- Open the NetMon Web Management interface.
- On the top navigation bar, click Configuration, and then click the Engine tab.
Change any of the parameters, as described in the following table. If you are entering size values, specify the size by entering Bytes, KB, MB, GB, or TB.
If you want to see default values for each field, click the Show Defaults button in the upper-right corner of the page.
Sets the number of threads to be used by the NetMon processing engine. On new installs, the number of threads is set automatically to the calculated recommended number. On upgraded systems, you can see this number by clicking Show Defaults at the top-right corner of the Engine page. If the optimal value differs from the current setting, the default button is highlighted in orange. To set the default, click the default button, and then click Apply Changes.Do not change this value without the help of LogRhythm Support.
Sets the timeout in milliseconds for the Engine's packet capture from the network tap. The default is 1 millisecond. If you notice a problem with dropped packets in the Engine, you can adjust the Input Timeout to a higher number (up to 30 milliseconds).
Input Buffer Size
Defines the input buffer size of the Engine's packet capture, in megabytes. The default is 256 MB. If you notice a problem with dropped packets, you can adjust the Input Buffer Size to a higher number. Values can range from 1 to 1,000 MB.
Worker Max Flow Limit
The maximum number of flows held in memory for each DPI thread.
Size for Small Queues
Size for Large Queues
System-wide value used for queues that do not require much memory (small) or require additional memory (large).
Flow Send Buffer
Flow Receive Buffer
Sets the raw number of flow messages that the Engine can queue between the processing threads (Flow Send Buffer) and the Rule Engine threads (Flow Receive Buffer). A flow is a collection of activity by a single user on a single application. The default is 10,000 flow messages. Values can range from 10 to 100,000 messages. If these parameters are set too high, memory is exhausted. If set too low, the packet processing may be impacted. Flows vary in size based on the quantity of metadata available. Sites with rich metadata (web sessions, Syslog, SMTP, and so on) cannot increase this number as much as sites with shorter metadata.Do not change this value without the help of LogRhythm Support.
Syslog Send Buffer
Syslog Receive Buffer
Sets the maximum number of messages that can be held in the queue if the receiving Agent is not available (for example, the Agent is offline). When these numbers are exceeded, NetMon begins dropping messages. To determine if any Syslog messages were dropped, you can view the Syslog Rate chart in Diagnostics > Interface. Values can range from 10 to 10,000 Syslog messages.Do not change this value without the help of LogRhythm Support. Values that are set too high could result in performance problems because too much memory might be consumed.
64 Byte Buffers (Tiny)
128 Byte Buffers (Small)
256 Byte Buffers (Med)
512 Byte Buffers (Large)
Sets the buffers for the Engine's memory allocation. Values can range from 200,000 to 8,000,000 buffers for each one. You can view the memory pools in the Diagnostics > Engine charts "Engine Memory Allocation." See Analyze Charts in Diagnostics.Do not change this value without the help of LogRhythm Support.
PCAP Write Trigger Time Limit (milliseconds)
The maximum period of time that the writer thread accumulates packets before writing them to disk in PCAP form.
PCAP Flush Trigger Time Limit (milliseconds)
The maximum period of time that the capturer thread accumulates packets before sending a bundle of packets to the writer thread.A flush to the writer thread triggers upon hitting this limit or the "PCAP Flush Trigger Max Size," whichever comes first.
PCAP Flush Trigger Max Size
The maximum number of packet bytes that the capturer thread accumulates before sending a bundle of packets to the writer thread.A flush to the writer thread triggers upon hitting this limit or the "PCAP Flush Trigger Time Limit," whichever comes first.
DPI Pool Max Free
Sets the maximum number of messages kept in free memory during Deep Packet Inspection (DPI). Values can range from 1 to 2,147,483,647 messages. The default is a maximum of 2,000 messages. You can adjust the DPI Pool Max and Min values to improve processing performance.
DPI Pool Min Free
Sets the minimum number of messages kept in free memory during Deep Packet Inspection (DPI). Values can range from 1 to 2,147,483,647 messages. The default is a minimum of 150 messages. You can adjust the DPI Pool Max and Min values to improve processing performance.
DPI Free Percentage
Sets the percentage of how many messages are kept in the free pool for Deep Packet Inspection (DPI). Values can range from 0.001 (0.1 percent) to 1 (100 percent). The default is 0.03 (3 percent). You can adjust this percentage to improve processing performance.
DPI Recycle Threshold
Sets the largest size in bytes for a message before NetMon deletes it. Values can range from 1,024 to 33,554,432 bytes. The default is 2 MB.
Report on Long Running Sessions (seconds)
Sets the interval that NetMon reports to the SIEM and to the Search database. For example, if this value is set to 10 minutes, a new record is generated every 10 minutes until the flow has ended, at which point, a final flow record is generated.
Metadata Index Queue Size
The size of the queue for sending data from the Indexer to Elastic Search.Do not change this value without the help of LogRhythm Support.
Max Repeated Metadata Field Count per Update
Sets a limit on the total number of repeated values for metadata fields that are sent to Elastic Search. By default, no limit is placed on the number of repeated values.Do not change this value without the help of LogRhythm Support.
Pre-Allocation Size of PCAP Chunks
The size of PCAP chunks that are written to disk.Do not change this value without the help of LogRhythm Support.
Pre-Allocation Number of PCAP Chunks
The number of PCAP chunks to send when writing to disk.Do not change this value without the help of LogRhythm Support.
Enable Basic DPI Mode
Turns Basic DPI Mode on or off. In Basic DPI Mode, the packet processing path for protocols tunneled over HTTP is expedited due to the reduced number of data structures that are used in the packet processing pipeline. In this mode, 95% of the protocols classified and attributes extracted remain unchanged.
A small number of protocols are affected, and only when tunneled over HTTP.
m anipang apple_airport babycenter baidu baofeng bbm_audio bbm_video bittorrent capwap dimp facetime filetopia ftp gmail gnutella google_ads google_gen gotomeeting groupwise http_tunnel ica jabber jedi mmse nba netflix opera_update owa ppfilm rss rtmp sharepoint_admin sharepoint_document skype soap spdy spotify ssh uusee yahoo ymail2 zalo
For example, when Yahoo chat is initiated over HTTP, Basic DPI Mode classifies the session as tcp.http instead of tcp.http.yahoo.Enabling Basic DPI Mode significantly reduces the amount of available metadata for the affected protocols. Most system rules do not generate alarms when running in Basic DPI Mode. Custom rules may also not generate alarms if they rely on metadata that is not generated through Basic DPI.Do not change this value without the help of LogRhythm Support.
Enable Classification-Only Mode
Turns Classification-Only mode on or off. When enabled, only the following metadata fields are captured:
CaptureRemoved, FlowCompleted, LatestUpdate, Written, FlowState, Application, ApplicationPath, DebugMessage, Delay, DestIP6, SrcIP6, PacketPath, Session, FlowType, ApplicationID, ChildFlowNumber, FlowSessionCount, DestIP, SrcIP, TotalPackets, DestPort, SrcPort, Protocol, ThreadID, DestBytes, DestBytesDelta, SrcBytes, SrcBytesDelta, TotalBytes, TotalBytesDelta, Duration, FieldCount, DestMAC, SrcMAC, MessageSize, PacketsDelta, TimeDelta, TimePrevious, TimeStart, TimeUpdated, CustomApplication, FieldCountIndexed, RepeatedFieldCount, FlowClassified, VlanID, HttpClientContent, HttpServerContentDo not change this value without the help of LogRhythm Support.
Enable Stateless Protocol Stitching
Turns stateless protocol stitching on or off. This feature consolidates stateless sessions (DNS over UDP) into sessions lasting 5 minutes by default. The length of the session is based on the Report on Long Running Sessions setting. Stateless protocol stitching is enabled by default.For in-depth analysis of DNS traffic, stateless protocol stitching should be disabled. However, for networks with DNS flow rates above 1,000 per second, disabling stateless protocol stitching can have significant, negative performance impact.
- When you are done making changes, click Apply Changes.