Configuring STRM Log Manager
Step 4 On the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters are displayed.
Step 5 Enter values for the parameters:
Step 6 Click Save.
Step 7 Repeat for all Event Collectors in your deployment that you want to configure.
Table 8-6 Event Collector Parameters
Parameter Description
Destination Event Processor
Type the destination Event Processor for communications.
Event Forwarding Listen Port
Type the listening port for event forwarding to other non-Console.
Table 8-7 Event Collector Advanced Parameters
Parameter Description
Primary Collector
Specifies one of the following values:
• True - Specifies that the Event Collector is located on a Console system.
• False - Specifies that the Event Collector is located on a non-Console system.
Auto Detection Enabled
Type one of the following values:
• Yes - Enables the Event Collector to automatically analyze and accept traffic from previously unknown log sources. The appropriate firewall ports are opened to enable Autodetection to receive events. This is the default.
• No - Prevents the Event Collector from automatically analyzing and accepting traffic from previously unknown log sources.
For more information on configuring log sources, see the STRM Log Manager Log Sources Guide.
Destination Event Processor
Type the destination Event Processor for events if the current Event Processor is not the Primary Collector.
The connection to the Destination Event Processor is shown as <Destination Event Processor IP Address>:32005.
Configuring STRM Log Manager Components 137
Configuring an Event Processor
This section provides information on how to configure an Event Processor. For an overview of the Event Processor component, see Building Your Event View.
To configure an Event Processor:
Step 1 From either the Event View or System View pages, select the Event Processor you want to configure.
Step 2 From the menu, select Actions > Configure.
NOTE
You can also right-click a component to access the Action menu items.
Step 3 Enter values for the parameters:
Step 4 On the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters are displayed.
Step 5 Enter values for the parameters, as necessary:
Table 8-8 Event Processor Parameters
Parameter Description
Event Collector Connections Listen Port
Type the port that the Event Processor monitors for incoming Event Collector connections. The default value is port 32005.
Event Processor Connections Listen Port
Type the port that the Event Processor monitors for incoming Event Processor connections. The default value is port 32007.
Table 8-9 Event Processor Parameters
Parameter Description
Overflow Routing Threshold
Type the events per second threshold that the Event Processor can manage. Events over this threshold are placed in the cache.
Step 6 Click Save.
Step 7 Repeat for all Event Processors in your deployment that you want to configure.
Configuring an Off-site Source
This section provides information on how to configure an off-site source. For an overview of the off-site source component, see Building Your Event View.
Test Rules
Note: The test rules list box in the Deployment Editor is available for non-Console Event Processors only.
Type one of the following options:
• Locally - Rules are tested on the Event Processor and not shared with the system. Testing rules locally is the default for Console Event Processors.
• Globally - Allows individual rules for every Event Processor to be shared and tested system wide.
Each rule can be toggled to Global for detection by any Event Processor on the system.
Note: If a rule is configured to test locally, the Globally option does not override the rule setting.
For example, you can create a rule to alert you when there are five failed login attempts within 5 minutes. The default for the rule is set to local. When the Event Processor containing the local rule observes five failed login attempts, the rule generates a response. When the rule in the example above is set to Global, the rule generates a response when five failed login attempts within 5 minutes are detected on any Event Processor. This means that when rules are shared globally, the rule can detect when one failed login attempt comes from each of five separate Event Processors. Testing rules globally is the default for non-Console Event Processors, with each rule on the Event Processor set to test locally.
Overflow Routing Threshold
Type the events per second threshold that the Event Processor can manage. Events over this threshold are placed in the cache.
Events database path
Type the location where you want to store events. The default is /store/ariel/events.
Payloads database path
Type the location where you want to store payload information. The default is /store/ariel/payloads.
Table 8-9 Event Processor Parameters (continued)
Parameter Description
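The difference between testing a rule locally and globally, as described for the Test Rules parameter, can be seen by running the guide's example rule (five failed login attempts within 5 minutes) under both scopes. This is an added example, not STRM Log Manager code; the event tuples, the names ep1 to ep5 and the failed_login label are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60   # "within 5 minutes" from the guide's example rule
THRESHOLD = 5             # "five failed login attempts"

def evaluate(events, scope):
    """Return (timestamp, counter_key) pairs at which the rule responds.

    events: iterable of (timestamp_seconds, event_processor, event_name),
            sorted by timestamp (constructed format, not a product format).
    scope:  "local"  - each Event Processor counts only what it observed
            "global" - one shared counter across all Event Processors
    """
    if scope not in ("local", "global"):
        raise ValueError("scope must be 'local' or 'global'")
    windows = defaultdict(deque)   # counter key -> timestamps in the window
    responses = []
    for ts, processor, name in events:
        if name != "failed_login":
            continue
        key = processor if scope == "local" else "ALL"
        window = windows[key]
        window.append(ts)
        # Drop attempts that fall outside the window ending at this event.
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            responses.append((ts, key))
            window.clear()         # start a fresh count after responding
    return responses

# Constructed sample data: one failed login on each of five Event Processors
# within two minutes, then five failures on ep1 alone inside five minutes.
SPREAD = [(0, "ep1", "failed_login"), (30, "ep2", "failed_login"),
          (60, "ep3", "failed_login"), (90, "ep4", "failed_login"),
          (120, "ep5", "failed_login")]
BURST = [(1000 + 10 * i, "ep1", "failed_login") for i in range(5)]
# Five failures spaced 150 s apart never share one 5-minute window.
SLOW = [(150 * i, "ep%d" % (i + 1), "failed_login") for i in range(5)]

if __name__ == "__main__":
    for scope in ("local", "global"):
        print(scope, evaluate(SPREAD + BURST, scope))
```

With the rule tested locally, the five failures spread across ep1 to ep5 produce no response; only the burst on ep1 does. Tested globally, the spread attempts are counted together and the rule responds at the fifth one.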
NOTE
When configuring off-site source and target components, we recommend that you deploy the Console with the off-site source first and the Console with the off-site target second to prevent connection errors.
To configure an off-site source component:
Step 1 From either the Event View or System View pages, select the off-site source you want to configure.
Step 2 From the menu, select Actions > Configure.
NOTE
You can also right-click a component to access the Action menu items.
Step 3 Enter values for the parameters:
Step 4 Click Save.
Step 5 Repeat for all off-site sources in your deployment that you want to configure.
Configuring an Off-site Target
This section provides information on how to configure an off-site target. For an overview of the off-site target component, see Building Your Event View.
NOTE
When configuring off-site source and target components, we recommend that you deploy the Console with the off-site source first and the Console with the off-site target second to prevent connection errors.
To configure an off-site target component:
Step 1 From either the Event View or System View pages, select the off-site target you want to configure.
Step 2 From the menu, select Actions > Configure.
NOTE
You can also right-click a component to access the Action menu items.
Table 8-10 Off-site Source Parameters
Parameter Description
Receive Events
Type one of the following values:
• True - Enables the system to receive events from the off-site source host.
• False - Prevents the system from receiving events from the off-site source host.
Step 3 Enter values for the parameters:
Step 4 Click Save.
Table 8-11 Off-site Target Parameters
Parameter Description
Event Collector Listen Port
Type the Event Collector listen port for receiving event data. The default listen port for events is 32004.
If the off-site target system has been upgraded from a previous STRM Log Manager software version, you must change the port from the default (32004) to the port specified in the Event Forwarding Listen Port parameter for the off-site target. For more information on how to access the Event Forwarding Listen port on the off-site target, see Configuring an Event Collector.