Endpoint-server Configuration

CertificateStatusProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.certificate.status.ignored-notifications-retry-interval | 60 | seconds | Notifications are ignored once posting file status fails. These ignored notifications are queried periodically; this property defines the interval. |
rsa.endpoint.certificate.status.new-files-query-for-automatic-status-interval | 300 | seconds | Time (in seconds) between successive queries for new files for automatic assignment of file status to be sent to the Contexthub server |
rsa.endpoint.certificate.status.query-batch-size | 3000 | integer | Max number of thumbprints that should be fetched from the repository in a single query |
rsa.endpoint.certificate.status.request-batch-size | 500 | integer | Max number of thumbprints that should be part of the request sent to Contexthub-Server |
rsa.endpoint.certificate.status.request-interval | 300 | seconds | Time (in seconds) between queries for any new certificates seen in the endpoint server. Defaults to 5 minutes. |

AgentCommandProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.command.cache-reload-delay | 5 | seconds | Interval delay to reload pending commands cache |
rsa.endpoint.command.cancel-interval | 24 | seconds | Interval to cancel expired commands |
rsa.endpoint.command.expiration-count | 5 | integer | Indicates the maximum number of times a command will be resent to agent(s) |
rsa.endpoint.command.expiration-time | 20 | seconds | Indicates the duration until when the command will not be resent to agent(s) |

DataRetentionProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.config.data-retention.enabled | true | boolean | Indicates whether all machine data older than the configured threshold (`thresholdInDays`) is to be deleted. This is enabled by default. |
rsa.endpoint.config.data-retention.initial-rollover-delay | 1 | seconds | Time to delay before the first execution of the storage size based retention job |
rsa.endpoint.config.data-retention.recurrence-interval | 0 0 0 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 12:00:00 AM by default. |
rsa.endpoint.config.data-retention.rollover-after | 80 | double | The threshold (in %) of storage size used, after which data should be cleaned up from the database |
rsa.endpoint.config.data-retention.rollover-chunk-size | 10 | double | The chunk of data that should be cleaned up from the database. For example, 10 indicates 10% of the data should be cleaned up. Used for the storage size based data retention job. |
rsa.endpoint.config.data-retention.rollover-delay | 10 | seconds | Delay between invocations of the storage size based retention job |
rsa.endpoint.config.data-retention.size-based-rollover-enabled | true | boolean | Indicates whether the storage size based retention job is enabled. This involves clearing up the disk if it reaches a certain threshold (see `rolloverAfter`). This is enabled by default. |
rsa.endpoint.config.data-retention.threshold-in-days | 30 | integer | The retention threshold specified (in days) |

DownloadedDataRetentionProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.config.downloaded-data-retention.enabled | true | boolean | Indicates retention active status. This is enabled by default. |
rsa.endpoint.config.downloaded-data-retention.recurrence-interval | 0 0 0 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 00:00:00 AM by default. |
rsa.endpoint.config.downloaded-data-retention.threshold-in-days | 90 | integer | The retention threshold specified (in days) |

InactiveMachineRetentionProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.config.inactive-machine-retention.enabled | true | boolean | Indicates whether all machines inactive for more than the configured threshold (`thresholdInDays`) are to be deleted. This is enabled by default. |
rsa.endpoint.config.inactive-machine-retention.recurrence-interval | 0 0 1 * * * | string | Indicates the time and frequency to run the deletion task. Configured to run every day at 01:00:00 AM by default. |
rsa.endpoint.config.inactive-machine-retention.threshold-in-days | 90 | integer | The retention threshold specified (in days) |

DataStoreHealthProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.data-store-thresholds.fatal-percent | 95 | integer | |
rsa.endpoint.data-store-thresholds.warning-percent | 85 | integer | |

DataStoreProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.data.application.compression-factor | 2.5 | double | Indicates the compression ratio used by mongo while writing to the filesystem |
rsa.endpoint.data.application.db-path | | string | Specify the path/directory allocated for the database files. Assumed to be /var/netwitness/mongo by default |

RepositoryProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.datastore.index-creation-enabled | true | boolean | Determines whether the indexes should be created on service startup |

FileDownloadProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.download.agent-beacon-threshold | 5 | seconds | Indicates the agent beacon time considered to (re)attempt file download |
rsa.endpoint.download.base-path | | string | Path on the endpoint server where downloaded files are stored. Assumed to be /var/netwitness/endpoint-server by default |
rsa.endpoint.download.batch-size | 1000 | integer | Number of entries to fetch and process from the `CollectionConstants#GLOBAL_FILE_DOWNLOAD_REQUEST_COLLECTION` collection |
rsa.endpoint.download.command-expiration-time | 20 | seconds | Indicates the expiration time for automatic file download commands, after which the command is cancelled |
rsa.endpoint.download.disk-check-interval | 5 | seconds | Indicates the interval to check the health of the disk to which files will be downloaded |
rsa.endpoint.download.download-threads | 10 | integer | Max number of auto file download handler threads |
rsa.endpoint.download.downloaded-files-cache-size | 2000000 | integer | Max number of entries to store as part of the downloaded files cache |
rsa.endpoint.download.file-processor-batch-size | 100 | integer | Maximum number of concurrent processing requests that should be handled by the server |
rsa.endpoint.download.max-attempts | 50 | integer | Maximum number of agents that will be tried in order to get the file downloaded to the server, after which the next server takes over (if any) |
rsa.endpoint.download.max-pending-commands | 50 | integer | Defines the maximum cap of unprocessed file download commands that can exist for a given agent, i.e. although `AgentCommandRequestType#Manual` commands can still be created, it is used to restrict addition of `AgentCommandRequestType#Automatic` file download commands |
rsa.endpoint.download.periodic-cleanup-delay | 2 | seconds | Interval between successive lookups and attempts made by the server to delete pending requests which are no longer required |
rsa.endpoint.download.periodic-hash-cleanup-delay | 1 | seconds | Interval between successive lookups and attempts made by the server to delete requests for files identified to be downloaded |
rsa.endpoint.download.periodic-marking-delay | 5 | seconds | Interval between marking requests to be considered for processing by server(s) |
rsa.endpoint.download.periodic-processing-delay | 1 | seconds | Interval between successive lookups and attempts made by the server to process pending file download requests, i.e. to create/issue file download commands |
rsa.endpoint.download.periodic-retry-processing-delay | 5 | seconds | Interval between successive lookups and attempts made by the server to retry processing of older pending file download requests |
rsa.endpoint.download.request-cache-size | 2000000 | integer | Max number of entries to store as part of the downloaded files request cache |
rsa.endpoint.download.threads | 2 | integer | Max number of request handler threads |
rsa.endpoint.download.update-interval | 5 | seconds | Interval at which the downloaded status of newly added files is updated |

ExecutionRetryProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.execution.retry.file-persistence-delay | 50 | seconds | Indicates the wait time for retrying file data persistence |
rsa.endpoint.execution.retry.max-delay | 2 | seconds | Indicates the maximum delay to be used between retries |
rsa.endpoint.execution.retry.min-delay | 30 | seconds | Indicates the minimum delay to be used between retries |

ExportProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.export.directory-context | ExportDirectory | string | Represents the directory context (reference name) for the files to be exported |
rsa.endpoint.export.file-cleanup-interval | 1800 | seconds | Schedule interval for cleanup of files/directories |
rsa.endpoint.export.file-expiration-time | 3600 | seconds | Expiration time for the file(s) created |
rsa.endpoint.export.max-exportable-entries | 100000 | integer | Maximum entries that can be exported into CSV from the database, for files |
rsa.endpoint.export.path-prefix | temp/export | string | Represents the path prefix for files to be exported |

FileDownloadDiskHealthProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file-download-disk-thresholds.fatal-percent | 70 | integer | |
rsa.endpoint.file-download-disk-thresholds.warning-percent | 60 | integer | |

FileCacheProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file.cache.expiration-time | 1800 | seconds | Expiration threshold, since last access of item(s) |
rsa.endpoint.file.cache.size | 100000 | long | Maximum items in the cache |

FileReputationStatusProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file.reputation.ignored-notifications-query-interval | 300 | seconds | Time (in seconds) between successive queries for ignored notifications |
rsa.endpoint.file.reputation.known-signed-providers | microsoft,apple | string | List of signature providers for which we don’t need to compute the reputation. This is only taken into account when filterOutKnowFiles = true. |
rsa.endpoint.file.reputation.query-batch-size | 2000 | integer | Max number of hashes that should be fetched from the repository in a single query |
rsa.endpoint.file.reputation.request-batch-size | 500 | integer | Max number of hashes that should be part of the request sent to Contexthub-Server |
rsa.endpoint.file.reputation.request-interval | 10 | seconds | Time (in seconds) between successive requests to be sent to Reputation-Server |
rsa.endpoint.file.reputation.skip-known-good-files | true | boolean | Should reputation be computed for files from known sources? These can be files that are signed by known CAs, or files the customer might have configured as white-listed |

RiskScoreProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file.score.query-batch-size | 2000 | integer | Max number of files/machines to be fetched from the repository in a single query |
rsa.endpoint.file.score.request-interval | 20 | seconds | Time (in seconds) between subsequent requests to be sent |

FileContextProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file.search.timeout | 30 | seconds | File context keyword search operation timeout in seconds |
rsa.endpoint.file.search.total-count | 100 | integer | Max number of results that will be returned for any snapshot response |

FileStatusProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.file.status.ignored-notifications-query-interval | 300 | seconds | Time (in seconds) between successive queries for ignored notifications |
rsa.endpoint.file.status.query-batch-size | 3000 | integer | Max number of hashes that should be fetched from the repository in a single query |
rsa.endpoint.file.status.request-batch-size | 500 | integer | Max number of hashes that should be part of the request sent to Contexthub-Server |
rsa.endpoint.file.status.request-interval | 10 | seconds | Time (in seconds) between successive requests to be sent to Reputation-Server |

GroupPolicyProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.group-policy.bulk-write-count | 1000 | integer | Number of items to be written as part of a batch/bulk write operation performed to assign/update group-policy to machines present in the deployment |
rsa.endpoint.group-policy.initial-sync-delay | 20 | seconds | Time to wait for the initial group-policy details to be synced |
rsa.endpoint.group-policy.periodic-evaluation-delay | 30 | seconds | Interval between successive evaluations performed (if required) to assign/update group-policy to machines present in the deployment |

MachineFileProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.machine-file.delete-task-delay | 5 | seconds | Initial delay to clean up the `CollectionConstants#MACHINE_FILE_COLLECTION` collection for un-managed agents and decrement host count |
rsa.endpoint.machine-file.fetch-limit | 50 | integer | Number of documents to be fetched from the `CollectionConstants#MACHINE_FILE_STAGE_COLLECTION` collection and merged into the `CollectionConstants#MACHINE_FILE_COLLECTION` collection |
rsa.endpoint.machine-file.periodic-bookmark-update-time | 60 | seconds | Interval between successive merging of the `CollectionConstants#MACHINE_FILE_STAGE_COLLECTION` collection to the `CollectionConstants#MACHINE_FILE_COLLECTION` collection |
rsa.endpoint.machine-file.periodic-merge-delay | 30 | seconds | Interval between successive merging of the `CollectionConstants#MACHINE_FILE_STAGE_COLLECTION` collection to the `CollectionConstants#MACHINE_FILE_COLLECTION` collection |
rsa.endpoint.machine-file.refresh-time | 86400 | seconds | Time interval to refresh the files present in a machine. The min value is set to 8h and max value is 48h. |
rsa.endpoint.machine-file.refresh-time-delay | 900 | seconds | This is the time interval to check whether agent files need to be refreshed and, if so, create a command for the agent. |
rsa.endpoint.machine-file.retry-count | 500 | integer | Indicates the number of times it must be retried |
rsa.endpoint.machine-file.retry-wait-time | 10 | seconds | Indicates the wait time for retrying to save machineFileHistory |
rsa.endpoint.machine-file.staged-machine-file-deletion-delay | 10 | seconds | Delay between cleaning up of machine file data from the `CollectionConstants#MACHINE_FILE_STAGE_COLLECTION` collection |
rsa.endpoint.machine-file.threads | 20 | integer | Max number of merge machine file handler threads |
rsa.endpoint.machine-file.update-history-limit | 1000 | integer | Number of documents to be updated into the `CollectionConstants#MACHINE_FILE_HISTORY_COLLECTION` collection |

MachineServiceProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.machine.fetched-machines-limit | 100 | integer | The number of machine infos fetched for a given checksum. This is used to fetch the top 'n' risky machine-infos for a given file. |
rsa.endpoint.machine.search-query-timeout | 10 | seconds | Max timeout for the machine detail query to complete, in milliseconds |
rsa.endpoint.machine.status-persistence-interval | 30 | seconds | Interval in seconds at which machine/agent status will be persisted to db. Since it is a costly operation, a higher value is preferred, but the higher the value, the more inaccurate status-related db queries will be |

MachineFileScoreConfigurationProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.machine.file.score.limit-of-checksums-in-batch | 500 | integer | |
rsa.endpoint.machine.file.score.min-delay-for-refresh-seconds | 120 | seconds | |

MetaForwardProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.meta.enabled | false | boolean | Enable/Disable Meta integration |
rsa.endpoint.meta.ld-buffer-check-enabled | true | boolean | Configuration option to disable the throttling on Log decoder buffer availability. |
rsa.endpoint.meta.ld-buffer-limit-percentage | 75 | integer | Pool.packet.capture / pool.packet.page percentage at which we need to throttle. |
rsa.endpoint.meta.logdecoder-host-id | | string | The unique identifier of the host in which the Log decoder resides. |
rsa.endpoint.meta.logdecoder-port | 0 | integer | Log decoder port to which metas are to be posted |
rsa.endpoint.meta.logdecoder-rest-password | | string | Password to access the logdecoder REST port |
rsa.endpoint.meta.logdecoder-rest-port | 0 | integer | Log decoder REST port to which metas are to be posted. This port number is used to query the available buffer before sending the meta. |
rsa.endpoint.meta.logdecoder-rest-username | | string | Username to access the logdecoder REST port |
rsa.endpoint.meta.protobuf-ssl-enabled | false | boolean | SSL or Non SSL communication |
rsa.endpoint.meta.rest-ssl-enabled | false | boolean | REST SSL or Non REST SSL communication |
rsa.endpoint.meta.logdecoder-host | | string | Log decoder IP or hostname to which metas are to be posted. Deprecated since 6.0.0: to handle DHCP scenarios as well as manual IP change / load balancing scenarios, use of `logdecoderHost` for LD communication is deprecated. `logdecoderHostId` will be used instead of `logdecoderHost` for all log decoder communication in future versions. |

PackagerProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.packager.agent-cert-name | client.p12 | string | |
rsa.endpoint.packager.beacon-interval | 600 | seconds | |
rsa.endpoint.packager.packager-dir | /usr/lib/netwitness/endpoint-agents | string | |

MachineDataHandlerProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.queue.file-properties-drain-at-close | false | boolean | Optionally drain the queued files data to disk when the service is shut down normally |
rsa.endpoint.queue.file-size | 100 | integer | Max number of concurrent data requests that should be handled by the server for processing file data |
rsa.endpoint.queue.file-threads | 20 | integer | Max number of file persistence threads |
rsa.endpoint.queue.size | 100 | integer | Max number of concurrent data requests that should be handled by the server |
rsa.endpoint.queue.threads | 10 | integer | Max number of request handler threads |

QueueFileSystemPersistenceProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.queue.file.directory-context | dataDirectory | string | Represents the directory context (reference name) for the files to be persisted from file queues |
rsa.endpoint.queue.file.path-prefix | temp/queue/files | string | Represents the path prefix for files to be persisted from file queues |

RelayCommunicationProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.relay.communication.connect-timeout | 30 | seconds | Common connect timeout for all connections. |
rsa.endpoint.relay.communication.initial-delay | 30 | seconds | Time to wait before attempting to connect to relay server |
rsa.endpoint.relay.communication.max-connections | 100 | integer | Maximum number of connections allowed to nchan from relay server |
rsa.endpoint.relay.communication.nchan-base-url | | string | |
rsa.endpoint.relay.communication.publish-channel | /agent/publish | string | |
rsa.endpoint.relay.communication.request-timeout | 30 | seconds | Common request timeout for all connections. |
rsa.endpoint.relay.communication.retry-interval | 10 | seconds | Delay between connection attempts |
rsa.endpoint.relay.communication.subscribe-channel | /endpoint_server/subscribe | string | |
rsa.endpoint.relay.communication.subscribe-request-timeout | 5 | seconds | 0s is infinite time. |
rsa.endpoint.relay.communication.thread-pool-size | 100 | integer | |

RelayInstallerProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.relay.installer.cert-name | relay-server-cert.p12 | string | Relay-server certificate file name |
rsa.endpoint.relay.installer.dependency-dir | /var/netwitness/ | string | Directory where relay-server dependencies will be downloaded. The non-root user must have read and write access. |
rsa.endpoint.relay.installer.download-on-restart | true | boolean | Flag to decide whether to delete the local copy of relay-server dependencies and download them from the configured yum repo on every endpoint server restart. The download might take some time to complete, during which the user will not be able to download the relay-server installer. |
rsa.endpoint.relay.installer.init-delay | 20 | seconds | Delay for the background task which will download relay-server dependencies. |

RelayMetricsProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.relay.metrics.periodic-evaluation-delay | 300 | seconds | Time interval to evaluate if any relay-server config was modified and update the metrics if required |
rsa.endpoint.relay.metrics.refresh-time | 300 | seconds | Time interval to refresh the metrics from the relay-server |

SslContextProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.ssl.ssl-session-cache-size | 0 | integer | Max number of sessions to be kept in the SSL session cache |
rsa.endpoint.ssl.ssl-session-timeout | 0 | seconds | Max time an SSL session can be reused |

ThrottlingConfigurationProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.endpoint.throttling.enabled | true | boolean | |
rsa.endpoint.throttling.max | 70 | integer | |

UdpProperties

Name | Default value | Type | Description |
---|---|---|---|
rsa.transport.udp.enabled | true | boolean | Boolean to indicate if the server can consume UDP packets |
rsa.transport.udp.port | 0 | integer | UDP port |
rsa.transport.udp.size | 5000 | integer | Max number of concurrent data requests that should be handled by the server |
rsa.transport.udp.threads | 20 | integer | Max number of request handler threads |