How do you change the size of the event queue for the Proventia Network IPS (G/GV/GX) in firmware 1.x, 2.x, and 3.x?
There may be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server will be down for an extended period of time for maintenance, you may need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, it can then commit the events to SiteProtector.
For this scenario, you can estimate how big the rsPostSensorEventQueue should be with the following formula:
(length of an anticipated outage in minutes) * (average events per minute for the device) * (1536 bytes per event) = queue size needed in bytes
Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15MB should hold about 10,000 events.
The Proventia Network IPS (G/GV/GX) devices at firmware 1.x, 2.x, and 3.x use two different queues to handle events that are detected by the appliance (for firmware 4.x, please see Technote 1641096). These queues are referenced below:
- /cache/spool/crm/SensorEventQueue.ADF: This queue is used to show events on the local web interface (Proventia Manager or LMI). The default value is 15MB (15000000 bytes).
- /cache/spool/crm/rsPostSensorEventQueue.ADF: This queue is used for events that will be sent to SiteProtector. The default value is 15MB (15000000 bytes).
To modify the SensorEventQueue, please follow the instructions below:
- Open the Local Tuning Parameters policy from the SiteProtector console (or from the LMI if the sensor is not registered with SiteProtector).
- Within the Local Tuning Parameters policy, go to the Alert Queue tab.
- Set the Proventia Manager alert queue max size field to your desired queue size.
Note: You can modify the queue size from a minimum of 10KB to a maximum of 100MB (10000 to 100000000 bytes).
The size of the rsPostSensorEventQueue cannot be modified through the SiteProtector console or through the LMI. To increase the size of the rsPostSensorEventQueue, follow the steps below:
Note: There is no maximum file size for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15MB and we do not recommend increasing it above 100MB. When you increase the size of this queue, the file grows to the new size at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Please keep this in mind before changing the rsPostSensorEventQueue size.
- Log in to the appliance using the root account.
- Stop the issDaemon service with the following command: service issDaemon stop
Note: This will cause a brief disruption in the traffic going through the device. Please be sure to schedule this accordingly.
- Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line referenced below to the desired size in bytes. This line can be found under the 'event_services' section.
<param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='3'/>
- Save the changes to the file and start the issDaemon service with the following command: service issDaemon start
- Verify that the size of the rsPostSensorEventQueue.ADF file located in /cache/spool/crm/ has increased to the desired value.
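The sizing formula and the file edit above can be scripted as follows. This is an added example, not part of the original technote or any IBM tooling: the function names, the floor at the default size, and the sample file fragment are assumptions made for illustration. On an appliance the edit belongs between the service issDaemon stop and service issDaemon start steps.

```shell
#!/bin/sh
# Added example: sizing rule, defaults and the eventQueueSize param are from the
# technote; function names and the sample file are constructed for illustration.
BYTES_PER_EVENT=1536       # rough per-event estimate
DEFAULT_SIZE=15000000      # default queue size (15MB)
RECOMMENDED_MAX=100000000  # technote advises against exceeding 100MB

# queue_size_for OUTAGE_MINUTES EVENTS_PER_MINUTE: print the queue size in bytes.
# Assumption of this example: never go below the default; fail above 100MB.
queue_size_for() {
    need=$(( $1 * $2 * BYTES_PER_EVENT ))
    if [ "$need" -lt "$DEFAULT_SIZE" ]; then need=$DEFAULT_SIZE; fi
    if [ "$need" -gt "$RECOMMENDED_MAX" ]; then
        echo "need $need bytes, above recommended max $RECOMMENDED_MAX" >&2
        return 1
    fi
    echo "$need"
}

# current_event_queue_size FILE: print the configured eventQueueSize value.
current_event_queue_size() {
    sed -n "s/.*name='eventQueueSize' value='\([0-9]*\)'.*/\1/p" "$1"
}

# set_event_queue_size FILE BYTES: rewrite only that value, keep FILE.bak,
# and succeed only if the new value reads back.
set_event_queue_size() {
    file=$1; new=$2
    case $new in ''|*[!0-9]*) echo "size must be an integer" >&2; return 1 ;; esac
    [ -n "$(current_event_queue_size "$file")" ] || { echo "param not found" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed "/name='eventQueueSize'/s/value='[0-9]*'/value='$new'/" "$file.bak" > "$file" || return 1
    [ "$(current_event_queue_size "$file")" = "$new" ]
}

# Demo on a constructed fragment, not the live /etc/crm/rsPostLocalProperties.xml.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<!-- constructed fragment; the real file has more content -->
<param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='3'/>
EOF
size=$(queue_size_for 480 40) && set_event_queue_size "$demo" "$size"
echo "8h outage at 40 events/min -> eventQueueSize $(current_event_queue_size "$demo")"
rm -f "$demo" "$demo.bak"
```

The .bak copy gives a quick way back to the previous value if the larger queue affects performance on the device.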
If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.
|Security||Proventia Virtualized Network Security Platform||Firmware||3.1, 3.3|