InTrust 11.6.1 - Integration into SIEM Solutions Through Event Forwarding

Chatee ahora con Soporte

Obtener ayuda en vivo
Completar registro

Iniciar sesión

Solicitar precios

Comuníquese con Ventas

Integration into SIEM Solutions Through Syslog Forwarding

Turning Forwarding On and Off Data Conversion Formats Recommended Event Forwarding Scenario Event Filtering Example: Set Up Forwarding to SecureWorks Example: Set Up Forwarding to Splunk Example: Mirroring InTrust Real-Time Alerts in SIEM How Event Forwarding Statistics Can Help You Fine-Tuning Forwarding with Organization Parameters

How Event Forwarding Statistics Can Help You

The event forwarding engine provides the following performance counters on the InTrust server where it runs:

Forwarded Events
Forwarded Events/sec
Processed Events
Processed Events/sec
Forwarded Bytes
Forwarded Bytes/sec

By analyzing these counters in the Performance Monitor, you can diagnose event forwarding problems and tailor your forwarded event traffic to your available bandwidth. See the following examples:

What the counters show	What it might mean
There are roughly as many forwarded events as processed events.	You are forwarding everything, which may not be what you really want. You could reduce SIEM costs by using forwarding filters.
The rate of forwarded bytes per second is very high for the bandwidth you have available.	You can save bandwidth by using forwarding filters.
There seems to be zero forwarding activity according to the counters.	Your current forwarding filters may be too restrictive. Try reconfiguring them.

Fine-Tuning Forwarding with Organization Parameters

InTrust provides several organization parameters as a way to tweak the operation of the event forwarding system. These parameters are organization-wide and affect all InTrust servers in the organization.

For details about where to change the parameters, see Organization Parameter Editor.

Organization parameter	Details
FORWARDING_MAX_SESSION_DURATION_SECONDS	This is the time-to-live of a TCP connection in seconds. By default, there is no limit. The value of this parameter cannot be lower than one-tenth the system TcpTimedWaitDelay value, which is defined manually (as DWORD) in the HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and is assumed to be 120 seconds by default. Therefore, you should not set the value of FORWARDING_MAX_SESSION_DURATION_SECONDS lower than 12.
FORWARDING_SESSION_KEEP_ALIVE_SECONDS	This is the interval in seconds for sending keep-alive packets over an idle TCP connection.
FORWARDING_MESSAGE_FRAMING	Whether to perform non-transparent (0) or octet-counting (1) message transfer, as detailed in RFC 6578.
FORWARDING_RETENTION_EXPIRATION_PERIOD_SECONDS	How old (in seconds) data must be to be marked for deletion. When data reaches this age, you get a warning in InTrust Deployment Manager. The default value is 86400 (24 hours).
FORWARDING_RETENTION_ENFORCEMENT_PERIOD_SECONDS	How long (in seconds) old data must still be available after it is marked for deletion. When this time elapses, the data is actually deleted. The default value is 86400 (24 hours).

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

Seleccione su producto:

Con el fin de ofrecerle un mejor servicio, complete el campo Motivo del chat:

Soluciones recomendadas para su problema

InTrust 11.6.1 - Integration into SIEM Solutions Through Event Forwarding

How Event Forwarding Statistics Can Help You

Fine-Tuning Forwarding with Organization Parameters