Service Parameters

Data Server

Service parameters which are found in service configuration files:

| parameter | type | default value | description |
|---|---|---|---|
| compressData | boolean | true | Message compression flag |
| encryptData | boolean | true | Message encryption flag |
| throttleCollection | string | "100000" | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
| mqHost | string | "127.0.0.1" | Address of the queuing services |
| mqPort | string | "5672" | Port of the queuing services |
| mqUserName | string | "cq" | Username of the queuing services |
| mqPassword | string | "*" | Encrypted password of the queuing services |
| mqUseSSL | boolean | false | Whether to use TLS for the queuing services |
| tenant | string | "" | Tenant name |
| useHTTPSTransport | boolean | false | Whether to use HTTPS transport instead of the message queue service |
| HttpTransportUrl | string | "127.0.0.1" | HTTPS transport URL |
| CLIENT_ACCESS_TOKEN | string | "DEFAULT_CLIENT-ACCESS-TOKEN" | HTTPS transport access token |
| UDPSyslogPort | string | "5140" | UDP syslog server port, with data processing |
| UnprocessedUDPSyslogPort | string | "5141" | UDP syslog server port, without data processing |
| TCPSyslogPortEn | boolean | true | TCP syslog server enable flag |
| TCPSyslogPort | string | "32004" | TCP syslog server port, with data processing |
| UDPNetflowPort | string | "2055" | UDP netflow capture server port |
| UDPCEFPort | string | "5142" | UDP CEF format server port |
| UDPIntrustPort | string | "5143" | UDP intrust format server port |
| UDPListenIP | string | "0.0.0.0" | IPv4 address on which the UDP servers listen |
| CacheMinimumFreeSpace | string | "2048" | Minimum space available on disk to write data, in case of throttling |
| MaximumContainerValue | string | "500000" | Maximum data stored in the container; if a UDP port is flooded, data will be discarded and an alert will be given |
| debugLevel | string | "0" | The debug level: 0 = FATAL ERROR and ERROR messages; 1 = WARNING messages; 2 = INFO messages; 3 = DEBUG messages |
| UDPSyslogPortEn | boolean | false | Enable flag for the UDP syslog server with data processing |
| UnprocessedUDPSyslogPortEn | boolean | false | |
| UDPNetflowPortEn | boolean | false | UDP netflow capture server enable flag |
| UDPCEFPortEn | boolean | false | UDP CEF format server enable flag |
| UDPIntrustPortEn | boolean | false | UDP intrust format server enable flag |
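
A check for the transport and listener settings in the Data Server table, as an added example that is not part of the product or its documentation: it flags combinations of the documented parameters that leave messages unencrypted, a default token in use, or UDP listeners bound to every interface. Passing the settings as a Python dict is an assumption (the page does not show the configuration file syntax), and the addresses in the sample are constructed.

```python
import ipaddress

# Documented Data Server defaults (from the table above) that affect transport security.
DEFAULTS = {
    "encryptData": "true", "mqHost": "127.0.0.1", "mqUseSSL": "false",
    "useHTTPSTransport": "false", "CLIENT_ACCESS_TOKEN": "DEFAULT_CLIENT-ACCESS-TOKEN",
    "UDPListenIP": "0.0.0.0", "UDPSyslogPortEn": "false",
    "UnprocessedUDPSyslogPortEn": "false", "UDPNetflowPortEn": "false",
    "UDPCEFPortEn": "false", "UDPIntrustPortEn": "false",
}
UDP_ENABLE_FLAGS = ["UDPSyslogPortEn", "UnprocessedUDPSyslogPortEn",
                    "UDPNetflowPortEn", "UDPCEFPortEn", "UDPIntrustPortEn"]


def as_bool(value):
    """Treat the string forms a config file may carry as booleans."""
    return str(value).strip().lower() in ("true", "1", "yes")


def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:          # a host name rather than an IP literal
        return host.strip().lower() == "localhost"


def audit(overrides):
    """Return findings for a Data Server config given as {parameter: value}."""
    cfg = {**DEFAULTS, **overrides}
    findings = []
    if not as_bool(cfg["encryptData"]):
        findings.append("encryptData: message encryption is disabled")
    if as_bool(cfg["useHTTPSTransport"]):
        # HTTPS transport replaces the queue, so the token is what matters here.
        if cfg["CLIENT_ACCESS_TOKEN"] == DEFAULTS["CLIENT_ACCESS_TOKEN"]:
            findings.append("CLIENT_ACCESS_TOKEN: documented default still in use")
    elif not is_loopback(cfg["mqHost"]) and not as_bool(cfg["mqUseSSL"]):
        findings.append("mqUseSSL: queue host is remote but TLS is off")
    enabled = [f for f in UDP_ENABLE_FLAGS if as_bool(cfg[f])]
    if enabled and cfg["UDPListenIP"] == "0.0.0.0":
        findings.append("UDPListenIP: all interfaces for " + ", ".join(enabled))
    return findings


if __name__ == "__main__":
    # Constructed sample: remote queue host (TEST-NET-1 address) and one UDP listener on.
    for finding in audit({"mqHost": "192.0.2.10", "UDPSyslogPortEn": "true"}):
        print(finding)
```

With the documented defaults alone the function returns no findings, because the queue host is loopback and every UDP listener is disabled.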

Data Acquisition

Service parameters which are found in service configuration files:

config.ini file
| parameter | type | default value | description |
|---|---|---|---|
| Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
| Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
| Config_DB_DB | string | config | This is the database name of the mysql DB server |
| Config_DB_USER | string | root | This is the username of the mysql DB server |
| Config_DB_PASSWORD | string | **** | This is the password of the mysql DB server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
| EL_Port | string | 9200 | Short term storage (elasticsearch) port |
| LIC_PATH | string | /var/opt/cyberquest/dataacquisition/conf/lic | License file path |
| CLEANUP_CRON | string | * * * | deprecated |
| bulk_size | string | 2000 | Bulk size to send to short term storage (elasticsearch) |
| no_of_threads | string | 3 | deprecated |
| ServiceDebugLevel | string | 2 | The debug level: 0 = FATAL ERROR and ERROR messages; 1 = WARNING messages; 2 = INFO messages; 3 = DEBUG messages |
| RMQ_host | string | 127.0.0.1 | Address of the queuing services |
| RMQ_username | string | cq | Username of the queuing services |
| RMQ_password | string | ** | Encrypted password of the queuing services |
| RMQ_queue | string | events | Queuing services incoming events queue name |
| maxmindb_path | string | /var/opt/cyberquest/dataacquisition/bin/GeoIP.mmdb | Location of the maxmindb database file |
| run_collection_servers | boolean | false | deprecated |
| throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally. |
| cache_path | string | /data/dataacquisition/cache/ | Cache files location |
| collection_unique_keys | string | Computer,EventLog,agent_guid | Unique event identifier built from the enumerated fields, used to identify one asset |
| el_shards | string | 2 | Template number of shards for short term storage |
| use_http_ES_DA_client | string | 1 | Whether to use HTTP transport for short term storage (elasticsearch); if false, data is transported by other means via the queue service (fanout) |
| sendRawData | string | 0 | Whether to send raw data to short term storage (elasticsearch) |
| writeEventPath | string | 0 | Whether to send the path of the event in the CQ system to short term storage (elasticsearch) |
| validateDataForEL | string | 1 | deprecated |
| GetterThreadNo | string | 3 | Number of threads to read from the incoming events queue |
| ParserThreadNo | string | 3 | Number of threads to parse data |
| RMQPusherThreadNo | string | 2 | Number of threads to push data to the queue service |
| ELPusherThreadNo | string | 2 | Number of threads to push data to short term storage (elasticsearch) |
| supressRawData | string | 1 | Whether to delete raw data when sending to long term storage (datastorage) |
| RedisServerURL | string | 127.0.0.1 | Memory based storage address |
| RedisServerPORT | string | 6379 | Memory based storage port |
| ResyncCache | string | 0 | Resync the cache if it is used in the default parsers; the value is reset to 0 after being set to 1 |
| UseDefaultParsers | string | 1 | Whether to use the internally defined parsers for all events |
| EL_minim_free_space | string | 3072 | Minimum space available on disk used by short term storage (elasticsearch), in case of throttling |
| Cache_minim_free_space | string | 3072 | Minimum space available on disk to write data, in case of throttling |
| LoadDatabase | string | false | Whether to load the database stored in the sql folder |
| debug_level | string | 1 | The debug level: 0 = FATAL ERROR and ERROR messages; 1 = WARNING messages; 2 = INFO messages; 3 = DEBUG messages |

Data Correlation

Service parameters which are found in service configuration files:

config.ini file
| parameter | type | default value | description |
|---|---|---|---|
| Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
| Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
| Config_DB_DB | string | config | This is the database name of the mysql DB server |
| Config_DB_USER | string | root | This is the username of the mysql DB server |
| Config_DB_PASSWORD | string | *** | This is the password of the mysql DB server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| AplicationGUID | string | 334CFC20-F2D3-A7D1-D3B7-DBB79ED69B5C | This is the server global unique ID, represented by 32 lowercase/uppercase hexadecimal digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12, for a total of 36 characters |
| EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
| EL_Port | string | 9200 | Short term storage (elasticsearch) port |
| DebugLevel | string | 2 | The debug level: 0 = FATAL ERROR and ERROR messages; 1 = WARNING messages; 2 = INFO messages; 3 = DEBUG messages |
| RMQueueAddress | string | 127.0.0.1 | Address of the queuing services |
| RMQueuePort | string | 5672 | Port of the queuing services |
| RMQueueUserName | string | cq | Username of the queuing services |
| RMQueuePassword | string | ** | Encrypted password of the queuing services |
| RMQueueName | string | DataCorrelation | Queuing services incoming events queue name |
| throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
| cache_path | string | /data/datacorrelation/cache/ | Cache files location |
| RedisServerURL | string | 127.0.0.1 | Memory based storage address |
| RedisServerPORT | string | 6379 | Memory based storage port |
| restart | bool | 0 | Restarts the data correlation service |
| PercolatorThreadPoolSize | string | 3 | Thread pool size for the percolator |
| PercolatorNumberOfContainers | string | 1 | Number of containers to be used to percolate |

Data Storage

Service parameters which are found in service configuration files:

conf.xml file
| parameter | type | default value | description |
|---|---|---|---|
| dbDriver | string | com.mysql.jdbc.Driver | This is the driver of the mysql DB server |
| dbUserName | string | root | This is the username of the mysql DB server |
| dbPass | string | **** | This is the password of the mysql DB server |
| dbUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the mysql DB server |
| dbAlternateUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the alternate mysql DB server |
| serverGuid | string | D39498A9-1C85-0379-1E78-C161E6FFEEEA | This is the Globally Unique Identifier (GUID) of the server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| maxEventsPerFile | string | 20000 | Specifies the maximum number of events allowed per stored file |
| fileWriterTimeout | string | 60 | Specifies the timeout interval for the event writer |
| mqUserName | string | cq | Specifies the administrative username for MQ service access |
| mqPassword | string | **** | Specifies the user's password for the MQ service |
| mqHost | string | 127.0.0.1 | Specifies the MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server |
| mqVhost | string | / | Specifies the MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server |
| mqPort | string | 5672 | Specifies the network communication port used by the MQ service |
| mqExchangeName | string | eventsExchange | Specifies the exchange name used by the MQ service |
| mqQueueName | string | jobCommands | Specifies the MQ queue name |
| mqReceiveQueueType | string | fanout | Specifies the MQ Receive queue type |
| mqRouting | string | agents | Specifies the routing path for message queues |
| mqReceiveCommandExchangeName | string | eventsExchange | Specifies the MQ Receive command exchange name |
| mqReceiveCommandQueueName | string | jobCommands | Specifies the MQ Receive command queue name |
| mqReceiveCommandQueueType | string | direct | Specifies the MQ Receive command queue type |
| mqReceiveCommandRouting | string | servers | Specifies the MQ Receive command routing path |
| mqSendExchangeName | string | | Specifies the MQ Send exchange name |
| mqSendQueueName | string | archive | Specifies the MQ Send queue name |
| mqSendRouting | string | agents | Specifies the MQ Send routing path |
| mqSendQueueType | string | direct | Specifies the MQ Send queue type |
| encryptionPublicKeyFilePath | string | /var/opt/cyberquest/encryption/datastorage/public_key.txt | Specifies the file path for the defined public key |
| encryptionPrivateKeyFilePath | string | /var/opt/cyberquest/encryption/datastorage/private_key.txt | Specifies the file path for the defined private key |
| elasticClusterName | string | ES. | Specifies the Elasticsearch cluster name |
| elasticHostName | string | 127.0.0.1 | Specifies the Elasticsearch host name |
| encryptionPrivateKeyPassword | string | *** | Specifies the password for the defined private key |
| encryptionPrivateKeyPasswordPath | string | /var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt | Specifies the file path for the defined private key password |
| fileImportThreads | string | 5 | Specifies how many threads are used for import |
| mqQueueType | string | direct | Specifies the queue type |
| mqReceiveExchangeName | string | DA.publish | Specifies the MQ Receive exchange name |
| mqReceiveQueueName | string | DataStorage | Specifies the MQ Receive queue name |
| mqReceiveRouting | string | agents | Specifies the MQ Receive routing key |
| mqAlternateHost | string | 127.0.0.1 | Specifies the alternate host name to use if the current queue is dead |
| mqVHost | string | / | Specifies the MQ Receive virtual host |

Windows Agent

You can find all configurable variables in the following table:

| parameter | type | default value | description |
|---|---|---|---|
| eventSyncQueueSize | integer | 10000 | Number of events sent every 5 seconds |
| compressData | boolean | true | Whether to compress event data |
| encryptData | boolean | true | Whether to encrypt event data |
| cleanupOlderLogsDays | integer | 7 | Automatic cleanup of agent logs |
| throttleCollection | integer | 10000 | Threshold at which it will gradually start to collect fewer events (this value is given by how many messages are waiting in the CYBERQUEST processing server queue) |
| mqHost | string | 192.168.200.128 | CYBERQUEST server host |
| mqUserName | string | cq | CYBERQUEST server username |
| mqPassword | string | VRW7Zl7RreWg9Q== | Hash of the CYBERQUEST server password |
| HttpTransportUrl | string | false | Used for cloud deployments; URL for sending data to the CYBERQUEST server cloud |
| CLIENT_ACCESS_TOKEN | string | false | Authentication token for the CYBERQUEST server cloud |
| mqUseSSL | boolean | false | Whether to encrypt the whole connection to the CYBERQUEST server |