Service Parameters
Data Server
Service parameters which are found in service configuration files:
parameter | type | default value | description |
---|---|---|---|
compressData | boolean | true | Message compression flag |
encryptData | boolean | true | Message encryption flag |
throttleCollection | string | "100000" | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
mqHost | string | "127.0.0.1" | Address of the queuing services |
mqPort | string | "5672" | Port of the queuing services |
mqUserName | string | "cq" | Username of the queuing services |
mqPassword | string | "*" | Encrypted password of the queuing services |
mqUseSSL | boolean | false | Whether to use TLS for the connection to the queuing services |
tenant | string | "" | Tenant name |
useHTTPSTransport | boolean | false | Whether to use HTTPS transport instead of the message queue service |
HttpTransportUrl | string | "127.0.0.1" | HTTPS transport URL |
CLIENT_ACCESS_TOKEN | string | "DEFAULT_CLIENT-ACCESS-TOKEN" | HTTPS transport access token |
UDPSyslogPort | string | "5140" | UDP syslog server port (received data is processed) |
UnprocessedUDPSyslogPort | string | "5141" | UDP syslog server port (received data is not processed) |
TCPSyslogPortEn | boolean | true | TCP syslog server enable flag |
TCPSyslogPort | string | "32004" | TCP syslog server port (received data is processed) |
UDPNetflowPort | string | "2055" | UDP netflow capture server port |
UDPCEFPort | string | "5142" | UDP CEF format server port |
UDPIntrustPort | string | "5143" | UDP intrust format server port |
UDPListenIP | string | "0.0.0.0" | IPv4 address the UDP servers listen on |
CacheMinimumFreeSpace | string | "2048" | Minimum space available on disk to write data, in case of throttling |
MaximumContainerValue | string | "500000" | Maximum amount of data stored in a container; if a UDP port is flooded, data beyond this limit is discarded and an alert is raised |
debugLevel | string | "0" | Debug level: 0 = FATAL ERROR and ERROR messages, 1 = WARNING messages, 2 = INFO messages, 3 = DEBUG messages |
UDPSyslogPortEn | boolean | false | UDP syslog server (with data processing) enable flag |
UnprocessedUDPSyslogPortEn | boolean | false | UDP syslog server (without data processing) enable flag |
UDPNetflowPortEn | boolean | false | UDP netflow capture server enable flag |
UDPCEFPortEn | boolean | false | UDP CEF format server enable flag |
UDPIntrustPortEn | boolean | false | UDP intrust format server enable flag |
Data Acquisition
Service parameters which are found in service configuration files:
config.ini file
parameter | type | default value | description |
---|---|---|---|
Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
Config_DB_DB | string | config | This is the database name of the mysql DB server |
Config_DB_USER | string | root | This is the username of the mysql DB server |
Config_DB_PASSWORD | string | **** | This is the password of the mysql DB server |
The following are parameters set in application settings:
parameter | type | default value | description |
---|---|---|---|
EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
EL_Port | string | 9200 | Short term storage (elasticsearch) port |
LIC_PATH | string | /var/opt/cyberquest/dataacquisition/conf/lic | License file path |
CLEANUP_CRON | string | * * * | deprecated |
bulk_size | string | 2000 | Bulk size to send to short term storage (elasticsearch) |
no_of_threads | string | 3 | deprecated |
ServiceDebugLevel | string | 2 | Debug level: 0 = FATAL ERROR and ERROR messages, 1 = WARNING messages, 2 = INFO messages, 3 = DEBUG messages |
RMQ_host | string | 127.0.0.1 | Address of the queuing services |
RMQ_username | string | cq | Username of the queuing services |
RMQ_password | string | ** | Encrypted password of the queuing services |
RMQ_queue | string | events | Queuing services incoming events queue name |
maxmindb_path | string | /var/opt/cyberquest/dataacquisition/bin/GeoIP.mmdb | Location of the maxmindb database file |
run_collection_servers | boolean | false | deprecated |
throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally. |
cache_path | string | /data/dataacquisition/cache/ | Cache files location |
collection_unique_keys | string | Computer,EventLog,agent_guid | Unique event identifier built from the enumerated fields, used to identify one asset |
el_shards | string | 2 | Template number of shards for short term storage |
use_http_ES_DA_client | string | 1 | Whether to use HTTP transport to the short term storage (elasticsearch); if false, data is sent through the queue service (fanout) instead |
sendRawData | string | 0 | Whether to send raw data to short term storage (elasticsearch) |
writeEventPath | string | 0 | Whether to send the event's path through the CQ system to short term storage (elasticsearch) |
validateDataForEL | string | 1 | deprecated |
GetterThreadNo | string | 3 | Number of threads to read from incoming events queue |
ParserThreadNo | string | 3 | Number of threads to parse data |
RMQPusherThreadNo | string | 2 | Number of threads to push data to queue service |
ELPusherThreadNo | string | 2 | Number of threads to push data to short term storage (elasticsearch) |
supressRawData | string | 1 | Whether to suppress raw data when sending to long term storage (datastorage) |
RedisServerURL | string | 127.0.0.1 | Memory based storage address |
RedisServerPORT | string | 6379 | Memory based storage port |
ResyncCache | string | 0 | Resync the cache used by the default parsers; setting it to 1 triggers a resync, after which it is reset to 0 |
UseDefaultParsers | string | 1 | Whether to use the internally defined parsers for all events |
EL_minim_free_space | string | 3072 | Minimum space available on disk used by short term storage (elasticsearch), in case of throttling |
Cache_minim_free_space | string | 3072 | Minimum space available on disk to write data, in case of throttling |
LoadDatabase | string | false | Whether to load the database stored in the sql folder |
debug_level | string | 1 | Debug level: 0 = FATAL ERROR and ERROR messages, 1 = WARNING messages, 2 = INFO messages, 3 = DEBUG messages |
Data Correlation
Service parameters which are found in service configuration files:
config.ini file
parameter | type | default value | description |
---|---|---|---|
Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
Config_DB_DB | string | config | This is the database name of the mysql DB server |
Config_DB_USER | string | root | This is the username of the mysql DB server |
Config_DB_PASSWORD | string | *** | This is the password of the mysql DB server |
The following are parameters set in application settings:
parameter | type | default value | description |
---|---|---|---|
AplicationGUID | string | 334CFC20-F2D3-A7D1-D3B7-DBB79ED69B5C | The server's globally unique ID, represented by 32 hexadecimal digits (lowercase or uppercase) displayed in five hyphen-separated groups in the form 8-4-4-4-12, 36 characters in total |
EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
EL_Port | string | 9200 | Short term storage (elasticsearch) port |
DebugLevel | string | 2 | Debug level: 0 = FATAL ERROR and ERROR messages, 1 = WARNING messages, 2 = INFO messages, 3 = DEBUG messages |
RMQueueAddress | string | 127.0.0.1 | Address of the queuing services |
RMQueuePort | string | 5672 | Port of the queuing services |
RMQueueUserName | string | cq | Username of the queuing services |
RMQueuePassword | string | ** | Encrypted password of the queuing services |
RMQueueName | string | DataCorrelation | Queuing services incoming events queue name |
throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
cache_path | string | /data/datacorrelation/cache/ | Cache files location |
RedisServerURL | string | 127.0.0.1 | Memory based storage address |
RedisServerPORT | string | 6379 | Memory based storage port |
restart | boolean | 0 | Restarts the data correlation service |
PercolatorThreadPoolSize | string | 3 | Thread pool size for the percolator |
PercolatorNumberOfContainers | string | 1 | Number of containers to be used to percolate |
Data Storage
Service parameters which are found in service configuration files:
conf.xml file
parameter | type | default value | description |
---|---|---|---|
dbDriver | string | com.mysql.jdbc.Driver | This is the driver of the mysql DB server |
dbUserName | string | root | This is the username of the mysql DB server |
dbPass | string | **** | This is the password of the mysql DB server |
dbUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the mysql DB server |
dbAlternateUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the alternate mysql DB server |
serverGuid | string | D39498A9-1C85-0379-1E78-C161E6FFEEEA | This is the Globally Unique Identifier (GUID) of the server |
The following are parameters set in application settings:
parameter | type | default value | description |
---|---|---|---|
maxEventsPerFile | string | 20000 | Specifies the maximum number of events allowed per stored file |
fileWriterTimeout | string | 60 | Specifies the timeout interval for the event writer |
mqUserName | string | cq | Specifies the administrative username for MQ service access |
mqPassword | string | **** | Specifies user's password for MQ service |
mqHost | string | 127.0.0.1 | Specifies the MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server |
mqVhost | string | / | Specifies the MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server |
mqPort | string | 5672 | Specifies the network communication port used by MQ service |
mqExchangeName | string | eventsExchange | Specifies the exchange name used by MQ service |
mqQueueName | string | jobCommands | Specifies the MQ queue name |
mqReceiveQueueType | string | fanout | Specifies the MQ Receive queue type |
mqRouting | string | agents | Specifies the routing path for message queues |
mqReceiveCommandExchangeName | string | eventsExchange | Specifies the MQ Receive command exchange name |
mqReceiveCommandQueueName | string | jobCommands | Specifies the MQ Receive command queue name |
mqReceiveCommandQueueType | string | direct | Specifies the MQ Receive command queue type |
mqReceiveCommandRouting | string | servers | Specifies the MQ Receive command routing path |
mqSendExchangeName | string | | Specifies the MQ Send exchange name |
mqSendQueueName | string | archive | Specifies the MQ Send queue name |
mqSendRouting | string | agents | Specifies the MQ Send routing path |
mqSendQueueType | string | direct | Specifies the MQ Send queue type |
encryptionPublicKeyFilePath | string | /var/opt/cyberquest/encryption/datastorage/public_key.txt | Specifies the file path for the defined public key |
encryptionPrivateKeyFilePath | string | /var/opt/cyberquest/encryption/datastorage/private_key.txt | Specifies the file path for the defined private key |
elasticClusterName | string | ES. | Specifies the Elasticsearch cluster name |
elasticHostName | string | 127.0.0.1 | Specifies the Elasticsearch host name |
encryptionPrivateKeyPassword | string | *** | Specifies the password for defined private key |
encryptionPrivateKeyPasswordPath | string | /var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt | Specifies the file path for the defined private key password |
fileImportThreads | string | 5 | Specifies how many threads are used for import |
mqQueueType | string | direct | Specifies the queue type |
mqReceiveExchangeName | string | DA.publish | Specifies the MQ Receive exchange name |
mqReceiveQueueName | string | DataStorage | Specifies the MQ Receive queue name |
mqReceiveRouting | string | agents | Specifies the MQ Receive routing key |
mqAlternateHost | string | 127.0.0.1 | Specifies the alternate host name to use if the current queue is dead |
mqVHost | string | / | Specifies the MQ Receive virtual host |
Windows Agent
You can find all configurable variables in the following table:
parameter | type | default value | description |
---|---|---|---|
eventSyncQueueSize | integer | 10000 | Number of events sent every 5 seconds |
compressData | boolean | true | Whether to compress event data |
encryptData | boolean | true | Whether to encrypt event data |
cleanupOlderLogsDays | integer | 7 | Automatic cleanup of agent logs older than this number of days |
throttleCollection | integer | 10000 | Threshold at which the agent gradually starts collecting fewer events (the value is the number of messages waiting in the CYBERQUEST processing server queue) |
mqHost | string | 192.168.200.128 | CYBERQUEST server host |
mqUserName | string | cq | CYBERQUEST server username |
mqPassword | string | VRW7Zl7RreWg9Q== | Hash of the CYBERQUEST server password |
HttpTransportUrl | string | false | Used for cloud deployments: the URL for sending data to the CYBERQUEST server cloud |
CLIENT_ACCESS_TOKEN | string | false | Authentication token for the CYBERQUEST server cloud |
mqUseSSL | boolean | false | Whether to use TLS on the whole connection to the CYBERQUEST server |
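As an added example (not part of the original documentation or the CYBERQUEST product), a small Python audit of the transport-related parameters that the Data Server and Windows Agent tables above have in common. It assumes the values live in a flat INI-style file with a single `[service]` section, which is a constructed layout; the parameter names and the documented defaults are taken from the tables.

```python
import configparser

# Constructed sample configuration. The INI layout is an assumption; the
# parameter names and default values come from the Data Server table.
SAMPLE_CONFIG = """
[service]
compressData = true
encryptData = false
mqHost = 127.0.0.1
mqPort = 5672
mqUseSSL = false
useHTTPSTransport = true
HttpTransportUrl = 127.0.0.1
CLIENT_ACCESS_TOKEN = DEFAULT_CLIENT-ACCESS-TOKEN
UDPListenIP = 0.0.0.0
debugLevel = 3
"""

# Documented default token for the HTTPS transport (Data Server table).
DOCUMENTED_DEFAULT_TOKEN = "DEFAULT_CLIENT-ACCESS-TOKEN"


def parse_config(text):
    """Parse the [service] section into a plain dict, keeping key case."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # parameter names are case-sensitive in the tables
    cp.read_string(text)
    return dict(cp["service"])


def is_true(value):
    return value.strip().lower() in ("true", "1")


def audit(params):
    """Return a list of findings; missing keys are evaluated at their documented default."""
    findings = []
    if not is_true(params.get("encryptData", "true")):
        findings.append("encryptData is false: event messages are sent unencrypted")
    if not is_true(params.get("mqUseSSL", "false")):
        findings.append("mqUseSSL is false: queue connection is not protected by TLS")
    if is_true(params.get("useHTTPSTransport", "false")):
        token = params.get("CLIENT_ACCESS_TOKEN", DOCUMENTED_DEFAULT_TOKEN)
        if token == DOCUMENTED_DEFAULT_TOKEN:
            findings.append("CLIENT_ACCESS_TOKEN is the documented default: HTTPS transport uses a well-known token")
    if params.get("UDPListenIP", "0.0.0.0") == "0.0.0.0":
        findings.append("UDPListenIP is 0.0.0.0: UDP collectors listen on every interface")
    if params.get("debugLevel", "0") == "3":
        findings.append("debugLevel is 3: DEBUG-level logging is enabled")
    return findings
```

Running `audit(parse_config(SAMPLE_CONFIG))` on the constructed sample reports all five weak settings; a configuration using the documented defaults still reports mqUseSSL and UDPListenIP.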