InTrust Real-Time collection and Agent side Cache

Hello,

 

Most of the documentation says that when collecting Real-Time data the agent has a 1.7 GB limit before it starts deleting old data, but the documentation also says that the same folder can store data of unlimited size when you set AgentCache_FolderSizeLimit to -1.

 

- If you set AgentCache_FolderSizeLimit to -1, how can you increase the 1.7 GB limit so that data gets deleted after, for example, 5 GB?

- Also, what is the directory for real-time collection on the Agent side whose size we can check to see if we are hitting the 1.7 GB threshold?

- What is the interval at which the Agent on the server takes the data from the security event log and puts it in the cache to send to the InTrust Server?

  • Hi Payank,

    Please find answers below.

1. We have two types of collection inside InTrust – Real-Time Collection (RTC) and Scheduled Gathering (often called Classic). On the Agent’s side those collections use different ways of handling collected events before sending them to the server. The Classic one uses the Agent log backup method, which can be enabled from Gathering policies -> Datasource properties. So, if that Agent-side Log Backup option is enabled, then the ‘<Agent_data_path>\proxy_manager\<guid>’ folder will be used as temporary storage for collected events.

     

This temporary storage folder (cache) can be managed by the following ORG parameters:

    ITRT_RTCacheFileLimitSize

    Sets the maximum size for non-archived agent cache files (Mb). Changes to this parameter take effect on an agent when that agent is restarted. The recommended value is 64.

    ITRT_RTCacheFolderLimitSize

    Sets the maximum size for the agent cache folder (Mb). Changes to this parameter take effect on an agent when that agent is restarted. The recommended value is 1024.

     

Virtually, the size of such a cache is limited only by the free space on the Agent’s drive, but we suggest following our recommended values. All of the above is applicable ONLY to Scheduled Gathering, not to Real-Time.

    The real-time collection engine uses a different way of working with gathered events. Every real-time agent has its own outbound queue on the agent host. The queue is implemented as a file buffer in the ‘<agent_data_path>\tasks\<guid>\tpvc’ folder, where <guid> is the unique GUID of the Agent.

    This outbound queue size is manageable by the ITRT_CommAgentMaxSizeCommunicationQueue parameter; the default value is set to 1 GB. However, the maximum value of this parameter is 1.7 GB and cannot be increased at present. We have a story in our Jira to change this limitation in the future.

2. There is no way for an InTrust operator to monitor the outbound queue size or such folder size. Probably it could be done with third-party software, in the case of folder size.
    3. We put collected events into the cache every minute.
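Since the answer above notes there is no built-in operator view of the real-time outbound queue, here is an added PowerShell script (not part of this thread and not InTrust tooling) that sizes each '<agent_data_path>\tasks\<guid>\tpvc' folder against the 1.7 GB ceiling. The agent data path is supplied by the caller, and the 80% warning threshold is an assumption.

```powershell
# Added example: report the size of every real-time agent outbound queue folder
# ('<agent_data_path>\tasks\<guid>\tpvc') and flag queues nearing the 1.7 GB
# ceiling of ITRT_CommAgentMaxSizeCommunicationQueue described in the thread.
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentDataPath,         # the agent's data directory (caller supplies it)
    [double]$CeilingGB = 1.7,       # hard maximum of the queue parameter (from the thread)
    [int]$WarnPercent  = 80         # assumed warning threshold, percent of the ceiling
)

$ceilingBytes = [long]($CeilingGB * 1GB)
$tasksRoot    = Join-Path $AgentDataPath 'tasks'

if (-not (Test-Path $tasksRoot)) {
    Write-Error "Tasks folder not found: $tasksRoot (check -AgentDataPath)"
    exit 1
}

# Each real-time agent keeps its queue in tasks\<guid>\tpvc
$queues = Get-ChildItem -Path $tasksRoot -Directory |
    ForEach-Object { Join-Path $_.FullName 'tpvc' } |
    Where-Object { Test-Path $_ }

$report = foreach ($q in $queues) {
    # Sum file sizes under the queue folder; an empty queue is 0 bytes
    $files = @(Get-ChildItem -Path $q -Recurse -File -ErrorAction SilentlyContinue)
    $bytes = if ($files.Count -gt 0) {
        ($files | Measure-Object -Property Length -Sum).Sum
    } else { 0 }
    $pct = [math]::Round(100 * $bytes / $ceilingBytes, 1)
    [pscustomobject]@{
        Queue   = $q
        SizeMB  = [math]::Round($bytes / 1MB, 1)
        Percent = $pct
        Status  = if ($pct -ge $WarnPercent) { 'WARN' } else { 'OK' }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a scheduled task or monitoring agent treat WARN as an alert
if ($report | Where-Object { $_.Status -eq 'WARN' }) { exit 2 } else { exit 0 }
```

Run it periodically (for example from a scheduled task) so a queue that is filling faster than the agent can forward events is noticed before the ceiling forces old data to be dropped.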