2014-07-19 03:43 PM
I have attached a recently created guide for tuning the SA Core 10.3 databases ([Log/Packet] Decoder, Concentrator, Archiver). This guide will eventually be part of the online documentation (Home - RSA Security Analytics Documentation).
If you have any questions or find errors in the documentation, please let me know.
Thanks,
Scott
2014-11-17 11:01 AM
Thanks Scott!
Very nice guide.
The link you posted to the 10.4 Database guide is sort of messed up.
I want to download the entire guide, not have to page through 2 page chunks to get to what I need.
Don
2014-11-18 10:24 AM
You can download a PDF of the whole guide by going to the root page and pressing the PDF icon in the right column.
Right above the words "Support and Service".
2015-05-07 04:20 PM
Hi,
I have a test environment with a Log Decoder, Concentrator and SA Server, and recently I configured an Archiver and I would like to test it.
As my test environment does not have much traffic, is there any way to force the Log Decoder to forward the logs to the Archiver before it reaches its threshold?
Regards.
2015-05-07 04:24 PM
The only way to get logs into Archiver is by aggregation. You need to add the LD to the Archiver as an aggregation device and then start aggregation.
2015-05-07 04:32 PM
Thanks for your attention Scott.
After starting the aggregation, are all logs that arrive in the Log Decoder forwarded to the Archiver? Or are these logs forwarded after the Log Decoder reaches its threshold?
Regards.
2015-05-07 04:38 PM
Yes, unless you add an aggregation filter. I'm not sure what you mean by "Log Decoder reaches its threshold"? What threshold?
By default, Archivers are configured to perform "nice" aggregation, which is meant to alleviate stress on the Log Decoder, especially if multiple devices are aggregating from it. What this means is it will fall behind a bit to alleviate write contention on the LD.
If your Log Decoder is well under 30K EPS, then you can get logs in near real time by turning nice off (/archiver/config/aggregate.nice=false).
Does that answer your question or am I missing something?
2015-05-07 04:49 PM
So, I added the Log Decoder to Aggregation in the Archiver and it shows as online, but I don't see any logs when I choose Archiver in the Investigation tab.
I can only see the logs when I choose Log Decoder in the Investigation tab.
I appreciate your attention.
Regards.
2015-05-07 05:46 PM
Did you start aggregation on the Archiver? Try monitoring the /database/stats on the archiver and make sure the packet.total stat is increasing. If it's not, but the session stat is increasing, that means it is aggregating, but the current session on the LD does not have a log. In other words, the logs are in rollover on the LD.
Once Archiver catches up to the sessions that have logs, everything should start working.
If this isn't the problem and it is aggregating, then you will need to look at the logs on the Archiver to determine what the problem is. Open a support ticket in that case.