This topic introduces features of the Services Config view > General tab for Decoders and Log Decoders.
The General tab for a Decoder in the Services Config view provides a way to manage basic service configuration, configure data capture, and select the parsers that are applied to the captured data.
Settings that set up and tune data capture include:
- Adapter selection
- Cache specification
- Capture autostart and other capture parameters that affect cache, sessions, and timeouts
- Database file sizes
- Location of the hash directory
The first figure is an example of the General tab for a Decoder. The second is the General tab for a Log Decoder.
These are the four major sections in the General tab for Decoders and Log Decoders:
- System Configuration
- Decoder Configuration
- Parsers Configuration
- Service Parsers Configuration (Log Decoders only)
The System Configuration section manages service configuration for a Decoder. When a service is first added, default values are in effect. You can edit these values to tune performance.
The System Configuration section has these parameters.
The Decoder Configuration section provides a way to view and edit service configuration parameters for a Decoder or Log Decoder. When a service is first added, default values are in effect. You can edit these values to manage traffic capture.
Scrolling to the bottom of the section reveals these additional Decoder Configuration parameters.
Adapter parameters configure the network interface for capture. The table below describes the Decoder Adapter settings. The default network adapters available are set at installation. Consult your System Administrator for more information.
The Decoder also supports system-level packet filtering defined using tcpdump/libpcap syntax. Specifying a Libpcap filter can efficiently reduce packet volume based on Layer 2 through Layer 4 attributes. A Libpcap filter is appropriate when a Decoder is receiving a traffic volume that strains the physical resources of the platform. In this scenario, the Decoder may consistently drop packets and have a large number of capture pages available (/decoder/stats/capture.pagefree is high).
The following is an example of a libpcap filter that keeps only packets that do not have both source and destination addresses in the 10.21.0.0/16 subnet:
not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)
For a full reference of the Libpcap filter syntax, see the man pages for:
- tcpdump (http://www.tcpdump.org/tcpdump_man.html).
- pcap-filter (http://www.unix.com/man-page/FreeBSD/7/pcap-filter/).
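The following added example (not part of the product documentation) models the filter above in Python over constructed flow records, showing which traffic would still be captured and what share of bytes remains. It also contrasts the filter with the same expression written without parentheses: in pcap-filter syntax, negation has the highest precedence, so the two are not equivalent. The addresses and byte counts are constructed sample data, and the function names are illustrative.

```python
import ipaddress

SUBNET = ipaddress.ip_network("10.21.0.0/16")  # subnet from the filter on this page

def in_subnet(addr):
    return ipaddress.ip_address(addr) in SUBNET

def page_filter(src, dst):
    # not (src net 10.21.0.0/16 and dst net 10.21.0.0/16)
    return not (in_subnet(src) and in_subnet(dst))

def unparenthesized(src, dst):
    # not src net 10.21.0.0/16 and dst net 10.21.0.0/16
    # Negation binds tighter than "and", so this parses as
    # (not src net ...) and (dst net ...): a different, narrower filter.
    return (not in_subnet(src)) and in_subnet(dst)

# Constructed sample flows: (source, destination, bytes)
FLOWS = [
    ("10.21.4.10", "10.21.9.20", 700_000),    # inside -> inside
    ("10.21.4.10", "198.51.100.7", 120_000),  # inside -> outside
    ("203.0.113.5", "10.21.9.20", 150_000),   # outside -> inside
    ("10.22.0.1", "10.21.9.20", 30_000),      # neighbouring /16 -> inside
]

def kept(flows, predicate):
    """Return the flows the filter would pass to capture."""
    return [f for f in flows if predicate(f[0], f[1])]

def kept_fraction(flows, predicate):
    """Share of total bytes that remains after filtering."""
    total = sum(f[2] for f in flows)
    return sum(f[2] for f in kept(flows, predicate)) / total

if __name__ == "__main__":
    for name, pred in (("page filter", page_filter),
                       ("unparenthesized", unparenthesized)):
        print(f"{name}: {kept_fraction(FLOWS, pred):.0%} of bytes kept")
        for src, dst, size in kept(FLOWS, pred):
            print(f"  {src} -> {dst} ({size} bytes)")
```

With the sample data, the filter from this page drops only the inside-to-inside flow, while the unparenthesized form also drops outbound traffic from the subnet.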
Cache parameters configure the cache directory and size for session cache files. The following table describes the cache settings.
The Capture Settings section provides a way to configure operational capture settings.
This table describes the capture settings.
Database Max File Sizes
The Database Max File Sizes section controls the maximum file size for various databases. The following table describes the parameters.
To calculate the drive sizes and free space for the meta, packet, and/or session databases in your environment, perform the following steps:
- In the Security Analytics menu, select Administration > Services.
- Select a service and select > View > Explore.
The Service Explore View is opened.
- In the Node List, select database, then right-click and select Properties.
The Properties panel is displayed.
- In the Properties panel, from the drop-down list, select reconfig.
- In the Parameters field, enter update = false.
- Click Send.
The Response Output displays the drive sizes and free space for the meta, packet, and session databases.
Controls database file hashing options. There is a small performance penalty when hashing. The following table describes the hashing option.
The Parsers Configuration panel provides a way to select parsers to use on the Decoder. Within some parsers, you can also configure the metadata that the parser creates.
Security Analytics lets you configure individual parsers so that they do not store generated metadata on disk (Transient option). This helps administrators protect certain data and is usually done as part of a data privacy plan (see Data Privacy Management).
The following table describes the features of the Parsers Configuration section.
Additional Service Parsers Configuration for Log Decoder
The Service Parsers Configuration section provides a way to select Service parsers to use on the Log Decoder.