How to disable IDS collectors in the course of troubleshooting SCSP issues related to the IDS service/daemon


Article ID: 181878


Products: Critical System Protection, Critical System Protection Client Edition, Data Center Security Server Advanced


Resolution


If you have an issue you feel is related to IDS, it may help to turn off all of the collectors and see if the issue goes away. Once you have tested and confirmed that the issue is resolved with no collectors enabled, you can enable them one at a time until the issue returns; the collector that brings the issue back is the one to investigate. If you are not using IDS, or are not using that particular feature of IDS, you may also have gained a workaround. This can be particularly useful on domain controllers, which log a very large number of events.

You can confirm that the settings have been applied to the agent by looking at the agent.ini found in the IDS/system folder on the agent. The relevant keys are in the [Collector Management] section of the file, shown below with the rest of a typical agent.ini for context (0 = collector disabled, 1 = enabled).
[Collector Management]
Enable File Collector=1
Enable Event Log Collector=1
Enable Audit Collector=1
Enable Registry Collector=1
Enable Syslog Collector=1
Enable Wtmp Collector=1
Enable Btmp Collector=1
Enable C2 Collector=0 # off by default
Enable IPS Driver Collector=1

[Event Management]
Events To Report Per Second=5
EventFile Rollover Type=0
EventFile Rollover Value=10        # Mb

[Statistics Management]
Collection Frequency=1200
HeartBeat Frequency=300

[File Collector]
Monitor Last Access Time=0
Enable Watched Files Checksum=0
File Collector Recursion Level=2
short poll interval=60        # seconds, minimum value is 10
long poll interval=480        # minutes, minimum value is 1

[Disk Monitor]
Lower Threshold=85
Upper Threshold=95

[IDSLogRules]
ids.log.rule.0=SEND"|"v1"|"DAUD,DFWW,DFWU,DGEN,DNTL,DIPS,DRGW,DSYS,DWTM,DUC2"|""|"inc"|"
ids.log.rule.1=SEND"|"v1"|"MSTA,MCON"|""|"inc"|"v4"|"I,C"|""|"inc"|"
ids.log.rule.2=SEND"|"v1"|"MERR,MSTD,MREP"|""|"inc"|"

[Log]
log.rule.0=SEND"|"v1"|"PBOP,PFIL,PNET,POSC,PREG,PPRC"|""|"inc"|"
log.rule.1=SEND"|"v1"|"PPST"|""|"eq"|"v4"|"W"|""|"eq"|"
log.rule.2=SEND"|"v1"|"MSTA,MCON"|""|"inc"|"v4"|"I,C"|""|"inc"|"
log.rule.3=SEND"|"v1"|"MERR,MSTD,MREP,MOVR"|""|"inc"|"
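As an added example (not part of this article and not Symantec's own tooling), the following Python script reads the [Collector Management] section of an agent.ini laid out like the one above, reports which collectors are enabled, and compares the file against the state you expect after a change so you can confirm it has reached the agent. It also has a small helper for the one-at-a-time re-enable step, telling you which collector in your chosen order is still off. The sample INI text embedded in the script is constructed from the listing above; the function names are the example's own, not anything from the product.

```python
"""Audit the [Collector Management] section of an SCSP/DCS agent.ini.

The file uses inline '#' comments and key names containing spaces, so a
short line-based parser is used instead of configparser.  Nothing here
modifies the file; it only reads it, which is how the article says to
confirm that collector settings have been applied.
"""
import re

# Constructed sample mirroring the article's listing: C2 is off by
# default, every other collector is on.
SAMPLE_AGENT_INI = """\
[Collector Management]
Enable File Collector=1
Enable Event Log Collector=1
Enable Audit Collector=1
Enable Registry Collector=1
Enable Syslog Collector=1
Enable Wtmp Collector=1
Enable Btmp Collector=1
Enable C2 Collector=0 # off by default
Enable IPS Driver Collector=1

[Event Management]
Events To Report Per Second=5
EventFile Rollover Type=0
EventFile Rollover Value=10        # Mb
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
# Matches 'Enable <name> Collector=<digits>'; the trailing '# comment'
# on a line is ignored because the match stops after the digits.
_COLLECTOR_RE = re.compile(r"^\s*Enable (?P<name>.+?) Collector\s*=\s*(?P<value>\d+)")


def parse_collectors(ini_text):
    """Return {collector name: enabled?} from [Collector Management]."""
    collectors = {}
    in_section = False
    for line in ini_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            in_section = m.group("name").strip() == "Collector Management"
            continue
        if not in_section:
            continue
        m = _COLLECTOR_RE.match(line)
        if m:
            collectors[m.group("name")] = m.group("value") != "0"
    return collectors


def check_expected(ini_text, expected):
    """Compare the agent.ini against the collector state you expect.

    `expected` maps collector name -> bool.  Returns a list of readable
    mismatches; an empty list means the agent shows the settings you
    pushed.  A collector missing from the file is reported as well,
    since that also means the change has not landed.
    """
    actual = parse_collectors(ini_text)
    problems = []
    for name, want in expected.items():
        if name not in actual:
            problems.append(f"{name}: not present in [Collector Management]")
        elif actual[name] != want:
            problems.append(f"{name}: expected {int(want)}, found {int(actual[name])}")
    return problems


def next_collector_to_enable(ini_text, order):
    """Support the one-at-a-time re-enable step of the procedure.

    Given the order in which you are turning collectors back on, return
    the first one in that order still disabled in the file, or None when
    all of them are on again (the issue never came back).
    """
    actual = parse_collectors(ini_text)
    for name in order:
        if not actual.get(name, False):
            return name
    return None


if __name__ == "__main__":
    state = parse_collectors(SAMPLE_AGENT_INI)
    for name, enabled in state.items():
        print(f"{name:12} {'enabled' if enabled else 'disabled'}")
    # During the "all collectors off" test the file should show all
    # zeros; against the stock sample this lists the ones still on.
    all_off = {name: False for name in state}
    for problem in check_expected(SAMPLE_AGENT_INI, all_off):
        print("mismatch:", problem)
```

To use it against a real agent, read the agent.ini from the IDS/system folder into a string and pass that instead of the embedded sample; the `expected` map is the collector state you pushed from the management console, and any mismatch means the agent has not yet picked up the change.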
