Services Config View - Broker or Concentrator General TabServices Config View - Broker or Concentrator General Tab
The General tab for a Broker or Concentrator in the Services Config helps manage basic service configuration, configure the aggregate service, and configure the aggregation process between a Broker or Concentrator and the aggregate service.
Configuring the aggregate service (whose data is consumed and aggregated) includes:
- Adding, editing, and deleting Concentrators and Brokers as aggregate services
- Toggling an aggregate service online and offline
- Monitoring statistics for aggregate services
- Starting and stopping aggregation
Configuring the aggregation process includes setting:
- Aggregation autostart
- Timing and performance parameters, such as the number of sessions per round of aggregation and time between rounds
- The timing of attempts to restart, reconnect, or take offline a non-responsive aggregate service
What do you want to do?What do you want to do?
|Role||I want to...||Refer to...|
Start and Stop aggregation
Add, edit, delete, and toggle an aggregate service
|Aggregate Services Section|
Manage System Configuration
|System Configuration Section|
Related TopicsRelated Topics
General tabGeneral tab
This is an example of the General tab for a Concentrator.
This is an example of the General tab for a Broker.
These are the three major sections in the General tab for Brokers and Concentrators:
- Aggregate Services
- System Configuration
- Aggregation Configuration
Aggregate Services SectionAggregate Services Section
The Aggregate Services section provides a way to start and stop aggregation, as well as add, edit, delete, and toggle an aggregate service. This is an example of the Aggregate Services section for a Concentrator.
The Aggregate Services section toolbar offers these options.
|Opens a dialog in which you can add a Concentrator, Decoder, or Log Decoder as an aggregate service.|
|Removes the selected aggregate service.|
|For Concentrators only, opens a dialog to edit Meta Fields and Filter values for the Concentrator.|
|Enables you to enter the administrator credentials of the selected aggregate service so that it can communicate with the Broker or Concentrator.|
|When aggregation has been stopped or has not started, starts aggregating data from the online service in the list using the rules defined for the service.|
|When aggregation is in progress, stops aggregation on the Broker or Concentrator. This stops all services and flushes the index, which may take several minutes to complete. It is necessary to stop aggregate services in order to perform various administrative procedures.|
|Toggles the state of a service between offline and online. Only data from online service is consumed during aggregation.|
The Aggregate Services section list has these columns.
|Address||Lists the address of the service.|
|Port||Lists the port on which the service listens. The default ports are:
|Rate||Lists the number of metadata objects being written to the database per second. Values are rolling average samples over a short time period (10 seconds). After capture stops, the rate is reset to 0.|
|Max||Lists the maximum number of metadata objects written to the database per second since capture started. Values are rolling average samples over a short time period (10 seconds). After capture stops, Max continues to show the maximum value during capture.|
|Behind||Lists the number of sessions on the service that need to be aggregated.|
|Collection||For Brokers only, indicates the collection that was selected when the Analyst Workbench service was added to the Aggregate Services section.|
|Meta Fields||For Concentrators only, lists the types of metadata being consumed by the aggregate service.|
|Filter||For Concentrators only, a rule expression (as used in a ‘where’ clause) can be used to filter the results. You must add a meta key along with an operator and a value, for example ip.src !=127.0.0.1 && word exists|
|Meta Include||For Concentrators only, lists the number of types of meta included in the aggregate service.|
|Grouped||Whether or not the aggregate service is part of a group.|
|Status||Lists the current status of the service:
System Configuration SectionSystem Configuration Section
The System Configuration section manages service configuration for a service. When a service is first added, default values are in effect. You can edit these values to tune performance.
The System Configuration section has these parameters.
|Compression||The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0.
A change in value is effective immediately for all subsequent connections.
|Port||The port on which the service listens. The default ports are:
|SSL FIPS Mode||When enabled (on), the security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The default value is off.|
|SSL Port||Indicates the SSL port.|
|Stat Update Interval||The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000.
A change in value is effective immediately.
|Threads||The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. The default value is 15.
A change takes effect on service restart.
Aggregation Configuration SectionAggregation Configuration Section
The Aggregation Configuration section provides configuration settings that affect various aspects of the aggregation process. When you click Apply, the changes are saved; however, not all settings take effect immediately. The tables for Aggregation Settings and Service Heartbeat provide details.
Caution: Do not change any of these settings unless guided by the Developers or the Customer Support team. Contact the Customer Support for any questions before editing any of these settings.
The following table describes the aggregation settings
|Aggregate Autostart||Option to start aggregation automatically each time the Broker or Concentrator is started. Checked means yes, unchecked means no. This change takes effect immediately.|
|Aggregate Hours||The number of hours back for each service that the Concentrator or Broker attempts to recover at the beginning of aggregation. This change takes effect immediately.
|Aggregate Interval||The number of milliseconds between rounds of service aggregation. All services managed by the Broker or Concentrator request additional rounds of session and metadata to be aggregated. If a Broker or Concentrator is still consuming the previous round of data, it cannot request more until it finishes. Change takes effect immediately.|
|Aggregate Max Sessions||The maximum number of sessions that the Broker or Concentrator requests in a given round of data aggregation. Change takes effect after restart.|
Service HeartbeatService Heartbeat
In communicating with each aggregate service, Brokers and Concentrators monitor the heartbeat of the service. These parameters specify the timing of the first attempt to reconnect to a service after an error, the next attempt to reconnect, and taking the service offline after failure to reconnect.
|Heartbeat Error Restart||After a heartbeat error is detected on an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting a service reconnect.|
|Heartbeat Next Attempt||After a failed attempt to reconnect to an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting another service reconnect. Change takes effect immediately.|
|Heartbeat No Response||After failing to reconnect to an unresponsive service, specifies the number of seconds for the Broker or Concentrator to wait before taking the unresponsive service offline. Change takes effect immediately.|
When editing parameters in the General tab, you must click Apply to save changes.