Correlation-server Configuration

AlertProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.alert.keep-alive-time | 0 | long | The keep-alive time for threads |
| rsa.correlation.alert.max-alerts-queue-size | 10000 | integer | The maximum RabbitMQ alerter queue size |
| rsa.correlation.alert.num-threads | 3 | integer | Number of processing threads |
| rsa.correlation.alert.respond-enabled | true | boolean | Whether Respond is enabled globally |
| rsa.correlation.alert.respond-endpoint-severities | | list | The list of severities which can be consumed by Respond and are related to app rules |
| rsa.correlation.alert.retry-delay | 1 | seconds | Retry delay for each interval |
| rsa.correlation.alert.risk-score-severities | | list | The list of severities which can be consumed by risk score and are related to app rules |
| rsa.correlation.alert.sleep-time | 1000 | long | The maximum time to sleep in a thread |
| rsa.correlation.alert.statement-name-max-length | 128 | integer | The maximum length of the entire statement @Name |
| rsa.correlation.alert.statement-name-place-holder-max-length | 64 | integer | The maximum length for each placeholder value in the statement @Name |
| rsa.correlation.alert.timeout-retry-policy | 3650 | seconds | Retry time in seconds for total timeout |
| rsa.correlation.alert.total-threads | 10 | integer | The total number of threads in the pool |
| rsa.correlation.alert.transient-enabled | true | boolean | Whether transient is enabled globally. Currently used only for key-value rules and not in basic rules |

ContextHubProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.contexthub.data-expired-in-seconds | 5 | integer | The duration of time before the ContextHub content is considered too old and needs to be re-retrieved. |
| rsa.correlation.contexthub.fail-on-retrieve-retry-count | 3 | integer | Number of times to retry when retrieving data from ContextHub fails. |
| rsa.correlation.contexthub.fail-on-retrieve-wait-between-retries | 5 | seconds | Wait duration between retries when retrieving data from ContextHub fails. |
| rsa.correlation.contexthub.fail-on-set-entries-wait-between-retries | 5 | seconds | Wait duration between retries when adding entries to or deleting entries from ContextHub fails. |
| rsa.correlation.contexthub.file-backed-dir | | string | Location on local disk where the paged files are stored. |
| rsa.correlation.contexthub.mapped-memory-size | 0 | integer | Total number of bytes of data that are kept in memory. |
| rsa.correlation.contexthub.notification-handler-thread-pool-size | 8 | integer | Number of concurrent notification handler threads. |
| rsa.correlation.contexthub.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
| rsa.correlation.contexthub.set-entries-thread-pool-size | 128 | integer | Size of the thread pool for concurrent RSAContext set-entries operations. |

DataPrivacyProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.data-privacy.global-private-fields | | list | List of fields that are always removed from the output for data privacy, regardless of source |

DebugProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.debug.actions | | string | |
| rsa.correlation.debug.enabled | false | boolean | |
| rsa.correlation.debug.resource-ids | | string | |

EndpointProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.endpoint.app-rules-paths | | list | List of Endpoint App Rules candidate paths of the resource file. |
| rsa.correlation.endpoint.enabled | true | boolean | true if Endpoint Rules processing is enabled. |

EngineProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.engine.auto-start | true | boolean | Determines whether all Engines should start when the service is deployed. |
| rsa.correlation.engine.concurrent-deployment | 10 | integer | Number of asynchronous Engine deployment tasks. |
| rsa.correlation.engine.send-event-heart-beat-frequency | 1 | seconds | Log send-Event heartbeat frequency. |
| rsa.correlation.engine.startup-error-retry-interval | 10 | seconds | Retry interval if an error occurs during startup. |

EsperProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.esper.background-metrics-enabled | true | boolean | Set to false to get Esper metrics on demand. |
| rsa.correlation.esper.background-metrics-frequency | 5 | seconds | How often the background Esper metrics process should run. |
| rsa.correlation.esper.config-resource | classpath:esper/esper-config.xml | string | Esper configuration XML resource. |
| rsa.correlation.esper.enable-statement-metric | false | boolean | Set to true if Esper metrics need to be enabled. Esper sets this to false by default. Setting it to true allows capture of additional Esper metrics, but note that activating Esper metrics may impact performance. |
| rsa.correlation.esper.metrics-memory-back-off | 1 | seconds | How long to back off after reaching a metrics timeout error. |
| rsa.correlation.esper.metrics-num-threads | 16 | integer | The number of threads to use for calculating metrics, per engine. Each thread gets metrics for a single rule. |
| rsa.correlation.esper.metrics-timeout | 15 | seconds | How long to allow for retrieval of metrics for a single rule. Counting memory for rules that use a lot of memory takes a lot of time and CPU, which blocks processing of new events. In the case of a timeout, the error is captured for reporting purposes. |
| rsa.correlation.esper.snapshot-dir | | string | RSAPersist snapshot directory. |
| rsa.correlation.esper.snapshot-frequency | 5 | seconds | Period between snapshots. |
| rsa.correlation.esper.use-external-clock | true | boolean | true for Esper to process CurrentTimeEvent. |

FileMapProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.filemap.file-backed-dir | | string | Location on local disk where the paged files are stored. |
| rsa.correlation.filemap.page-file-size | 4096 | integer | The size of each paged file stored on local disk. |
| rsa.correlation.filemap.total-memory-size | 0 | integer | Total number of bytes of data that are kept in memory. |

GeoIpProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.geoip.city-resource | | string | The City database resource. |
| rsa.correlation.geoip.local-dir | | string | Local folder where the database files are stored. |
| rsa.correlation.geoip.org-resource | | string | The Organization database resource. |

HealthProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.health.check-every | 15 | seconds | The |
| rsa.correlation.health.fatal-percentage | 90 | integer | The percentage of memory consumption at which the service is considered to be in fatal state |
| rsa.correlation.health.health-check-id | memory-check | string | The name which is required to set the HealthCheck |
| rsa.correlation.health.warning-percentage | 80 | integer | The percentage of memory consumption at which the service is considered to be in warning state |

MetricProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.metric.collectd-max-value-length | 64 | integer | CollectD field value maximum length. |

ServiceProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.re-deployment-cycle | 0 | integer | The current re-deployment cycle. |
| rsa.correlation.re-deployment-required | 0 | integer | The number of re-deployments required. |
| rsa.correlation.send-re-deployment-notification | true | boolean | true to notify SA to re-deploy all active Engines. |
| rsa.correlation.version | | string | Project version. |
| rsa.correlation.wait-before-checking-for-success-re-deployment | 1 | seconds | Wait duration before checking whether the SA response re-deployment was successful. |

RuleProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.rule.fired-rules-heart-beat | | integer | Number of permits for a duration. |
| rsa.correlation.rule.fired-rules-heart-beat-every | 1 | seconds | A length of time to apply the permits. Minimum of 1 second and maximum of 1 day. |
| rsa.correlation.rule.log-fired-rules | false | boolean | Whether to log rules as soon as they fire, together with the relevant events. |
| rsa.correlation.rule.max-constituent-events | 0 | integer | Maximum number of Events in the List sent to AlertManager. |

StatsProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stats.days-to-keep-stats-file | 3 | integer | |

StreamProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.correlation.stream.aggregation-queue-size | 10 | integer | Size of the queue that holds aggregation Events, staging them before they are sent to the Rule Engine. |
| rsa.correlation.stream.batch-size | 0 | integer | Controls how many records are requested at a time. |
| rsa.correlation.stream.big-integer-to-long | true | boolean | Whether to convert BigInteger Meta values to Long, such as sessionid. |
| rsa.correlation.stream.buffer-size | 0 | integer | Controls the number of records the stream can keep outstanding. |
| rsa.correlation.stream.check-supply | false | boolean | Whether this source should check for supply |
| rsa.correlation.stream.collection-duration-in-minutes | 0 | integer | For query-based aggregation, this parameter determines whether it operates in continuous mode or finite mode. By default it is 0, which means continuous mode. CollectionDuration should be specified in minutes. |
| rsa.correlation.stream.compression | 0 | integer | The number of bytes in each message before it will be compressed. Zero means no compression at all. Range: 0 to 131071 |
| rsa.correlation.stream.compression-level | 0 | integer | The level of compression. 1 is fastest and 9 is the best compression. A value of zero means pick the best balance between speed and compression. Range: 0 to 9 |
| rsa.correlation.stream.connection-time-out | 0 | integer | Override connection timeout in sources. Only applied if greater than 0. |
| rsa.correlation.stream.default-multi-valued | | list | New multi-valued fields for this version. These fields should all be migrated to multi-valued with Rule changes. A warning message will be logged if multi-valued does NOT contain all of these fields. |
| rsa.correlation.stream.default-single-valued | | list | New single-valued fields for this version. These fields should all be migrated to single-valued with Rule changes. A warning message will be logged if single-valued does NOT contain all of these fields. |
| rsa.correlation.stream.dots-to-underscores | true | boolean | Whether to translate "user.dst" to "user_dst". |
| rsa.correlation.stream.event-batch-size | 1000 | integer | Number of Events in a batch stored in the queue. |
| rsa.correlation.stream.event-enrichment-queue-size | 10 | integer | Size of the queue used to enrich the Event before offering it to the Rule Engine. |
| rsa.correlation.stream.event-enrichment-thread-pool-size | 8 | integer | Concurrent Event enrichment thread pool size. |
| rsa.correlation.stream.event-polling-timeout-in-milli-seconds | 1000 | long | Timeout in milliseconds for polling Events from the queue. |
| rsa.correlation.stream.event-source-id | false | boolean | Controls whether the event source identifier is added (ESA compatibility) |
| rsa.correlation.stream.filter | | string | Filter to be sent across to the source |
| rsa.correlation.stream.idle-retry-interval | 0 | integer | Controls how long to wait (in milliseconds) before retrying an idle source. |
| rsa.correlation.stream.lag-time | 15 | seconds | Lag time is the expected time an event takes to pass through the different levels of capture, parse etc. and become available to query in the concentrator. |
| rsa.correlation.stream.lowercase | | list | The fields to translate to lower case |
| rsa.correlation.stream.max-sessions | 0 | integer | Controls the number of sessions in a batch. The more you filter out ESA data source traffic, the lower you should set this value. |
| rsa.correlation.stream.mechanism | | string | NextGen core devices send and receive type 'AGGREGATION' or 'QUERY'. |
| rsa.correlation.stream.minutes-back | 5 | integer | Controls how far back in time to go on a fresh start. |
| rsa.correlation.stream.multi-valued | | list | The fields considered multi-valued. |
| rsa.correlation.stream.multi-valued-as-array | false | boolean | true to convert a multi-valued Collection to an Array. |
| rsa.correlation.stream.no-system-meta | false | boolean | Controls the addition of system meta to records. |
| rsa.correlation.stream.pre-fetch | 0 | integer | Controls how many batches to pull and keep ready in anticipation of demand |
| rsa.correlation.stream.query | | string | Query-based RecordStream select clause for all sources. |
| rsa.correlation.stream.reader-buffer-size | 1048576 | integer | |
| rsa.correlation.stream.retrieve-record-stream-stats-every | 2 | seconds | How often the RecordStream status should be retrieved. |
| rsa.correlation.stream.retrieve-schema-every | 5 | seconds | A length of time to apply the permits. Minimum of 1 second and maximum of 1 day. |
| rsa.correlation.stream.retrieve-schema-frequency | 1 | integer | Number of permits for a duration. |
| rsa.correlation.stream.retry-timeout | 0 | integer | Controls how long to wait (in milliseconds) before retrying a failed source. |
| rsa.correlation.stream.save-position-every | 1 | seconds | A length of time to apply the permits. Minimum of 1 second and maximum of 1 day. |
| rsa.correlation.stream.save-position-frequency | 1 | integer | Number of permits for a duration. |
| rsa.correlation.stream.single-valued | | list | Used by the Rules deployment process to ensure that these fields are not treated as multi-valued. |
| rsa.correlation.stream.socket-timeout | 0 | integer | Override socket timeout in sources. Only applied if greater than 0. |
| rsa.correlation.stream.source-poll-interval | 0 | integer | Controls the parameters passed to RecordSourceSubscription. |
| rsa.correlation.stream.start-session-id | 0 | long | Override StartSession Id in sources for debug purposes. Only applied if greater than 0. |
| rsa.correlation.stream.tcp-no-delay | false | boolean | |
| rsa.correlation.stream.thread-pool-size | 0 | integer | Controls the size of the thread pool used by the stream executor. Defaults to 100. |
| rsa.correlation.stream.time-batch-in-seconds | 0 | integer | Determines the batch size for query-based aggregation in seconds. By default it is a 60-second window. For now this is not user-configurable, because the concentrator operates most efficiently when the time window is a minute. |
| rsa.correlation.stream.time-measured-in-seconds | true | boolean | true if time meta is measured in seconds in the event. |
| rsa.correlation.stream.time-meta-field | time | string | Decides which field is used for time. |
| rsa.correlation.stream.time-order-by-field | | string | Controls the name of the field that is considered the timestamp. This must be a long value. |
| rsa.correlation.stream.time-order-hold-interval | 0 | integer | To order records from multiple sources, some "hold" time is needed for sessions within a time window to arrive from all sources. This parameter specifies the hold interval (in milliseconds) |
| rsa.correlation.stream.time-order-no-inflow-give-up-interval | 0 | integer | Controls the interval (in milliseconds) after which a "quiet" source is taken out of the equation to allow progress on a time-ordered stream. The default value is 0, which means waiting forever for events to arrive. |
| rsa.correlation.stream.time-order-offline-give-up-interval | 0 | integer | Controls the interval (in milliseconds) after which an offline source is taken out of the equation to allow progress on a time-ordered stream. The default value is 0, which means waiting forever. This parameter does not affect the re-connection retries, which are performed in all cases. |
| rsa.correlation.stream.time-ordered | false | boolean | Enables source time synchronization and ordering. |
| rsa.correlation.stream.use-direct-buffer | false | boolean | |
| rsa.correlation.stream.use-event-time-for-esper | false | boolean | true to use the timeMetaField in the Event for the Esper CurrentTimeEvent. |

MigrationProperties

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.migration.home-data-path | /var/netwitness/esa | string | The location of the ESA home directory |

RecordStreamMetrics

| Name | Default value | Type | Description |
|---|---|---|---|
| rsa.records.stream.version | | string | |