Host GS: Decoder Configuration Parameters

Document created by RSA Information Design and Development Employee on Nov 7, 2017Last modified by RSA Information Design and Development Employee on Sep 8, 2020
Version 11Show Document
  • View in full screen mode
 

The following list describes the configuration parameters that are identical on both Network Decoder and Log Decoder services.

                                                                                                                                                     
Configuration Path<service>/config
aggregate.buffer.size Displays the size of the buffer (default unit is KB) used per round of aggregation. Larger buffers may improve aggregation performance but could impact capture performance. Change takes effect after capture restart.
aggregate.precache Determines if the decoder will pre-cache the next round of aggregation for upstream services. Can improve aggregation performance but could impact capture performance. Change takes effect immediately.
assembler.pool.ratio Displays the percentage of pool pages that assembler manages and uses for the assembly process. Change takes effect on service restart.
assembler.session.flush Flushes sessions either when they are complete, or when they are parsed. Change takes effect on service restart.
assembler.session.pool Lists the number of entries in the session pool. Change takes effect on service restart.
assembler.size.max Lists the maximum size that a session will obtain. A setting of 0 removes the session size limit. Change takes effect immediately.
assembler.size.min Lists the minimum size that a session must be before persisting. Change takes effect immediately.
assembler.timeout.packet Lists the number of seconds before packets are timed out. Change takes effect immediately.
assembler.timeout.session Lists the number of seconds before sessions are timed out. Change takes effect immediately.
assembler.voting.weights Displays the weights used to determine which session stream is marked client and server. Change takes effect immediately.
capture.autostart Determines if capture begins automatically when the service starts. Change takes effect on service restart.
capture.buffer.size Displays capture memory buffer allocation size (default unit is MB). Change takes effect on service restart.
capture.device.params

Displays capture service specific parameters. Change takes effect on service restart.

The parameters understood by this field are specific to the currently selected capture device. If any of the parameters are not recognized by the current capture device, they are ignored.

On Log Decoders, there is only the Log Events capture device. It accepts some optional parameters.

  • use-envision-time: If this is set to 1, the time metadata for each event will be imported from the Log Collector stream. If this is 0 or not set, the imported event time will be stored in the event.time meta.
  • port: This parameter can be set to a numeric value to override the default syslog port listener, 514.
capture.selected Displays current capture service and interface. Change takes effect immediately.
export.expire.minutes Lists the number of minutes before export cache files are expired and flushed. Change takes effect immediately.
export.packet.enabled Allows export of packet data, if enabled. Change takes effect on service restart.
export.packet.local.path Displays the local location to cache packet exported data. Optional assigned max size (=#unit), units are: t for TB; g for GB, m for MB. Change takes effect on service restart.
export.packet.max Displays the maximum packets per exported file. For export file types that cache this determines cached memory sizes. Zero is no limit. Change takes effect immediately.
export.packet.remote.path Lists the remote protocol (nfs://) and location to export data. Change takes effect on service restart.
export.packet.size.max Displays the packet maximum bytes per exported file. For export file types that cache this determines cached memory sizes. Zero is no limit. Change takes effect immediately.
export.rollup Determines the rollup interval for export files. Change takes effect on service restart.
export.session.enabled Allows export of session data, if enabled. Change takes effect on service restart.
export.session.format Determines the file format used during session export. Change takes effect on service restart.
export.session.local.path Displays the local location to cache session exported data. Optional assigned max size (=#unit), units are: t for TB; g for GB, m for MB. Change takes effect on service restart.
export.session.max Displays the maximum sessions per exported file. For export file types that cache, this determines cached memory sizes. Zero is no limit. Change takes effect immediately.
export.session.meta.fields Determines which meta fields are exported. Comma-separated list of fields.
* means all fields.
* plus field list means all fields BUT listed fields.
Just field list means only those fields are included.
Change takes effect immediately.
export.session.remote.path Displays the remote protocol (nfs://) and location to export data. Change takes effect on service restart.
export.session.size.max Lists the session maximum bytes per exported file. For export file types that cache, this determines cached memory sizes. Zero is no limit. Change takes effect immediately.
export.usage.max Lists the session maximum bytes per exported file. For export file types that cache, this determines cached memory sizes. Zero is no limit. Change takes effect immediately.
parse.threads Lists the number of parse threads to use for session parsing. Zero means let server decide. Change takes effect on service restart.
pool.packet.page.size Displays the size of a packet page (default is KB). Change takes effect on service restart.
pool.packet.pages Lists the number of packet pages decoder will allocate and use. Change takes effect on service restart.
pool.session.page.size Displays the size of a session page (default is KB). Change takes effect on service restart.
pool.session.pages Lists the number of session pages decoder will allocate and use. Change takes effect on service restart.

You are here
Table of Contents > References > Service Configuration Parameters > Decoder Configuration Parameters

Attachments

    Outcomes