Modify Data Processor Advanced Properties
Make changes to the Data Processor Advanced Properties with extreme care! LogRhythm recommends that the Data Processor Advanced Properties only be modified with the assistance of LogRhythm Support, or by advanced users who have attended LogRhythm training.
To modify the advanced properties of a data processor:
- On the main toolbar, click Deployment Manager.
- Click the Data Processors tab.
- Double-click the Data Processor you want to configure.
- Click the Advanced button at the lower-left corner. 
 The Advanced Properties window appears.
- Find the component you want to configure and adjust the settings in the Value column according to the information in the following table. - Property - Range - Default - Description - AIE Provider: Provider - ClientAddress - IPv4/IPv6 address the AI Engine Data Provider will use to connect to the AI Communication Manager for data/management communications. Only use a static IP address. Do not use DHCP. - Default is blank (recommended.) - LocalLogLifeTime - 1-30 - 7 - Time to keep AI Engine Data Provider application logs (in days). - LogLevel - Warning - Sets the AI Engine Data Provider logging level. The log is written to the lraiedp.log file. - AIE Provider: Sending - CompressionStrength - 0-10 - 5 - The compression level to use when sending logs to the AI Engine Communication Manager. Values from 1-10 indicate the compression strength where 0 is off/no compression. Stronger compression requires more CPU to compress and uncompress the data. - FlushBatch - 1000-10000 - 1000 - The (maximum) number of logs that should be batched and sent to the AI Engine Communication Manager during each socket send. - MaxDataQueueSize - 10-2048 - 256 - The maximum size of the AI Engine Data Provider's in-memory data queue (in MB). When the queue size exceeds this amount, incoming logs will be buffered into spool files until the queue size is reduced. - MaxSpoolStorage - 0-1024 - 20 - The maximum amount of storage available to hold AI Engine Data Provider spooled data filed (in GB). When the amount of space the spool files occupy exceeds this amount, the oldest spool files will be deleted. - SendAfterXLogsQueued - 1-100000 - 100 - The threshold number of logs in the queue required to send logs to the AI Engine Communication Manager, independent of time. - SendAfterXSecondsElapsed - 1-3600 - 10 - The threshold number of records required to send logs to the AI Engine Communication Manager, independent of number of logs. - AIE Provider: TCP/IP - SocketConnectionTimeout - 1-300 - 120 - AI Engine Data Provider socket connection timeout (in seconds). - SocketDontLinger - Enabled - AI Engine Data Provider don't linger socket option. Close the socket gracefully without lingering. - SocketNoDelay - Enabled - AI Engine Data Provider no delay socket option. Disable the Nagle algorithm for send coalescing. - SocketReceiveBuffer - 16384-65535 - 65535 - AI Engine Data Provider socket receiver buffer (in bytes). - SocketReceiveTimeout - 1-300 - 60 - AI Engine Data Provider socket receive timeout (in seconds). - SocketReuseAddress - Enabled - AI Engine Data Provider reuse address socket option. Allow the socket to be bound to an address that is already in use. - SocketSendBuffer - 16384-65535 - 65535 - AI Engine Data Provider socket send buffer (in bytes). - SocketSendTimeout - 1-300 - 60 - AI Engine Data Provider socket send timeout (in seconds). - AIE Provider: TLS Security - AIEComMgrTLSCertOCSPURL - OCSP URL for AIE ComMgr TLS certificate revocation checking. - AIEDPTLSCertLocation - LocalMachine - AI Engine Data Provider TLS certificate location. Values: LocalMachine or CurrentUser - AIEDPTCertStore - MY - AI Engine Data Provider TLS certificate store. Values: MY or Root - AIEDPTLSCertSubject - AI Engine Data Provider TLS certificate subject. Example values: CN=10.1.0.79 or CN=lr-0872ed-msa or CN=lr-0872ed-msa.exampledomain.com. - EnforceAIEComMgrTLSCertRevocation - Disabled - Enforce AI Engine Communication Manager TLS certificate revocation check. - EnforceAIEComMgrTLSCertTrust - Disabled - Enforce AI Engine Communication Manager TLS certificate trusted authority check. - UseAIEDPTLSCert - Disabled - Enable AI Engine Data Provider client TLS certificate. - Mediator: DataIndexerProvider - DataLingerTimeoutMiliSec - 1-10000 - 1000 - The data socket linger timeout (in milliseconds). - DataQueueHighWaterMark - 10000-100000 - 100000 - The high water mark for the Data Indexer data queue. - DataSendTimeoutMilliSec - 0-10000 - 250 - The data socket send timeout (in milliseconds). - ParseQueueThreadCount - 1-25 - 3 - The maximum number of unparsed messages that will be serialized concurrently. - StatsLingerTimeoutMilliSec - 1-10000 - 1000 - The data socket linger timeout (in milliseconds). - StatsQueueHighWaterMark - 10000-100000 - 10000 - The high water mark for the Data Indexer stats queue. - StatsSendTimeoutMilliSec - 0-10000 - 0 - The stats socket send timeout (in milliseconds). - ThreadJoinTimeoutMilliSec - 1000-10000 - 5000 - The maximum amount of time to wait for the Data Indexer provider threads to exit on shutdown. - UnparsedItemsQueueSize - 10000-10000000 - 250000 - The number of unparsed reliable messages allowed to accumulate in memory before the Mediator goes into a Suspend state. - Mediator: General - ActiveArchivePath - C:\LogRhythmArchives \Active - Archiving directory path (full path to the directory in which archive files are written). If the requested directory does not exist, it is created. - ActiveArchiveProtection - File size and last modification date tracking - Active archive protection mode - File size and last modification date tracking
- No Protections
- Full SHA1 hashing of archive files
 - ArchiveAge - 1-7 - 7 - Maximum days an archive can live in active directory (in days). - ArchiveBatch - 1000-10000000 - 102400 - The number of logs that are allowed to build up in the archive queue before being processed by the archiver. - ArchiveByEntity - Disabled - Stores inactive archives according to entity structure. - ArchiveCompression - Enabled - Determines if inactive archive files are gzip compressed - ArchiveSize - 1024-131072 - 10240 - Maximum size for archive before moving to inactive directory (in KB). - ArchiveWriteThreadCount - 1-20 - 3 - The maximum number of archives that will be serialized and written to disk concurrently. - AutomaticLogSource ConfigurationNetflow - Disabled - Automatic Log Source Configuration (Netflow/J-Flow Sources). When enabled, the Data Processor automatically registers new message sources for NetFlow/J-Flow sending devices which can be automatically identified. - AutomaticLogSource ConfigurationsFlow - Disabled - Automatic Log Source Configuration (sFlow Sources). When enabled, the Data Processor automatically registers new message sources for sFlow sending devices which can be automatically identified. - AutomaticLogSource ConfigurationSNMPTimeout - 1-120 - 10 - Automatic Log Source Configuration (SNMP Discovery). Defines the timeout value (in seconds) for SNMP communications used in SNMP Device Identification. - AutomaticLogSource ConfigurationSNMPTrap - Disabled - Automatic Log Source Configuration (SNMP Trap Sources). When enabled, the Data Processor automatically registers new message sources for SNMP trap sending devices which can be automatically identified. - AutomaticLogSource ConfigurationSyslog - Disabled - Automatic Log Source Configuration (Syslog Sources). When enabled the Data Processor automatically registers new message sources for syslog sending devices which can be automatically identified. - ClientSocket ReceiveTimeout - 1000-7200000 - 60000 - Client socket receive timeout for Agent socket connections (in ms). - ClientSocketSendTimeout - 1000-7200000 - 60000 - Client socket send timeout for Agent socket connections (in ms). - ComponentVersion - The version of this LogRhythm component - ConnectionTimeout - 3-7200 - 120 - Connection timeout for Agent socket connections (in seconds). - InactiveArchivePath - C:\LogRhythmArchives \Inactive - Directory (full path) where the inactive archive files are written. If the requested directory does not exist, it is created. - InactiveArchiveProtection - Full SHA1 hashing of archive files - Inactive archive protection mode - File size and last modification date tracking
- No Protections
- Full SHA1 hashing of archive files
 - InactiveSubdirectory FileCount - 100-10000 - 10000 - Inactive archive subdirectory maximum file count. - LocalLogLifetime - 1-30 - 7 - The number of days to keep Mediator and MPE log files. - LogLevel - VERBOSE - Sets the Data Processor logging level (log written to scmedsvr.log) - MaxAgentUpdates - 1-10000 - 10 - The maximum number of concurrent Agent updates that can be delivered. - MaxConnections - 0-10000 - 100 - Maximum number of Agent connections to allow. - MaxLogArchivingRate - 0-10000 - 0 - Maximum rate at which logs can be archived. - MaxLogProcessingRate - 0-100000 - 0 - Maximum rate at which logs can be processed. - MaxLogReceiveRate - 0-100000 - 0 - Maximum rate at which logs can be received. - MaxServiceMemory - 512-65536 - 1024 - Maximum memory allowed for the Data Processor process (in MB). - MaxUnprocessed 
 DiskQueueSpace- 0-1000 - 100 - The maximum amount of space (in GB) to be used by the Unprocessed Log Disk Queue. A value of 0 indicates no maximum. - A warning event is written when 80% of the specified space is used. If the maximum is reached, the mediator goes into suspend mode. - MinAgentSocketSecurity - TLS 1.2 - Sets the minimum encryption standard to be used for Agent connections. - TLS 1.0: the Mediator generates a 1024-bit key. - Because this is an outdated version that has been improved upon by later versions, Exabeam does not recommend using this option. 
- TLS 1.2: the Mediator generates a 2048-bit key. This is the default and recommended option for all LogRhythm SIEM versions prior to 7.19.
- TLS 1.3: Newly added for LogRhythm SIEM version 7.19 is TLS 1.3. If the System Monitor and Data Processor both support TLS 1.3 (both are version 7.19 or higher), this option should be selected for the best performance and protection.
 - MinUnprocessed 
 DiskQueueSpace- 1-1000 - 1 - The minimum amount of space (in GB) that must be available on the volume that the Unprocessed Log Disk Queue spool files are being written to. - If the minimum is reached, the mediator goes into suspend mode. - ProcessPriority - Normal - Process priority for the Data Processor process. - QueueSize - 10000-500000 - 20000 - The maximum size of the archive queue and the unprocessed log queue. - SecondaryServerIP - An external facing IP address that an Agent can use to connect to the Mediator. This IP address will be used by Agents when they can't connect using the Primary Server IP address (ServerIP). The Secondary Server IP/Port must be forwarded to the Primary Server IP/Port by a firewall or router. - This parameter must be a static IP v4/v6 address with a maximum length of 45 or a DNS name with a maximum length of 255. DNS names are only supported for version 6.x System Monitors and later. - You must configure your firewall or router to forward this IP/Port to the Primary Server. This is important for deployments that use NAT. - SecondaryServerSSLPort - 1-65535 - 443 - The external facing IP port to use with the Secondary Server IP address. The Secondary Server IP/Port must be forwarded to the Primary Server IP/Port by a firewall or router. - ServerDNS - DNS address that agents will use to connect to this Data Processor. If this parameter is not specified, Agents uses the ServerIP address to connect to this Data Processor. - If you created custom certificates for the Mediator, this must match the DNS name specified in the custom certificate. - ServerIP - IPv4 address that the Data Processor listens on for Agent communications. This parameter must be a static IPv4 address with a maximum length of 16 - ServerIPv6 - IPv6 address that the Data Processor listens on for Agent communications. This parameter must be a static IPv6 address with a maximum length of 45. - ServerSSLPort - 1-65535 - 443 - Port that the Data Processor listens on for Agent communications. - TertiaryServerIP - An external facing IP address or DNS name that an Agent outside the network can use to connect to the Mediator. This IP address will be used by Agents when they can't connect using the Primary or Secondary Server IP addresses (ServerIP/SecondaryServerIP). The Tertiary Server IP/Port must be forwarded to the Primary Server IP/Port by a firewall or router. This parameter must be a static IP v4/v6 address with a maximum length of 45 or a DNS name with a maximum length of 255. DNS names are only supported for version 6.x System Monitors and later. - You must configure your firewall or router to forward this IP/Port to the Tertiary Server. This is important for deployments that use NAT. - TertiaryServerSSLPort - 1-65535 - 443 - The external facing IP port to use with the Tertiary Server IP address. The Tertiary Server IP/Port must be forwarded to the Primary Server IP/Port by a firewall or router. - Unprocessed 
 DiskQueueLocation- The directory where Data Processor unprocessed log disk queue spool files are written. - The default directory is the mediator state folder. After changing the directory location, any remaining spool files must be manually moved to the new location. - Mediator: InsertManagerEM - AllowAutomaticRateOverride - Enabled - Enable/disable automatic event insert rate override. - BatchInterval - 1-300 - 5 - This value determines how often (in seconds) batches are submitted to the Platform Manager database for insertion. - Max Insert Batch is determined at startup by the Max Insert Rate and Batch Interval. - DiskQueueLocation - The directory where Platform Manager Insert Manager disk queue spool files are written. - The default directory is the mediator state folder. After changing the directory location, any remaining spool files must be manually moved to the new location. - MaxAutomaticInsert 
 RateOverridePercent- 10-100 - 50 - The maximum override percentage that is applied to Max Insert Rate throttling level. - MaxEMInsert 
 DiskQueueSpace- 0-1000 - 100 - The maximum amount of space (in GB) to be used by the PM Insert Manager Disk Queue. A value of 0 indicates no maximum. - A warning event is written when 80% of the specified space is used. If the maximum is reached, the oldest spool files are deleted until the space used by the spool files is less than the specified maximum. - MaxInsertRate - 1-100000 - 3000 - This value determines the maximum number of Platform Manager logs that will be inserted per second. The insertion rate will not exceed this value. Note that this value is based on the performance profile of the system. - MinEMInsert 
 DiskQueueSpace- 1-1000 - 1 - The minimum of amount of space (in GB) that must be available on the volume that the PM Insert Disk Queue spool files are being written to. - If the minimum is reached, the oldest spool files are deleted until the space used by the spool files is above the specified minimum. - SystemMaxInsertBatch - 100-100000 - 50000 - This is a fixed constant that determines the maximum number of inserts the system will process in a single batch. - Mediator: LDS - LDSDistributionQueueSize - 1000-100000 - 10000 - Specify the size for each log distribution receiver queue. Every receiver has its own queue. If this queue reaches maximum size, logs will be dropped. However setting queue size too high could result in excessive memory utilization. - LDSDistributionThreadCount - 1-100 - 10 - Specify the number of threads to use for the log distribution receiver process. - LDSEngineQueueSize - 1000-500000 - 60000 - Specify the size of primary log distribution queue. If this queue reaches maximum size, logs will be dropped. However setting queue size too high could result in excessive memory utilization. - LDSEngineThreadCount - 1-100 - 5 - Specify the number of threads to use for the primary log distribution process. - Mediator: TLSCertificates - AgentTLSCertOCSPURL - The OCSP URL for Agent certificate revocation checking. - EnforceAgentTLSCert Revocation - Disabled - Enforce Agent Certificate Revocation Check. If this fails, the Mediator will disconnect from the Agent and logs will be written to the scmedsvr.log. - EnforceAgentTLSCertTrust - Disabled - Enforce Agent certificate Trusted Authority Check. If this fails, the Mediator will disconnect from the Agent and logs will be written to the scmedsvr.log. - MediatorTLSCertLocation - The location of the Windows certificate where the Mediator server certificates are installed--can be LocalMachine or CurrentUser. - MediatorTLSCertStore - The Windows certificate store where the Mediator server certificate is installed--can be MY or ROOT. - MediatorTLSCertSubject - The Subject of the server certificate that the Mediator should use (e.g., CN=190.1.2.123 or CN=lr-0870eds-msa or CN=lr-0870eds-msa.secious.com). - RequireAgentTLSCert - Disabled - Require agents to present a client certificate when connecting. - UseMediatorTLSCert - Disabled - If checked, the Mediator will use the specified server certificate when connecting with Agents; otherwise, the Mediator will use a self-generated/signed certificate (default). - Mediator: Unidirectional Agent - Enabled - Disabled - Check to enable unidirectional Agent communications with the Data Processor. - Mediator Port - 1-65535 - 40000 - Specifies the Data Processor port to use when running in Unidirectional Agent mode. - MPE: Engine - CacheSize_Dimension - 1000-1000000 - 10000 - Specify the size for the unique metadata value cache. There are nine metadata caches containing unique metadata values for processed log messages. The larger the queue size the more unique values will be stored in memory resulting in more efficient log processing. However setting queue size too high could result in excessive memory utilization. - CacheSize_Msg - 100000-5000000 - 200000 - Specify the size for the unique log message cache. The larger the queue size, the more unique log messages will be stored in memory resulting in more efficient online log storage. However setting queue size too high could result in excessive memory utilization. - DataAndIndexCompression - None - Specifies the level of compression to apply to data and indices. - This is obsolete in the current version and changing its value has no impact on indexing and compression. - DenormalizeLogMetadata - True - Setting this property to false reduces data transmission volume at the cost of normalizing enumerable values. Metadata fields such as Log Source Type and Common Event will be presented as ID numbers instead of readable text. Disabling this feature decreases the usability of downstream features such as Log Distribution Service and full text search. - DNSCachedRecordTTL - 5-1440 - 15 - The time to live for cached DNS Name to Known Host to IP host resolution records (in minutes). - DNSCacheMaintCycle - 1-60 - 5 - The frequency to launch DNS cache maintenance (in minutes). - DNSCacheRecord ExternalIPToNameTTL - 5-1440 - 15 - The time to live for cached DNS external IP to Name host resolution records (in minutes). - DNSCacheRecord InternalIPToNameTTL - 5-1440 - 5 - The time to live for cached DNS private/internal IP to Name host resolution records (in minutes). - DNSIPToName - Off - IP to Name DNS resolution mode. - Values: Off, Resolve All, Resolve Internal - Resolve IP addresses to their associated DNS names. - DNSLogLevel - Error - The logging level for the DNS resolution engine. - DNSNameToIP - Disabled - Resolve DNS names to their associated IP addresses. - DNSResolveMsgSourceHostIP - Enabled - Resolve host IP addresses when logs match a rule where the source or destination is assigned to the message source host. - GeoIPResolutionMode - None - The level of detail to resolve for Geographic IP lookup. - Options = None, Country, Region, and City. If this is left set to None, GeoIP location will not be resolved for logs or Network Visualization. - LogProcessingThreads - 1-50 - 10 - The number of log processing threads. - PerfOptimizedLogIndexing - Disabled - Enables or disables performance-optimized indexing of logs. - RulePerfLogSampleSize - 1-1000 - 10 - The minimum number of logs that must be processed before a rule will be disabled due to not meeting the minimum logs per second requirement. - RulePerfMinLogsPerSecond - 1-1000 - 50 - The minimum allowed average logs per second a rule must meet. - MPE: General - IdentityInference - Enabled - Enables or disables Identity Inference for the MPE (as long as Globally disabled). - LogLevel - WARNING - Sets the MPE logging level (log written to scmpe.log). - Options: Off, Error, Warning, Info, Verbose, Debug - MaintenanceInterval - 1-120 - 60 - How often to perform internal process maintenance (in seconds). - RulePerformanceStatsMode - Off - Rule performance statistics mode: 
 Off - no not write report (lps_detail.log) or data file (lps_stats.dat) locally or submit to LogRhythm (default).
 Local - write the report (lps_detail.log) and data file (lps_stats.dat) locally.
 Local and Send - write the Report (lps_detail.log) and data file (lps_stats.dat) locally and submit to LogRhythm.- RulePerformanceStats 
 SubmitInterval- 1-24 - 24 - How often to submit rule performance information to LogRhythm (in hours). The latest lps_detail.log and lps_stats.dat files will be submitted each interval. - MPE: LogMart - LogMartCommitInterval - 1-120 - 60 - How often (in seconds) the LogMart is updated with new data. - LogMartCommitTimeout - 1-120 - 40 - How long (in seconds) a single commit operation can take before timing out. - MPE: StatKeeper - StatkeeperCommitInterval HeartbeatInfo - 1-300 - 10 - How often (in seconds) heartbeat information is committed to the database. - StatKeeperCommitIntervalLogInfo - 1-300 - 60 - How often (in seconds) log collection statistics are committed to the database. - StatKeeperCommitTimeout - 30-120 - 30 - How long (in seconds) a single commit operation can take before timing out - StatKeeperEnabled - Enabled - Specify if StatKeeper should be enabled. 
