Documentation

Service Parameters

Data Server

Service parameters which are found in service configuration files:

| parameter | type | default value | description |
|---|---|---|---|
| `compressData` | boolean | `true` | Message compression flag |
| `encryptData` | boolean | `true` | Message encryption flag |
| `throttleCollection` | string | `"100000"` | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
| `mqHost` | string | `"127.0.0.1"` | Address of the queuing services |
| `mqPort` | string | `"5672"` | Port of the queuing services |
| `mqUserName` | string | `"cq"` | Username of the queuing services |
| `mqPassword` | string | `"*******"` | Encrypted password of the queuing services |
| `mqUseSSL` | boolean | `false` | Whether to use TLS for the queuing services |
| `tenant` | string | `""` | Tenant name |
| `useHTTPSTransport` | boolean | `false` | Whether to use HTTPS transport instead of the message queue service |
| `HttpTransportUrl` | string | `"127.0.0.1"` | HTTPS transport URL |
| `CLIENT_ACCESS_TOKEN` | string | `"DEFAULT_CLIENT-ACCESS-TOKEN"` | HTTPS transport access token |
| `UDPSyslogPort` | string | `"5140"` | UDP syslog server port, with data processing |
| `UnprocessedUDPSyslogPort` | string | `"5141"` | UDP syslog server port, without data processing |
| `TCPSyslogPortEn` | boolean | `true` | TCP syslog server enable flag |
| `TCPSyslogPort` | string | `"32004"` | TCP syslog server port, with data processing |
| `UDPNetflowPort` | string | `"2055"` | UDP netflow capture server port |
| `UDPCEFPort` | string | `"5142"` | UDP CEF format server port |
| `UDPIntrustPort` | string | `"5143"` | UDP intrust format server port |
| `UDPListenIP` | string | `"0.0.0.0"` | IPv4 address for the UDP servers to listen on |
| `CacheMinimumFreeSpace` | string | `"2048"` | Minimum space available on disk to write data, in case of throttling |
| `MaximumContainerValue` | string | `"500000"` | Maximum data stored in container; if the UDP port is flooded, data will be discarded and an alert will be given |
| `debugLevel` | string | `"0"` | The debug level: 0 - FATAL ERROR, ERROR messages; 1 - WARNING messages; 2 - INFO messages; 3 - DEBUG messages |
| `UDPSyslogPortEn` | boolean | `false` | Enable flag for the UDP syslog server port with data processing |
| `UnprocessedUDPSyslogPortEn` | boolean | `false` | |
| `UDPNetflowPortEn` | boolean | `false` | UDP netflow capture server enable flag |
| `UDPCEFPortEn` | boolean | `false` | UDP CEF format server enable flag |
| `UDPIntrustPortEn` | boolean | `false` | UDP intrust format server enable flag |
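
The transport and listener parameters above can be checked mechanically before a Data Server goes into production. The audit below is an added example, not CYBERQUEST code; the INI layout, the `[dataserver]` section name and the `audit` function are assumptions, since this page does not show the file format.

```python
import configparser

# Constructed sample. The INI layout and the [dataserver] section name are
# assumptions; the page does not show the real file format.
SAMPLE = """
[dataserver]
encryptData = true
mqHost = "10.0.0.5"
mqUseSSL = false
useHTTPSTransport = false
CLIENT_ACCESS_TOKEN = "DEFAULT_CLIENT-ACCESS-TOKEN"
UDPListenIP = "0.0.0.0"
UDPSyslogPortEn = true
UDPCEFPortEn = false
"""

DEFAULT_TOKEN = "DEFAULT_CLIENT-ACCESS-TOKEN"
UDP_FLAGS = ("UDPSyslogPortEn", "UnprocessedUDPSyslogPortEn",
             "UDPNetflowPortEn", "UDPCEFPortEn", "UDPIntrustPortEn")

def audit(text, section="dataserver"):
    """Return findings for transport and listener settings, using the page's defaults."""
    cp = configparser.ConfigParser()
    cp.optionxform = str                       # keep parameter names case-sensitive
    cp.read_string(text)
    sec = cp[section]
    val = lambda k, d: sec.get(k, d).strip().strip('"')   # missing key -> documented default
    on = lambda k, d: val(k, d).lower() == "true"

    findings = []
    if not on("encryptData", "true"):
        findings.append("encryptData=false: messages are sent unencrypted")
    if on("useHTTPSTransport", "false"):
        # The token only matters when the HTTPS transport is selected.
        if val("CLIENT_ACCESS_TOKEN", DEFAULT_TOKEN) == DEFAULT_TOKEN:
            findings.append("CLIENT_ACCESS_TOKEN: default token still in use")
    elif (not on("mqUseSSL", "false")
          and not val("mqHost", "127.0.0.1").startswith(("127.", "localhost"))):
        findings.append("mqUseSSL=false: queue connection to remote mqHost has no TLS")
    listeners = [f for f in UDP_FLAGS if on(f, "false")]
    if listeners and val("UDPListenIP", "0.0.0.0") == "0.0.0.0":
        findings.append("UDPListenIP=0.0.0.0: " + ", ".join(listeners)
                        + " exposed on every interface")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```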

Data Acquisition

Service parameters which are found in service configuration files:

config.ini file

| parameter | type | default value | description |
|---|---|---|---|
| `Alternate_DB_HOST` | string | `tcp://127.0.0.1:3306` | This is the address of the alternate MySQL DB server |
| `Config_DB_HOST` | string | `tcp://127.0.0.1:3306` | This is the address of the MySQL DB server |
| `Config_DB_DB` | string | `config` | This is the database name of the MySQL DB server |
| `Config_DB_USER` | string | `root` | This is the username of the MySQL DB server |
| `Config_DB_PASSWORD` | string | `****` | This is the password of the MySQL DB server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| `EL_Url` | string | `127.0.0.1` | Short term storage (Online DataStorage) address |
| `EL_Port` | string | `9200` | Short term storage (Online DataStorage) port |
| `LIC_PATH` | string | `/var/opt/cyberquest/dataacquisition/conf/lic` | License file path |
| `CLEANUP_CRON` | string | `* * * * *` | deprecated |
| `bulk_size` | string | `2000` | Bulk size to send to short term storage (Online DataStorage) |
| `no_of_threads` | string | `3` | deprecated |
| `ServiceDebugLevel` | string | `2` | The debug level: 0 - FATAL ERROR, ERROR messages; 1 - WARNING messages; 2 - INFO messages; 3 - DEBUG messages |
| `RMQ_host` | string | `127.0.0.1` | Address of the queuing services |
| `RMQ_username` | string | `cq` | Username of the queuing services |
| `RMQ_password` | string | `********` | Encrypted password of the queuing services |
| `RMQ_queue` | string | `events` | Queuing services incoming events queue name |
| `maxmindb_path` | string | `/var/opt/cyberquest/dataacquisition/bin/GeoIP.mmdb` | Location of maxmindb database file |
| `run_collection_servers` | boolean | `false` | deprecated |
| `throttle_queue` | string | `100000` | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally. |
| `cache_path` | string | `/data/dataacquisition/cache/` | Cache files location |
| `collection_unique_keys` | string | `Computer,EventLog,agent_guid` | Unique event identifier based on the fields enumerated, to identify one asset |
| `el_shards` | string | `2` | Template number of shards for short term storage |
| `use_http_ES_DA_client` | string | `1` | Whether to use HTTP transport for short term storage (Online DataStorage); if false, transport will be done by other means via the queue service (fanout) |
| `sendRawData` | string | `0` | Whether to send raw data to short term storage (Online DataStorage) |
| `writeEventPath` | string | `0` | Whether to send the path of the event in the CQ system to short term storage (Online DataStorage) |
| `validateDataForEL` | string | `1` | deprecated |
| `GetterThreadNo` | string | `3` | Number of threads to read from incoming events queue |
| `ParserThreadNo` | string | `3` | Number of threads to parse data |
| `RMQPusherThreadNo` | string | `2` | Number of threads to push data to queue service |
| `ELPusherThreadNo` | string | `2` | Number of threads to push data to short term storage (Online DataStorage) |
| `supressRawData` | string | `1` | Whether to delete raw data to send to long term storage (datastorage) |
| `RedisServerURL` | string | `127.0.0.1` | Memory based storage address |
| `RedisServerPORT` | string | `6379` | Memory based storage port |
| `ResyncCache` | string | `0` | Resync cache if used in default parsers; it will be reset to 0 after setting it to 1 |
| `UseDefaultParsers` | string | `1` | Whether to use internally defined parsers for all events |
| `EL_minim_free_space` | string | `3072` | Minimum space available on disk used by short term storage (Online DataStorage), in case of throttling |
| `Cache_minim_free_space` | string | `3072` | Minimum space available on disk to write data, in case of throttling |
| `LoadDatabase` | string | `false` | Whether to load the database stored in the sql folder |
| `debug_level` | string | `1` | The debug level: 0 - FATAL ERROR, ERROR messages; 1 - WARNING messages; 2 - INFO messages; 3 - DEBUG messages |

Data Correlation

Service parameters which are found in service configuration files:

config.ini file

| parameter | type | default value | description |
|---|---|---|---|
| `Alternate_DB_HOST` | string | `tcp://127.0.0.1:3306` | This is the address of the alternate MySQL DB server |
| `Config_DB_HOST` | string | `tcp://127.0.0.1:3306` | This is the address of the MySQL DB server |
| `Config_DB_DB` | string | `config` | This is the database name of the MySQL DB server |
| `Config_DB_USER` | string | `root` | This is the username of the MySQL DB server |
| `Config_DB_PASSWORD` | string | `***` | This is the password of the MySQL DB server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| `AplicationGUID` | string | `334CFC20-F2D3-A7D1-D3B7-DBB79ED69B5C` | This is the server globally unique ID, represented by 32 lowercase/uppercase hexadecimal digits, displayed in five groups separated by hyphens, in the form 8-4-4-4-12 for a total of 36 characters |
| `EL_Url` | string | `127.0.0.1` | Short term storage (Online DataStorage) address |
| `EL_Port` | string | `9200` | Short term storage (Online DataStorage) port |
| `DebugLevel` | string | `2` | The debug level: 0 - FATAL ERROR, ERROR messages; 1 - WARNING messages; 2 - INFO messages; 3 - DEBUG messages |
| `RMQueueAddress` | string | `127.0.0.1` | Address of the queuing services |
| `RMQueuePort` | string | `5672` | Port of the queuing services |
| `RMQueueUserName` | string | `cq` | Username of the queuing services |
| `RMQueuePassword` | string | `********` | Encrypted password of the queuing services |
| `RMQueueName` | string | `DataCorrelation` | Queuing services incoming events queue name |
| `throttle_queue` | string | `100000` | Number of events stored in the message queue at which it will stop sending events. All events will be cached locally |
| `cache_path` | string | `/data/datacorrelation/cache/` | Cache files location |
| `RedisServerURL` | string | `127.0.0.1` | Memory based storage address |
| `RedisServerPORT` | string | `6379` | Memory based storage port |
| `restart` | bool | `0` | Restarts data correlation service |
| `PercolatorThreadPoolSize` | string | `3` | Thread pool size for the percolator |
| `PercolatorNumberOfContainers` | string | `1` | Number of containers to be used to percolate |

Data Storage

Service parameters which are found in service configuration files:

conf.xml file

| parameter | type | default value | description |
|---|---|---|---|
| `dbDriver` | string | `com.mysql.jdbc.Driver` | This is the driver of the MySQL DB server |
| `dbUserName` | string | `root` | This is the username of the MySQL DB server |
| `dbPass` | string | `****` | This is the password of the MySQL DB server |
| `dbUrl` | string | `jdbc:mysql://127.0.0.1:3306/config` | This is the address of the MySQL DB server |
| `dbAlternateUrl` | string | `jdbc:mysql://127.0.0.1:3306/config` | This is the address of the alternate MySQL DB server |
| `serverGuid` | string | `D39498A9-1C85-0379-1E78-C161E6FFEEEA` | This is the Globally Unique IDentifier (GUID) of the server |

The following are parameters set in application settings:

| parameter | type | default value | description |
|---|---|---|---|
| `maxEventsPerFile` | string | `20000` | Specifies the maximum number of events allowed per stored file |
| `fileWriterTimeout` | string | `60` | Specifies the timeout interval for the event writer |
| `mqUserName` | string | `cq` | Specifies the administrative username for MQ service access |
| `mqPassword` | string | `****` | Specifies user's password for MQ service |
| `mqHost` | string | `127.0.0.1` | Specifies the MQ service server. In distributed architectures, it may differ from the default CYBERQUEST server |
| `mqVhost` | string | `/` | Specifies the MQ service virtual server. In distributed architectures, it may differ from the default CYBERQUEST server |
| `mqPort` | string | `5672` | Specifies the network communication port used by MQ service |
| `mqExchangeName` | string | `eventsExchange` | Specifies the exchange name used by MQ service |
| `mqQueueName` | string | `jobCommands` | Specifies the MQ queue name |
| `mqReceiveQueueType` | string | `fanout` | Specifies the MQ Receive queue type |
| `mqRouting` | string | `agents` | Specifies the routing path for message queues |
| `mqReceiveCommandExchangeName` | string | `eventsExchange` | Specifies the MQ Receive command exchange name |
| `mqReceiveCommandQueueName` | string | `jobCommands` | Specifies the MQ Receive command queue name |
| `mqReceiveCommandQueueType` | string | `direct` | Specifies the MQ Receive command queue type |
| `mqReceiveCommandRouting` | string | `servers` | Specifies the MQ Receive command routing path |
| `mqSendExchangeName` | string | | Specifies the MQ Send exchange name |
| `mqSendQueueName` | string | `archive` | Specifies the MQ Send queue name |
| `mqSendRouting` | string | `agents` | Specifies the MQ Send routing path |
| `mqSendQueueType` | string | `direct` | Specifies the MQ Send queue type |
| `encryptionPublicKeyFilePath` | string | `/var/opt/cyberquest/encryption/datastorage/public_key.txt` | Specifies the file path for defined public key |
| `encryptionPrivateKeyFilePath` | string | `/var/opt/cyberquest/encryption/datastorage/private_key.txt` | Specifies the file path for defined private key |
| `elasticClusterName` | string | `ES.` | Specifies the Online DataStorage cluster name |
| `elasticHostName` | string | `127.0.0.1` | Specifies the Online DataStorage host name |
| `encryptionPrivateKeyPassword` | string | `***` | Specifies the password for defined private key |
| `encryptionPrivateKeyPasswordPath` | string | `/var/opt/cyberquest/encryption/datastorage/privateKeyPassword.txt` | Specifies the file path for defined private key password |
| `fileImportThreads` | string | `5` | Specifies how many threads are used for import |
| `mqQueueType` | string | `direct` | Specifies the queue type |
| `mqReceiveExchangeName` | string | `DA.publish` | Specifies the MQ Receive exchange name |
| `mqReceiveQueueName` | string | `DataStorage` | Specifies the MQ Receive queue name |
| `mqReceiveRouting` | string | `agents` | Specifies the MQ Receive routing key |
| `mqAlternateHost` | string | `127.0.0.1` | Specifies the alternate host name to use if the current queue is dead |
| `mqVHost` | string | `/` | Specifies the MQ Receive virtual host |

Windows Agent

You can find all configurable variables in the following table:

| parameter | type | default value | description |
|---|---|---|---|
| `eventSyncQueueSize` | integer | `10000` | Number of events sent every 5 seconds |
| `compressData` | boolean | `true` | Whether to compress event data |
| `encryptData` | boolean | `true` | Whether to encrypt event data |
| `cleanupOlderLogsDays` | integer | `7` | Automatic cleanup of agent logs |
| `throttleCollection` | integer | `10000` | Threshold at which it will gradually start to collect fewer events (this value is given by how many messages are waiting in the CYBERQUEST processing server queue) |
| `mqHost` | string | `192.168.200.128` | CYBERQUEST server host |
| `mqUserName` | string | `cq` | CYBERQUEST server username |
| `mqPassword` | string | `****` | Hash of the CYBERQUEST server password |
| `HttpTransportUrl` | string | `false` | Used for cloud deployments; URL for sending data to the CYBERQUEST server cloud |
| `CLIENT_ACCESS_TOKEN` | string | `false` | Authentication token for the CYBERQUEST server cloud |
| `mqUseSSL` | boolean | `false` | Whether to encrypt the whole connection to the CYBERQUEST server |