Changing the size of the event queue for the Network IPS
How do you change the queue size for the Network IPS (GX)?
There may be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server will be down for an extended period of time for maintenance, you may need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, it can then commit the events to SiteProtector.
For this scenario, you can get an idea of how big the rsPostSensorEventQueue should be by determining the following factors:
( length of an anticipated outage in minutes ) * ( average events per minute for the device ) * ( 1536 bytes per event ) = queue size needed in bytes
Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15MB should hold about 10,000 events.
Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.
The GX devices use the rsPostSensorEventQueue for events that will be sent to SiteProtector. This queue can be found in /cache/spool/crm/ and has a default value of 15MB (15000000 bytes).
To change the size of this queue, go through the instructions below:
Note: There is not a maximum file size for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15MB and we do not recommend increasing it above 100MB. As you increase the size of this queue, the size is automatically increased at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Please keep this in mind before changing the rsPostSensorEventQueue size.
- Log in to the appliance using the root account.
- Stop the issDaemon service with the following command:
service issDaemon stop
Note: This will cause a brief disruption in the traffic going through the device. Please be sure to schedule this accordingly.
- Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line referenced below to the desired size in bytes. This line can be found under the 'event_services' section.
<param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='7' />
- Save the changes to the file and start the issDaemon service with the following command:
service issDaemon start
- Verify that the size of the rsPostSensorEventQueue.ADF file located in /cache/spool/crm/ has increased to the desired value.
Note: In pre-4.x firmware releases, there is a second queue called SensorEventQueue. This queue is used to store events that are displayed within the Proventia Manager web interface (LMI). See Technote #1435849 for more information on this. This particular queue is no longer used with 4.x. This information is now stored in a SQLite database called ipsAttacks.db and can be found in /var/iss-db/. Expanding the size of this database file is currently unsupported. However, there can be seven total .db files used; each holding approximately 400,000 events. If all seven of these files are full, it will hold approximately 2.8 million events.
|Security||Proventia Virtualized Network Security Platform||General Information||Firmware||4.6.1, 4.6.2|
More support for:
IBM Security Network Intrusion Prevention System
Software version: 4.6.1, 4.6.2
Operating system(s): Firmware
Reference #: 1641096
Modified date: 2013-06-20