IBM Support

Changing the size of the event queue for the Security Network IPS

Technote (FAQ)


How do you change the queue size for the Security Network IPS (GX)?


YouTube Video
Changing the Network IPS Event Queue Size and Behavior (5:42)
Instructions for changing the IPS Event Queue size and configuring the WRAP behavior

There can be certain circumstances where the default queue size is not large enough. For example, if the SiteProtector server is down for an extended period of time for maintenance, you might need to increase the rsPostSensorEventQueue so that the uncommitted events are not lost once the event queue becomes full. When SiteProtector is back up, it can then commit the events to SiteProtector.

For this scenario, you can get an idea of how large the rsPostSensorEventQueue should be by determining the following factors:

( length of an anticipated outage in minutes ) * ( average events per minute for the device ) * ( 1536 bytes per event ) = queue size needed in bytes

Note: 1536 bytes is a rough estimate for the event size. This is not accurate for all events and should only be used to get an estimate of the total size needed. The default queue size of 15 MB should hold about 10,000 events.


Important: When performing administration tasks via ssh or local console, configuration changes made to your IBM appliance by any user other than admin could degrade appliance performance. Installing or activating other services or applications may also impact appliance performance or security. IBM Infrastructure Security Support will not support configuration changes made using the root user account unless specifically directed by a support engineer or IBM documentation. The following DCF Technote content is supported. Any further changes made that are not included in this document will place your product into an unsupported state and IBM product support may require you to reimage your appliance to restore it to a supported state.

The GX devices use the rsPostSensorEventQueue for events that are sent to SiteProtector. This queue can be found in /cache/spool/crm/ and has a default value of 15 MB (15000000 bytes).

To change the size of this queue, go through the instructions below:

Note: There is not a maximum file size for the rsPostSensorEventQueue file. However, we recommend keeping the queue size close to the default of 15 MB and we do not recommend increasing it above 100 MB. As you increase the size of this queue, the size is automatically increased at the time of the change (not on an as-needed basis like a text log file might). This file is also kept open as it is constantly being accessed by the driver and the iss-spa process. So, increasing the size of that file increases the baseline file I/O overhead for the device and can significantly impact performance on a heavily subscribed device. Keep this in mind before changing the rsPostSensorEventQueue size.
  1. Log in to the appliance by using the root account.
  2. Stop the issDaemon service with the following command: service issDaemon stop
    This causes a brief disruption in the traffic that is going through the device. Be sure to schedule this accordingly.
  3. Modify the /etc/crm/rsPostLocalProperties.xml file by changing the value field in the line that is referenced below to the desired size in bytes. This line can be found under the 'event_services' section.
    <param name='eventQueueSize' value='15000000' xmlns='' ordinal='7' />
  4. Save the changes to the file and start the issDaemon service with the following command: service issDaemon start
  5. Verify that the size of the rsPostSensorEventQueue.ADF file that is located in /cache/spool/crm/ has increased to the desired value.

Cross reference information
Segment Product Component Platform Version Edition
Security Proventia Virtualized Network Security Platform General Information Firmware 4.6.1, 4.6.2

Document information

More support for: IBM Security Network Intrusion Prevention System
General Information

Software version: 4.6.1, 4.6.2

Operating system(s): Firmware

Reference #: 1641096

Modified date: 02 April 2018

Translate this page: