Services Config View - Broker or Concentrator General Tab

The General tab for a Broker or Concentrator in the Services Config helps manage basic service configuration, configure the aggregate service, and configure the aggregation process between a Broker or Concentrator and the aggregate service.

Configuring the aggregate service (whose data is consumed and aggregated) includes:

  • Adding, editing, and deleting Concentrators and Brokers as aggregate services
  • Toggling an aggregate service online and offline
  • Monitoring statistics for aggregate services
  • Starting and stopping aggregation

Configuring the aggregation process includes setting:

  • Aggregation autostart
  • Timing and performance parameters, such as the number of sessions per round of aggregation and time between rounds
  • The timing of attempts to restart, reconnect, or take offline a non-responsive aggregate service

What do you want to do?

Role | I want to... | Refer to...
Administrator | Start and stop aggregation; add, edit, delete, and toggle an aggregate service | Aggregate Services Section
Administrator | Manage system configuration | System Configuration Section

General tab

This is an example of the General tab for a Concentrator.

[Screenshot: General tab for a Concentrator]

This is an example of the General tab for a Broker.

[Screenshot: General tab for a Broker]

These are the three major sections in the General tab for Brokers and Concentrators:

  • Aggregate Services
  • System Configuration
  • Aggregation Configuration

Aggregate Services Section

The Aggregate Services section provides a way to start and stop aggregation, as well as add, edit, delete, and toggle an aggregate service. This is an example of the Aggregate Services section for a Concentrator.

[Screenshot: Aggregate Services section for a Concentrator]

The Aggregate Services section toolbar offers these options.

Option Description
[Add icon] Opens a dialog in which you can add a Concentrator, Decoder, or Log Decoder as an aggregate service.
[Delete icon] Removes the selected aggregate service.
[Edit icon] For Concentrators only, opens a dialog to edit Meta Fields and Filter values for the Concentrator.
[Edit Service icon] Enables you to enter the administrator credentials of the selected aggregate service so that it can communicate with the Broker or Concentrator.
[Start Aggregation icon] When aggregation has been stopped or has not started, starts aggregating data from the online services in the list using the rules defined for each service.
[Stop Aggregation icon] When aggregation is in progress, stops aggregation on the Broker or Concentrator. This stops all services and flushes the index, which may take several minutes to complete. It is necessary to stop aggregate services in order to perform various administrative procedures.
[Toggle Service icon] Toggles the state of a service between offline and online. Only data from online services is consumed during aggregation.

The Aggregate Services section list has these columns.

Column Description
Address Lists the address of the service.
Port Lists the port on which the service listens. The default ports are:
  • 50001 for Log Collectors
  • 50002 for Log Decoders
  • 50003 for Brokers
  • 50004 for Decoders
  • 50005 for Concentrators
  • 50007 for other services
Rate Lists the number of metadata objects being written to the database per second. Values are rolling average samples over a short time period (10 seconds). After capture stops, the rate is reset to 0.
Max Lists the maximum number of metadata objects written to the database per second since capture started. Values are rolling average samples over a short time period (10 seconds). After capture stops, Max continues to show the maximum value during capture.
Behind Lists the number of sessions on the service that need to be aggregated.
Collection For Brokers only, indicates the collection that was selected when the Analyst Workbench service was added to the Aggregate Services section.
Meta Fields For Concentrators only, lists the types of metadata being consumed by the aggregate service.
Filter For Concentrators only, a rule expression (as used in a ‘where’ clause) that can be used to filter the results. You must add a meta key along with an operator and a value, for example: ip.src != 127.0.0.1 && word exists
Meta Include For Concentrators only, lists the number of types of meta included in the aggregate service.
Grouped Whether or not the aggregate service is part of a group.
Status Lists the current status of the service:
  • online = available to provide data for consumption by the Broker or Concentrator
  • offline = not available to provide data for consumption by the Broker or Concentrator
  • consuming = providing data for consumption by the Broker or Concentrator

System Configuration Section

The System Configuration section manages service configuration for a service. When a service is first added, default values are in effect. You can edit these values to tune performance.

[Screenshot: System Configuration section]

The System Configuration section has these parameters.

Parameter Description
Compression The minimum number of bytes that must be transmitted per response before compression. A setting of 0 disables compression. The default value is 0.
A change in value is effective immediately for all subsequent connections.
Port The port on which the service listens. The default ports are:
  • 50001 for Log Collectors
  • 50002 for Log Decoders
  • 50003 for Brokers
  • 50004 for Decoders
  • 50005 for Concentrators
  • 50007 for other services
SSL FIPS Mode When enabled (on), the security of data transmission is managed by encrypting information and providing authentication with SSL certificates. The default value is off.
SSL Port Indicates the SSL port.
Stat Update Interval The number of milliseconds between statistic updates on the system. Lower numbers cause more frequent updates and can slow down other processes. The default value is 1000.
A change in value is effective immediately.
Threads The number of threads in the thread pool to handle incoming requests. A setting of 0 lets the system decide. The default value is 15.
A change takes effect on service restart.

Aggregation Configuration Section

The Aggregation Configuration section provides configuration settings that affect various aspects of the aggregation process. When you click Apply, the changes are saved; however, not all settings take effect immediately. The tables for Aggregation Settings and Service Heartbeat provide details.

Caution: Do not change any of these settings unless guided by the Developers or the Customer Support team. Contact Customer Support with any questions before editing any of these settings.

[Screenshot: Aggregation Configuration section]

The following table describes the aggregation settings.

Setting Description
Aggregate Autostart Option to start aggregation automatically each time the Broker or Concentrator is started. Checked means yes, unchecked means no. This change takes effect immediately.
Aggregate Hours The number of hours back for each service that the Concentrator or Broker attempts to recover at the beginning of aggregation. This change takes effect immediately.
  • If the value is set to 0, aggregation for each service starts where it last left off, no matter the number of hours behind.
  • If the value is any positive integer, the Concentrator or Broker only consumes sessions less than that number of hours back.
For example, if a service's most current session is +10 hours from the last session, this is what happens with two different Aggregate Hours values:
  • With a value of 12, the Concentrator or Broker starts consuming where it left off.
  • With a value of 4, all sessions between 5 and 10 hours back are skipped and the Concentrator or Broker starts consuming the session that started 4 hours back.
Aggregate Interval The number of milliseconds between rounds of service aggregation. All services managed by the Broker or Concentrator request additional rounds of session and metadata to be aggregated. If a Broker or Concentrator is still consuming the previous round of data, it cannot request more until it finishes. Change takes effect immediately.
Aggregate Max Sessions The maximum number of sessions that the Broker or Concentrator requests in a given round of data aggregation. Change takes effect after restart.
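
The Aggregate Hours rule in the table above decides how much session time is never aggregated when a service has fallen behind. The following sketch is an added example, not NetWitness code: it models the rule as stated there in continuous time and lists the skipped window for each service. The function names, addresses and timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

def resume_point(last_consumed, newest, aggregate_hours):
    """Model of the Aggregate Hours rule for one aggregate service.

    Returns (resume_from, skipped): where consumption restarts and how much
    session time between last_consumed and resume_from is never aggregated.
    """
    if aggregate_hours < 0:
        raise ValueError("Aggregate Hours must be 0 or a positive integer")
    if aggregate_hours == 0:
        # 0 = resume where aggregation left off, however far behind.
        return last_consumed, timedelta(0)
    # Only sessions less than aggregate_hours back from the newest are consumed.
    cutoff = newest - timedelta(hours=aggregate_hours)
    resume_from = max(last_consumed, cutoff)
    return resume_from, resume_from - last_consumed

def coverage_gaps(services, aggregate_hours):
    """List (address, gap_start, gap_end) windows that would be skipped."""
    gaps = []
    for address, last_consumed, newest in services:
        resume_from, skipped = resume_point(last_consumed, newest, aggregate_hours)
        if skipped > timedelta(0):
            gaps.append((address, last_consumed, resume_from))
    return gaps

# Constructed sample data: (address, last session aggregated, newest session).
NOW = datetime(2024, 1, 1, 12, 0)
SERVICES = [
    ("10.0.0.11", NOW - timedelta(hours=10), NOW),  # 10 hours behind
    ("10.0.0.12", NOW - timedelta(hours=2), NOW),   # 2 hours behind
    ("10.0.0.13", NOW, NOW),                        # fully caught up
]

if __name__ == "__main__":
    for hours in (0, 12, 4):
        print(f"Aggregate Hours = {hours}")
        for address, start, end in coverage_gaps(SERVICES, hours):
            print(f"  {address}: not aggregated from {start} to {end}")
```

With a value of 0 or 12 no window is reported for the service that is 10 hours behind; with a value of 4 the report shows the span that investigations on this Broker or Concentrator will not cover for that service.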

Service Heartbeat

In communicating with each aggregate service, Brokers and Concentrators monitor the heartbeat of the service. These parameters specify the timing of the first attempt to reconnect to a service after an error, the next attempt to reconnect, and taking the service offline after failure to reconnect.

Setting Description
Heartbeat Error Restart After a heartbeat error is detected on an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting a service reconnect.
Heartbeat Next Attempt After a failed attempt to reconnect to an aggregate service, specifies the number of seconds for a Broker or Concentrator to wait before attempting another service reconnect. Change takes effect immediately.
Heartbeat No Response After failing to reconnect to an unresponsive service, specifies the number of seconds for the Broker or Concentrator to wait before taking the unresponsive service offline. Change takes effect immediately.

When editing parameters in the General tab, you must click Apply to save changes.