This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Security Analytics Core Database Tuning Guide

RSAAdmin
Beginner
Beginner

‎2014-07-19 03:43 PM

I have attached a recently created guide for tuning the SA Core 10.3 databases ([Log/Packet] Decoder, Concentrator, Archiver).  This guide will eventually be part of the online documentation (Home - RSA Security Analytics Documentation).

 

If you have any questions or find errors in the documentation, please let me know.

 

Thanks,

Scott

Preview file
136 KB
17 REPLIES 17

Anonymous
Not applicable
In response to RSAAdmin

‎2014-11-17 11:01 AM

Thanks Scott!

 

Very nice guide.

 

The link you posted to the 10.4 Database guide is sort of messed up.

I want to download the entire guide, not have to page through 2 page chunks to get

to what I need.

 

Don

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-11-18 10:24 AM

You can download a PDF of the whole guide by going to the root page and pressing the PDF icon in the right column.

 

Right above the words "Support and Service".

0 Likes

RSAAdmin
Beginner
Beginner

‎2015-05-07 04:20 PM

Hi,

 

I have a test environment with a Log Decoder, Concentrator and SA Server, and recently I configured an Archiver and I would like to test it.

 

As my test environment does not have much traffic, is there any way to force Log Decoder forward the logs to Archiver before it reaches his threshold??

 

Regards.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-07 04:24 PM

The only way to get logs into Archiver is by aggregation.  You need to add the LD to the Archiver as an aggregation device and then start aggregation. 

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-07 04:32 PM

Thanks for your attention Scott.

 

After starting the aggregation, all logs that arrive in Log Decoder are forwarded to Archiver? Or these logs are forwarded after Log Decoder reaches his threshold?

 

Regards.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-07 04:38 PM

Yes, unless you add an aggregation filter.  I'm not sure what you mean by "Log Decoder reaches his threshold"?  What threshold?

 

By default, Archivers are configured to perform "nice" aggregation, which is meant to alleviate stress on the Log Decoder, especially if multiple devices are aggregating from it.  What this means is it will fall behind a bit to alleviate write contention on the LD.

 

If your Log Decoder is well under 30K EPS, then you can get logs in near real time by turning nice off (/archiver/config/aggregate.nice=false).

 

Does that answer your question or am I missing something?

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-07 04:49 PM

So, added the Log Decoder to Aggregation in Archiver and it shows as online, but I dont see any Logs when I choose Archiver in Investigation Tab.

 

I can see the Logs just when I choose Log Decoder in Investigation Tab.

 

I appreciate your attention.

 

Regards.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-05-07 05:46 PM

Did you start aggregation on the Archiver?  Try monitoring the /database/stats on the archiver and make sure the packet.total stat is increasing.  If it's not, but the session stat is increasing, that means it is aggregating, but the current session on the LD does not have a log.  In other words, the logs are in rollover on the LD.

 

Once Archiver catches up to the sessions that have logs, everything should start working.

 

If this isn't the problem and it is aggregating, then you will need to look at the logs on the Archiver to determine what the problem is.  Open a support ticket in that case.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.