The event forwarding engine provides the following performance counters on the InTrust server where it runs:
By analyzing these counters in the Performance Monitor, you can diagnose event forwarding problems and tailor your forwarded event traffic to your available bandwidth. See the following examples:
|
What the counters show |
What it might mean |
|---|---|
|
There are roughly as many forwarded events as processed events. |
You are forwarding everything, which may not be what you really want. You could reduce SIEM costs by using forwarding filters. |
|
The rate of forwarded bytes per second is very high for the bandwidth you have available. |
You can save bandwidth by using forwarding filters. |
|
There seems to be zero forwarding activity according to the counters. |
Your current forwarding filters may be too restrictive. Try reconfiguring them. |
InTrust provides several organization parameters as a way to tweak the operation of the event forwarding system. These parameters are organization-wide and affect all InTrust servers in the organization.
For details about where to change the parameters, see Organization Parameter Editor.
|
Organization parameter |
Details |
|---|---|
|
FORWARDING_MAX_SESSION_DURATION_SECONDS |
This is the time-to-live of a TCP connection in seconds. By default, there is no limit. The value of this parameter cannot be lower than one-tenth the system TcpTimedWaitDelay value, which is defined manually (as DWORD) in the HKEY_LOCAL_ MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key and is assumed to be 120 seconds by default. Therefore, you should not set the value of FORWARDING_MAX_SESSION_DURATION_SECONDS lower than 12. |
|
FORWARDING_SESSION_KEEP_ALIVE_SECONDS |
This is the interval in seconds for sending keep-alive packets over an idle TCP connection. |
|
FORWARDING_MESSAGE_FRAMING |
Whether to perform non-transparent (0) or octet-counting (1) message transfer, as detailed in RFC 6578. |
|
FORWARDING_RETENTION_EXPIRATION_PERIOD_SECONDS |
How old (in seconds) data must be to be marked for deletion. When data reaches this age, you get a warning in InTrust Deployment Manager. The default value is 86400 (24 hours). |
|
FORWARDING_RETENTION_ENFORCEMENT_PERIOD_SECONDS |
How long (in seconds) old data must still be available after it is marked for deletion. When this time elapses, the data is actually deleted. The default value is 86400 (24 hours). |
© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
