The General tab for a Broker or Concentrator in the Services Config helps manage basic service configuration, configure the aggregate service, and configure the aggregation process between a Broker or Concentrator and the aggregate service.
Configuring the aggregate service (whose data is consumed and aggregated) includes:
- Adding, editing, and deleting Concentrators and Brokers as aggregate services
- Toggling an aggregate service online and offline
- Monitoring statistics for aggregate services
- Starting and stopping aggregation
Configuring the aggregation process includes setting:
- Aggregation autostart
- Timing and performance parameters, such as the number of sessions per round of aggregation and time between rounds
- The timing of attempts to restart, reconnect, or take offline a non-responsive aggregate service
What do you want to do?
|Role||I want to...||Refer to...|
| ||Start and Stop aggregation. Add, edit, delete, and toggle an aggregate service.||Aggregate Services Section|
| ||Manage System Configuration||System Configuration Section|
This is an example of the General tab for a Concentrator.
This is an example of the General tab for a Broker.
These are the three major sections in the General tab for Brokers and Concentrators:
- Aggregate Services
- System Configuration
- Aggregation Configuration
The Aggregate Services section provides a way to start and stop aggregation, as well as add, edit, delete, and toggle an aggregate service. This is an example of the Aggregate Services section for a Concentrator.
The Aggregate Services section toolbar offers these options.
The Aggregate Services section list has these columns.
|Address||Lists the address of the service.|
|Port||Lists the port on which the service listens. The default ports are: |
|Rate||Lists the number of metadata objects being written to the database per second. Values are rolling average samples over a short time period (10 seconds). After capture stops, the rate is reset to 0.|
|Max||Lists the maximum number of metadata objects written to the database per second since capture started. Values are rolling average samples over a short time period (10 seconds). After capture stops, Max continues to show the maximum value during capture.|
|Behind||Lists the number of sessions on the service that need to be aggregated.|
|Collection||For Brokers only, indicates the collection that was selected when the Analyst Workbench service was added to the Aggregate Services section.|
|Meta Fields||For Concentrators only, lists the types of metadata being consumed by the aggregate service.|
|Filter||For Concentrators only, a rule expression (as used in a 'where' clause) that filters the results. The expression must contain a meta key together with an operator and a value, for example: ip.src !=127.0.0.1 && word exists|
|Meta Include||For Concentrators only, lists the number of types of meta included in the aggregate service.|
|Grouped||Whether or not the aggregate service is part of a group.|
|Status||Lists the current status of the service: |
The System Configuration section manages service configuration for a service. When a service is first added, default values are in effect. You can edit these values to tune performance.
|Compression||The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0. A change in value is effective immediately for all subsequent connections.|
|Port||The port on which the service listens. The default ports are: |
|SSL FIPS Mode||When enabled (on), the security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The default value is off.|
|SSL Port||Indicates the SSL port.|
|Stat Update Interval||The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000. A change in value is effective immediately.|
|Threads||The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. The default value is 15. A change takes effect on service restart.|
Aggregation Configuration Section
The Aggregation Configuration section provides configuration settings that affect various aspects of the aggregation process. When you click Apply, the changes are saved; however, not all settings take effect immediately. The tables for Aggregation Settings and Service Heartbeat provide details.
The following table describes the aggregation settings.
|Aggregate Autostart||Option to start aggregation automatically each time the Broker or Concentrator is started. Checked means yes, unchecked means no. This change takes effect immediately.|
|Aggregate Hours||The number of hours back for each service that the Concentrator or Broker attempts to recover at the beginning of aggregation. This change takes effect immediately. |
|Aggregate Interval||The number of milliseconds between rounds of service aggregation. All services managed by the Broker or Concentrator request additional rounds of session and metadata to be aggregated. If a Broker or Concentrator is still consuming the previous round of data, it cannot request more until it finishes. Change takes effect immediately.|
|Aggregate Max Sessions||The maximum number of sessions that the Broker or Concentrator requests in a given round of data aggregation. Change takes effect after restart.|
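The interaction of Aggregate Interval, Aggregate Max Sessions and the Behind column can be explored with a small model. This is an added example, not product code: the round-timing rule, the `ingest_per_sec` and `consume_per_sec` inputs, and all sample values are assumptions made for illustration.

```python
# Added illustration: simplified model of aggregation rounds (not product code).
from dataclasses import dataclass


@dataclass
class AggregationSettings:
    interval_ms: int    # Aggregate Interval: milliseconds between rounds
    max_sessions: int   # Aggregate Max Sessions: sessions requested per round


def simulate_catch_up(settings, behind, ingest_per_sec, consume_per_sec,
                      limit_ms=60_000):
    """Step through aggregation rounds until the backlog ("Behind") is drained.

    Assumptions of this model (not taken from the product):
      - a round requests min(backlog, max_sessions) sessions;
      - the aggregator consumes them at consume_per_sec sessions per second;
      - the next round starts interval_ms after the previous one started, or
        when the previous round has been consumed, whichever is later;
      - the aggregate service adds ingest_per_sec new sessions per second.
    """
    now_ms, backlog, rounds = 0, behind, 0
    while now_ms < limit_ms:
        batch = min(backlog, settings.max_sessions)
        consume_ms = -(-batch * 1000 // consume_per_sec)  # ceiling division
        round_ms = max(settings.interval_ms, consume_ms)
        now_ms += round_ms
        rounds += 1
        drained = batch == backlog  # this round took everything pending
        backlog = backlog - batch + ingest_per_sec * round_ms // 1000
        if drained:
            return {"caught_up_ms": now_ms, "rounds": rounds, "behind": backlog}
    return {"caught_up_ms": None, "rounds": rounds, "behind": backlog}


if __name__ == "__main__":
    # Constructed values for illustration only; they are not product defaults.
    for max_sessions in (5000, 10000):
        cfg = AggregationSettings(interval_ms=100, max_sessions=max_sessions)
        print(max_sessions, simulate_catch_up(cfg, 100_000, 60_000, 1_000_000,
                                              limit_ms=10_000))
```

With these constructed inputs, 5000 sessions per round cannot keep up with the incoming sessions and Behind keeps growing, while 10000 per round drains the backlog.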
In communicating with each aggregate service, Brokers and Concentrators monitor the heartbeat of the service. These parameters specify the timing of the first attempt to reconnect to a service after an error, the next attempt to reconnect, and taking the service offline after failure to reconnect.
|Heartbeat Error Restart||After a heartbeat error is detected on an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting a service reconnect.|
|Heartbeat Next Attempt||After a failed attempt to reconnect to an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting another service reconnect. Change takes effect immediately.|
|Heartbeat No Response||After failing to reconnect to an unresponsive service, specifies the number of seconds for the Broker or Concentrator to wait before taking the unresponsive service offline. Change takes effect immediately.|
When editing parameters in the General tab, you must click Apply to save changes.