How do you change the queue size for the Network IPS in firmware 4.x?
There may be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server will be down for an extended period of time for maintenance, you may need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, the device can then commit the queued events to it.
For this scenario, you can get an idea of how big the rsPostSensorEventQueue should be by multiplying the following factors:
(length of an anticipated outage in minutes) * (average events per minute for the device) * (1536 bytes per event) = queue size needed in bytes
Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15MB should hold about 10,000 events.
The Network IPS devices at firmware 4.x use the rsPostSensorEventQueue for events that will be sent to SiteProtector. This queue can be found in /cache/spool/crm/ and has a default value of 15MB (15000000 bytes).
To change the size of this queue, go through the instructions below:
Note: There is not a maximum file size for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15MB and we do not recommend increasing it above 100MB (100000000 bytes). As you increase the size of this queue, the size is automatically increased at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Please keep this in mind before changing the rsPostSensorEventQueue size.
- Log in to the appliance using the root account.
- Stop the issDaemon service with the following command: service issDaemon stop
Note: This will cause a brief disruption in the traffic going through the device. Please be sure to schedule this accordingly.
- Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line referenced below to the desired size in bytes. This line can be found under the 'event_services' section.
<param name='eventQueueSize' value='15000000' xmlns='http://www.iss.net/cml/Core/PolicyCommon' ordinal='7' />
- Save the changes to the file and start the issDaemon service with the following command: service issDaemon start
- Verify that the size of the rsPostSensorEventQueue.ADF file located in /cache/spool/crm/ has increased to the desired value.
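The sizing formula and the edit steps above, combined in one shell sketch (an added example, not IBM's own tooling). The function names, the .bak backup copy, and the choice to never go below the default or above the 100MB recommendation are assumptions of this example.

```shell
#!/bin/sh
# Added example: size rsPostSensorEventQueue and set eventQueueSize.
BYTES_PER_EVENT=1536       # rough per-event estimate from the technote
DEFAULT_QUEUE=15000000     # default queue size, 15MB
MAX_RECOMMENDED=100000000  # recommended ceiling, 100MB

# queue_size_bytes OUTAGE_MINUTES EVENTS_PER_MINUTE
# Prints the size to configure. Assumption of this example: never go below the
# default, and cap at the ceiling (exit status 2 then means the queue can
# still fill before the outage ends).
queue_size_bytes() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) echo "need two whole numbers" >&2; return 1 ;; esac
    done
    need=$(( $1 * $2 * BYTES_PER_EVENT ))
    if [ "$need" -le "$DEFAULT_QUEUE" ]; then echo "$DEFAULT_QUEUE"; return 0; fi
    if [ "$need" -gt "$MAX_RECOMMENDED" ]; then echo "$MAX_RECOMMENDED"; return 2; fi
    echo "$need"
}

# get_event_queue_size FILE: print the configured eventQueueSize value.
get_event_queue_size() {
    sed -n "/name='eventQueueSize'/ s/.*value='\([0-9]*\)'.*/\1/p" "$1"
}

# set_event_queue_size FILE BYTES
# Keeps a copy as FILE.bak, then rewrites only the eventQueueSize line.
set_event_queue_size() {
    file=$1 size=$2
    case "$size" in ''|*[!0-9]*) echo "size must be bytes" >&2; return 1 ;; esac
    grep -q "name='eventQueueSize'" "$file" || { echo "eventQueueSize not in $file" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed "/name='eventQueueSize'/ s/value='[0-9]*'/value='$size'/" "$file.bak" > "$file"
}

# On the appliance, as root, for an 8-hour outage at 60 events per minute:
#   size=$(queue_size_bytes 480 60)          # 44236800
#   service issDaemon stop
#   set_event_queue_size /etc/crm/rsPostLocalProperties.xml "$size"
#   service issDaemon start
#   ls -l /cache/spool/crm/rsPostSensorEventQueue.ADF
```

An exit status of 2 from queue_size_bytes is the signal to shorten the outage window rather than raise the queue past the recommended ceiling.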
Note: In pre-4.x firmware releases, there is a second queue called SensorEventQueue. This queue is used to store events that are displayed within the Proventia Manager web interface (LMI). Please see Technote #1435849 for more information on this. This particular queue is no longer used with 4.x. This information is now stored in a SQLite database called ipsAttacks.db, which can be found in /var/iss-db/. Expanding the size of this database file is currently unsupported. However, up to seven .db files can be used, each holding approximately 400,000 events. If all seven of these files are full, they will hold approximately 2.8 million events.
If the above information does not resolve your issue, contact IBM Security Systems Technical Support.
|Security||Proventia Virtualized Network Security Platform||Firmware||4.1, 4.3, 4.4, 4.5, 4.6|