Changing the size of the event queue for the Proventia Network IPS in firmware 4.x

Technote (FAQ)


Question

How do you change the queue size for the Proventia Network IPS (GV/GX) in firmware 4.x?

Cause

There may be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server will be down for an extended period of time for maintenance, you may need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, it can then commit the events to SiteProtector.
For this scenario, you can get an idea of how big the rsPostSensorEventQueue should be by determining the following factors:

(length of an anticipated outage in minutes) * (average events per minute for the device) * (1536 bytes per event) = queue size needed in bytes

Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15MB should hold about 10,000 events.


Answer

The Proventia Network IPS (GV/GX) devices at firmware 4.x use the rsPostSensorEventQueue for events that will be sent to SiteProtector. This queue can be found in /cache/spool/crm/ and has a default value of 15MB (15000000 bytes).


To change the size of this queue, please go through the instructions below:
==========
Note: There is not a maximum file size for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15MB and we do not recommend increasing it above 100MB (100000000 bytes). As you increase the size of this queue, the size is automatically increased at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Please keep this in mind before changing the rsPostSensorEventQueue size.

  1. Login to the appliance using the root account.

  2. Stop the issDaemon service with the following command: service issDaemon stop

    Note: This will cause a brief disruption in the traffic going through the device. Please be sure to schedule this accordingly.

  3. Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line referenced below to the desired size in bytes. This line can be found under the 'event_services' section.

    <param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='7' />

  4. Save the changes to the file and start the issDaemon service with the following command: service issDaemon start

  5. Verify that the size of the rsPostSensorEventQueue.ADF file located in /cache/spool/crm/ has increased to the desired value.

==========

Note: In pre-4.x firmware releases, there is a second queue called SensorEventQueue. This queue is used to store events that are displayed within the Proventia Manager web interface (LMI). Please see Technote #1435849 for more information on this. This particular queue is no longer used with 4.x. This information is now stored in a SQLite database called ipsAttacks.db and can be found in /var/iss-db/. Expanding the size of this database file is currently unsupported. However, there can be seven total .db files used; each holding approximately 400,000 events. If all seven of these files are full, it will hold approximately 2.8 million events.


If the above information does not resolve your issue, please contact IBM Security Systems Technical Support.

Related information

DCF 1435849


Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Virtualized Network Security Platform Firmware 4.1, 4.3, 4.4, 4.5, 4.6
Security IBM Security Network Intrusion Prevention System Firmware 4.1, 4.3, 4.4, 4.5, 4.6

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Network Intrusion Prevention System

Software version:

4.1, 4.3, 4.4, 4.5, 4.6

Operating system(s):

Firmware

Reference #:

1641096

Modified date:

2013-06-20

Translate my page

Machine Translation

Content navigation