Changing size of the event queue for the Proventia Network IPS in firmware 1.x, 2.x, and 3.x
How do you change the size of the event queue for the Proventia Network IPS (G/GV/GX) in firmware 1.x, 2.x, and 3.x?
Important: When performing administration tasks via SSH or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will only support configuration changes made through the admin configuration menu unless specifically directed by a Support Engineer or IBM documentation. Any other changes will place the product into an unsupported state. Users may be required to reimage the system to restore it to a supported state.
There may be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server will be down for an extended period of time for maintenance, you may need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, it can then commit the events to SiteProtector.
For this scenario, you can get an idea of how big the rsPostSensorEventQueue should be by determining the following factors:
( length of an anticipated outage in minutes ) * ( average events per minute for the device ) * ( 1536 bytes per event ) = queue size needed in bytes
Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15MB should hold about 10,000 events.
The Proventia Network IPS (G/GV/GX) devices at firmware 1.x, 2.x, and 3.x use two different queues to handle events that are detected by the appliance (for firmware 4.x, see Technote 1641096). These queues are referenced below:
- /cache/spool/crm/SensorEventQueue.ADF: This queue is used to show events on the local web interface (Proventia Manager or LMI). The default value is 15MB (15000000 bytes).
- /cache/spool/crm/rsPostSensorEventQueue.ADF: This queue is used for events that will be sent to SiteProtector. The default value is 15MB (15000000 bytes).
To modify the SensorEventQueue, follow the instructions below:
- From the SiteProtector Console's Agent view, right-click on the GX you wish to change and click on Manage Policy.
Note: If the device is not registered with SiteProtector, you will need to open the Proventia Manager Web Interface and open the Local Tuning Parameters policy. So, you can skip step 1 and 2 if the device is not registered with SiteProtector.
- On the left-hand side under Agent-Specific Policies, open the Local Tuning Parameters policy.
- Within the Local Tuning Parameters policy, go to the Alert Queue tab.
- Modify the value in Proventia Manager alert queue max size field with your desired queue size and save/deploy the policy.
Note: You can modify the queue size from a minimum of 10KB to a maximum of 100MB (10000 to 100000000 bytes).
The size of the rsPostSensorEventQueue cannot be modified through the SiteProtector console or through the LMI. To increase the size of the rsPostSensorEventQueue, follow the steps below:
Note: There is a maximum file size of 2GB (2147483648 bytes) for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15MB and we do not recommend increasing it above 100MB. As you increase the size of this queue, the size is automatically increased at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Keep this in mind before changing the rsPostSensorEventQueue size.
- Login to the appliance using the root account.
- Stop the issDaemon service with the following command:
service issDaemon stop
Note: This will cause a brief disruption in the traffic going through the device. Be sure to schedule this accordingly.
- Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line referenced below to the desired size in bytes. This line can be found under the 'event_services' section.
<param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='3'/>
- Save the changes to the file and start the issDaemon service with the following command:
service issDaemon start
- Verify that the size of the rsPostSensorEventQueue.ADF file located in /cache/spool/crm/ has increased to the desired value.
|Security||Proventia Virtualized Network Security Platform||Firmware||3.3|
More support for:
IBM Security Network Intrusion Prevention System
Software version: 1.8, 2.5, 3.3
Operating system(s): Firmware
Reference #: 1435849
Modified date: 20 June 2013