Sentinel: event-router.properties configuration

  • 3674902
  • 11-Mar-2008
  • 26-Apr-2012

Environment

Sentinel
Collector Manager

Situation

Information on how to modify the event-router.properties file.

Provide some explanation of the different event buffer settings (Client, Real-time, Database) and the kind of behavior that might be expected if you increase or decrease the settings.

Resolution

Introduction

Event router is a component in Collector Manager whose job is to route Sentinel events to the proper channels on the message bus.

There are two channels to which event router can route events: the Real Time channel and the DB channel. The Real Time channel is the "normal" channel, where events are directed to the correlation engine, real time, and the database. The DB channel is the channel where events are sent to the database only; this happens only when a global filter indicates that certain events are to be sent to the database only, or when an event is too old and is therefore sent to the database only. When there is event overflow, "file DB" and "file real time" are used to overflow data to disk.

Collector Manager manages buffers in memory before events are sent to the message bus on the real time channel or the DB channel. When there is event overflow, Collector Manager also manages buffers in memory for "file DB" and "file real time" before events are written to disk for later processing.

Modifying the buffer properties

event-router.properties defines the buffer settings for each of the mechanisms mentioned above. The only settings the customer will likely care about tweaking are the "esecurity.router.event.realtime.*" settings, which control the real time flow of events into the Sentinel system.

esecurity.router.event.realtime.limit=20000
This setting defines the maximum number of real time events that can be held in memory.

esecurity.router.event.realtime.highWaterMark=0.90
esecurity.router.event.realtime.lowWaterMark=0.50

These two settings control the overflow of the real time buffer. If the number of buffered events reaches the high water mark, events are overflowed to disk until the low water mark is reached. So if events are coming in too fast and fill the buffer to 90%, they are written to disk for resend later.

esecurity.router.event.realtime.timeout=2000
esecurity.router.event.realtime.batchSize=1000

The "timeout" setting controls how often (in ms) events are pulled from the buffer;
the "batchSize" setting controls how many events are pulled from the buffer each time. In this case, every 2 seconds, up to 1000 events are pulled off the buffer and sent to the Sonic message bus.

esecurity.router.event.realtime.expiration=120000
This setting defines how old events are allowed to be before they are considered expired; in this case, after 120 seconds, events are considered expired and are rerouted to the database-only queue.

If the user has high-performance Collector Manager servers and wants to get Collector Manager to put out more events, they can increase the limit, increase the batch size, and decrease the timeout. However, increasing the limit and batch size also increases the memory that Collector Manager consumes, so make sure Collector Manager is given plenty of memory in the JVM settings in the configuration.xml file.


Event overflow

esecurity.router.event.file.database.rootDirectory=events_overflow/database
This setting defines where on disk the overflow database events are written. In this case, they are written to %esec_home%\data\collector_mgr.cache\events_overflow\database


esecurity.router.event.file.realtime.rootDirectory=events_overflow/realtime
This setting defines where on disk the overflow realtime events are written. In this case, they are written to %esec_home%\data\collector_mgr.cache\events_overflow\realtime

Collector Manager checks for events on file and attempts to read them back into the queue for resend until they expire, at which point it adds them to the DB-only channel queue.
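To make the tuning trade-offs above concrete (the real time limit, water marks, timeout and batch size, plus overflow to disk and expiration to the DB-only channel), here is an added simulation of the buffer behavior described in this article. It is example code written for this page, not Sentinel's own event router; the tick-based model, the constant arrival rate, and the counters are assumptions, and only the documented esecurity.router.event.realtime.* keys are read.

```python
from collections import deque
from dataclasses import dataclass

PREFIX = "esecurity.router.event.realtime."

@dataclass
class RouterSettings:
    # Defaults are the documented values; field names mirror the property keys.
    limit: int = 20000
    highWaterMark: float = 0.90
    lowWaterMark: float = 0.50
    timeout: int = 2000          # ms between batch pulls
    batchSize: int = 1000
    expiration: int = 120000     # ms before an event is rerouted to DB-only

def parse_settings(text):
    """Build RouterSettings from event-router.properties text (other keys ignored)."""
    s = RouterSettings()
    for line in text.splitlines():
        key, _, val = line.strip().partition("=")
        if key.startswith(PREFIX) and hasattr(s, key[len(PREFIX):]):
            name = key[len(PREFIX):]
            setattr(s, name, type(getattr(s, name))(val))
    return s

def simulate(s, rate_per_sec, duration_ms):
    """Run a constant arrival rate through the buffer; return routing counters.
    Events are fungible, so each queue entry is just the arrival time in ms."""
    buf, disk = deque(), deque()              # in-memory buffer, "file real time"
    high, low = int(s.highWaterMark * s.limit), int(s.lowWaterMark * s.limit)
    stats = {"realtime": 0, "db_only": 0, "spilled": 0}
    now, per_tick = 0, rate_per_sec * s.timeout // 1000
    while now < duration_ms:
        now += s.timeout
        for _ in range(per_tick):             # 1. arrivals fill the buffer
            buf.append(now)
            if len(buf) >= high:              # 2. high water mark: overflow the
                while len(buf) > low:         #    oldest to disk down to low mark
                    disk.append(buf.popleft()); stats["spilled"] += 1
        for q in (buf, disk):                 # 3. expired events go DB-only
            while q and now - q[0] >= s.expiration:
                q.popleft(); stats["db_only"] += 1
        while disk and len(buf) < low:        # 4. re-read overflow files for resend
            buf.appendleft(disk.pop())        #    (disk events are older than buf's)
        n = min(s.batchSize, len(buf))        # 5. one batch per timeout to the bus
        for _ in range(n):
            buf.popleft()
        stats["realtime"] += n
    stats["in_memory"], stats["on_disk"] = len(buf), len(disk)
    return stats
```

Running the same constant rate with a larger batchSize shows the effect the tuning paragraph describes: the buffer drains every tick and nothing is spilled or expired.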


Note:
The esecurity.router.event.client.* settings are obsolete and not in use.