are two mechanisms for enabling the VLAN fixup.
- Option 1: Set vlan-fix=true within capture.device.params. This option performs the VLAN fixup on all traffic entering the Decoder. It is appropriate in most cases, since it assumes that all the traffic will be VLAN tagged. This mechanism works in either single-interface mode or all-interfaces mode.
- Option 2: Use the interfaces parameter within capture.device.params on a per-device basis. The interfaces parameter, as described above, accepts a comma-separated list of interface names on which to capture packets. By adding :vlan to an interface name, you can enable the VLAN fixup on individual interfaces. If the interface does not have the :vlan suffix added, it will not perform the VLAN fixup.
After editing this parameter, you must restart capture on the Decoder in order for changes to capture.device.params to take effect.
These are examples of both options.

| Parameter | Value | Result |
|---|---|---|
| capture.device.params | vlan-fix=true | VLAN fixup always performed on all interfaces |
| capture.device.params | interfaces=eth0:vlan,eth1 | VLAN fixup performed on traffic captured on the eth0 interface only |
| capture.device.params | | VLAN fixup always performed: vlan-fix overrides interfaces setting |
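As an added example (not RSA documentation or product code), the following Python helper resolves which interfaces will keep their VLAN tags under a given capture.device.params value, so the setting can be checked before capture is restarted. It assumes the parameter string is a sequence of whitespace-separated key=value tokens, that `vlan-fix` and the `:vlan` suffix behave as described above, and it uses its own `*` convention for the default capture when no interfaces list is set.

```python
# Added example (not RSA/NetWitness code): resolve which capture interfaces
# keep their VLAN tags for a given capture.device.params value.
from typing import Dict, List


def parse_params(params: str) -> Dict[str, str]:
    """Split capture.device.params into key/value pairs.

    Assumption: parameters are whitespace-separated key=value tokens,
    e.g. 'interfaces=eth0:vlan,eth1 vlan-fix=true'.
    """
    pairs: Dict[str, str] = {}
    for token in params.split():
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        key, value = token.split("=", 1)
        pairs[key.strip()] = value.strip()
    return pairs


def vlan_fixup_plan(params: str) -> Dict[str, bool]:
    """Map each interface to True if the VLAN fixup will run on it.

    Option 1: vlan-fix=true runs the fixup on all interfaces and overrides
    any ':vlan' suffix. Option 2: only interfaces in the comma-separated
    'interfaces' list that carry the ':vlan' suffix get the fixup. With no
    'interfaces' key, a single '*' entry (this helper's own convention)
    stands for the default single- or all-interface capture.
    """
    pairs = parse_params(params)
    global_fix = pairs.get("vlan-fix", "false").lower() == "true"
    if "interfaces" not in pairs:
        return {"*": global_fix}
    plan: Dict[str, bool] = {}
    for entry in pairs["interfaces"].split(","):
        name, _, suffix = entry.strip().partition(":")
        if not name:
            continue  # tolerate a trailing comma
        if suffix and suffix != "vlan":
            raise ValueError(f"unknown suffix {suffix!r} on interface {name}")
        plan[name] = global_fix or suffix == "vlan"
    return plan


def interfaces_without_fixup(params: str) -> List[str]:
    """Interfaces whose VLAN tags will be stripped, so no VLAN meta is produced."""
    return [name for name, fixed in vlan_fixup_plan(params).items() if not fixed]
```

A non-empty result from interfaces_without_fixup on a tagged segment means traffic on those interfaces will arrive without VLAN meta after the restart.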