Service Parameters
Data Server
Service parameters which are found in service configuration files:
| parameter | type | default value | description |
|---|---|---|---|
| compressData | boolean | true | Message compression flag |
| encryptData | boolean | true | Message encryption flag |
| throttleCollection | string | "100000" | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
| mqHost | string | "127.0.0.1" | Address of the queuing services |
| mqPort | string | "5672" | Port of the queuing services |
| mqUserName | string | "cq" | Username of the queuing services |
| mqPassword | string | "*" | Encrypted password of the queuing services |
| mqUseSSL | boolean | false | Whether use tls queue services |
| tenant | string | "" | Tenant name |
| useHTTPSTransport | boolean | false | Whether use https transport instead of message queue service |
| HttpTransportUrl | string | "127.0.0.1" | Https transport url |
| CLIENT_ACCESS_TOKEN | string | "DEFAULT_CLIENT-ACCESS-TOKEN" | Https transport access token |
| UDPSyslogPort | string | "5140" | UDP syslog server port with process of data |
| UnprocessedUDPSyslogPort | string | "5141" | UDP syslog server port without process of data |
| TCPSyslogPortEn | boolean | true | TCP syslog server enable flag |
| TCPSyslogPort | string | "32004" | TCP syslog server port with process of data |
| UDPNetflowPort | string | "2055" | UDP netflow capture server port |
| UDPCEFPort | string | "5142" | UDP CEF format server port |
| UDPIntrustPort | string | "5143" | UDP intrust format server port |
| UDPListenIP | string | "0.0.0.0" | IPv4 Address For UDP servers to listen |
| CacheMinimumFreeSpace | string | "2048" | Minimum space available on disk to write data, in case of throttling |
| MaximumContainerValue | string | "500000" | Maximum data stored in container, if flodded udp port data will be discarded and alert will be given |
| debugLevel | string | "0" | The debug level as 0-FATAL ERROR,ERROR messages 1-WARNING messages 2-INFO messages 3-DEBUG messages |
| UDPSyslogPortEn | boolean | false | UDP syslog server port with process of data enable |
| UnprocessedUDPSyslogPortEn | boolean | false | |
| UDPNetflowPortEn | boolean | false | UDP netflow capture server enable |
| UDPCEFPortEn | boolean | false | UDP CEF format server enable |
| UDPIntrustPortEn | boolean | false | UDP intrust format server enable |
Data Acquisition
Service parameters which are found in service configuration files:
config.ini file
| parameter | type | default value | description |
|---|---|---|---|
| Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
| Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
| Config_DB_DB | string | config | This is the database name of the mysql DB server |
| Config_DB_USER | string | root | This is the username of the mysql DB server |
| Config_DB_PASSWORD | string | **** | This is the password of the mysql DB server |
The following are parameters set in application settings:
| parameter | type | default value | description |
|---|---|---|---|
| EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
| EL_Port | string | 9200 | Short term storage (elasticsearch) port |
| LIC_PATH | string | /var/opt/cyberquest/ dataacquisition/conf/lic |
License file path |
| CLEANUP_CRON | string | * * * | deprecated |
| bulk_size | string | 2000 | Bulk size to send to short term storage (elasticsearch) |
| no_of_threads | string | 3 | deprecated |
| ServiceDebugLevel | string | 2 | The debug level as 0-FATAL ERROR,ERROR messages 1-WARNING messages 2-INFO messages 3-DEBUG messages |
| RMQ_host | string | 127.0.0.1 | Address of the queuing services |
| RMQ_username | string | cq | Username of the queuing services |
| RMQ_password | string | ** | Encrypted password of the queuing services |
| RMQ_queue | string | events | Queuing services incoming events queue name |
| maxmindb_path | string | /var/opt/cyberquest/ dataacquisition/bin/GeoIP.mmdb |
Location of maxmindb database file |
| run_collection_servers | boolean | false | deprecated |
| throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally. |
| cache_path | string | /data/dataacquisition/cache/ | Cache files location |
| collection_unique_keys | string | Computer,EventLog,agent_guid | Unique event identifier based of fields enumerated, to identify one asset |
| el_shards | string | 2 | Template number of shards for short term storage |
| use_http_ES_DA_client | string | 1 | Whether use http transport for Short term storage (elasticsearch), if false transport will be used by other means via queue service (fanout) |
| sendRawData | string | 0 | Whether send raw data to short term storage (elasticsearch) |
| writeEventPath | string | 0 | Whether send path of the event in CQ system to short term storage (elasticsearch) |
| validateDataForEL | string | 1 | deprecated |
| GetterThreadNo | string | 3 | Number of threads to read from incoming events queue |
| ParserThreadNo | string | 3 | Number of threads to parse data |
| RMQPusherThreadNo | string | 2 | Number of threads to push data to queue service |
| ELPusherThreadNo | string | 2 | Number of threads to push data to short term storage (elasticsearch) |
| supressRawData | string | 1 | Whether delete raw data to send to long term storage (datastorage) |
| RedisServerURL | string | 127.0.0.1 | Memory based storage address |
| RedisServerPORT | string | 6379 | Memory based storage port |
| ResyncCache | string | 0 | Resync cache if used in default parsers, it will be reset to 0 after setting it to 1 |
| UseDefaultParsers | string | 1 | Whether use internal defined parsers for all events |
| EL_minim_free_space | string | 3072 | Minimum space available on disk used by short term storage (elasticsearch), in case of throttling |
| Cache_minim_free_space | string | 3072 | Minimum space available on disk to write data, in case of throttling |
| LoadDatabase | string | false | Whether load database stored in sql folder |
| debug_level | string | 1 | The debug level as 0-FATAL ERROR,ERROR messages 1-WARNING messages 2-INFO messages 3-DEBUG messages |
Data Correlation
Service parameters which are found in service configuration files:
config.ini file
| parameter | type | default value | description |
|---|---|---|---|
| Alternate_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the alternate mysql DB server |
| Config_DB_HOST | string | tcp://127.0.0.1:3306 | This is the address of the mysql DB server |
| Config_DB_DB | string | config | This is the database name of the mysql DB server |
| Config_DB_USER | string | root | This is the username of the mysql DB server |
| Config_DB_PASSWORD | string | *** | This is the password of the mysql DB server |
The following are parameters set in application settings:
| parameter | type | default value | description |
|---|---|---|---|
| AplicationGUID | string | 334CFC20-F2D3-A7D1-D3B7-DBB79ED69B5C | This is the Server global unique ID , is represented by 32 lowercase/uppercase hexadecimal digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters |
| EL_Url | string | 127.0.0.1 | Short term storage (elasticsearch) address |
| EL_Port | string | 9200 | Short term storage (elasticsearch) port |
| DebugLevel | string | 2 | The debug level as 0-FATAL ERROR,ERROR messages 1-WARNING messages 2-INFO messages 3-DEBUG messages |
| RMQueueAddress | string | 127.0.0.1 | Address of the queuing services |
| RMQueuePort | string | 5672 | Port of the queuing services |
| RMQueueUserName | string | cq | Username of the queuing services |
| RMQueuePassword | string | ** | Encrypted password of the queuing services |
| RMQueueName | string | DataCorrelation | Queuing services incoming events queue name |
| throttle_queue | string | 100000 | Number of events stored in the message queue at which it will stop send events. All events will be cached locally |
| cache_path | string | /data/datacorrelation/cache/ | Cache files location |
| RedisServerURL | string | 127.0.0.1 | Memory based storage address |
| RedisServerPORT | string | 6379 | Memory based storage port |
| restart | bool | 0 | Restarts data correlation service |
| PercolatorThreadPoolSize | string | 3 | Threadpool for percolator |
| PercolatorNumberOfContainers | string | 1 | Number of containers to be used to percolate |
Data Storage
Service parameters which are found in service configuration files:
conf.xml file
| parameter | type | default value | description |
|---|---|---|---|
| dbDriver | string | com.mysql.jdbc.Driver | This is the driver of the mysql DB server |
| dbUserName | string | root | This is the username of the mysql DB server |
| dbPass | string | **** | This is the password of the mysql DB server |
| dbUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the mysql DB server |
| dbAlternateUrl | string | jdbc:mysql://127.0.0.1:3306/config | This is the address of the alternate mysql DB server |
| serverGuid | string | D39498A9-1C85-0379-1E78-C161E6FFEEEA | This is the Globally Unique IDentifier(GUID) of server |
The following are parameters set in application settings:
| parameter | type | default value | description |
|---|---|---|---|
| maxEventsPerFile | string | 20000 | Specifies the maximum number of events allowed per stored file |
| fileWriterTimeout | string | 60 | Specifies the timeout interval for the event writer |
| mqUserName | string | cq | Specifies the administrative username for MQ service access |
| mqPassword | string | **** | Specifies user's password for MQ service |
| mqHost | string | 127.0.0.1 | Specifies the MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server |
| mqVhost | string | / | Specifies the MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server |
| mqPort | string | 5672 | Specifies the network communication port used by MQ service |
| mqExchangeName | string | eventsExchange | Specifies the exchange name used by MQ service |
| mqQueueName | string | jobCommands | Specifies the MQ queue name |
| mqReceiveQueueType | string | fanout | Specifies the MQ Receive queue type |
| mqRouting | string | agents | Specifies the routing path for message queues |
| mqReceiveCommandExchangeName | string | eventsExchange | Specifies the MQ Receive command exchange name |
| mqReceiveCommandQueueName | string | jobCommands | Specifies the MQ Receive command queue name |
| mqReceiveCommandQueueType | string | direct | Specifies the MQ Receive command queue type |
| mqReceiveCommandRouting | string | servers | Specifies the MQ Receive command routing path |
| mqSendExchangeName | string | Specifies the MQ Send exchange name | |
| mqSendQueueName | string | archive | Specifies the MQ Send queue name |
| mqSendRouting | string | agents | Specifies the MQ Send routing path |
| mqSendQueueType | string | direct | Specifies the MQ Send queue type |
| encryptionPublicKeyFilePath | string | /var/opt/cyberquest/ encryption/datastorage/ public_key.txt |
Specifies the file path for defined public key |
| encryptionPrivateKeyFilePath | string | /var/opt/cyberquest/ encryption/datastorage/ private_key.txt |
Specifies the file path for defined private key |
| elasticClusterName | string | ES. | Specifies the Elasticsearch cluster name |
| elasticHostName | string | 127.0.0.1 | Specifies the Elasticsearch host name |
| encryptionPrivateKeyPassword | string | *** | Specifies the password for defined private key |
| encryptionPrivateKeyPasswordPath | string | /var/opt/cyberquest/ encryption/datastorage/ privateKeyPassword.txt |
Specifies the file path for defined private key password |
| fileImportThreads | string | 5 | Specifies how many threads are used for import |
| mqQueueType | string | direct | Specifies the queue type |
| mqReceiveExchangeName | string | DA.publish | Specifies the MQ Receive exchange name |
| mqReceiveQueueName | string | DataStorage | Specifies the MQ Receive queue name |
| mqReceiveRouting | string | agents | Specifies the MQ Receive routing key |
| mqAlternateHost | string | 127.0.0.1 | Specifies the alternate host name to use if the current queue is dead |
| mqVHost | string | / | Specifies the MQ Receive virtual host |
Windows Agent
You can find all configurable variables in the following table:
| parameter | type | default value | description |
|---|---|---|---|
| eventSyncQueueSize | integer | 10000 | Number of events sent every 5 seconds |
| compressData | boolean | true | Compress event data or not |
| encryptData | boolean | true | Encrypt event data or not |
| cleanupOlderLogsDays | integer | 7 | Automatic cleanup on agent logs |
| throttleCollection | integer | 10000 | Threshold at with it will gradually start to collect less events (this value is given by how many messages are waiting in the CYBERQUEST processing server queue) |
| mqHost | string | 192.168.200.128 | CYBERQUEST server host |
| mqUserName | string | cq | CYBERQUEST server username |
| mqPassword | string | VRW7Zl7RreWg9Q== | Hash of the CYBERQUEST server password |
| HttpTransportUrl | string | false | Used for cloud deployments and url for sending data to the CYBERQUEST server cloud |
| CLIENT_ACCESS_TOKEN | string | false | Authentication token for the CYBERQUEST server cloud |
| mqUseSSL | boolean | false | Use encrypting on the whole connection to the CYBERQUEST server or not |