
RSA Security Analytics - How the number of open database files is calculated in SA NextGen

Issue

On Packet and Log Decoders, the number of open database files for a particular database type at any one time is calculated for the following 3 settings:

/database/config/meta.files
/database/config/packet.files
/database/config/session.files


On Concentrators, the value is calculated for the following 2 settings:

/database/config/meta.files
/database/config/session.files

Resolution

For 10.4.0 and 10.4.0.1

The number of open files is calculated from the amount of memory present when the service runs for the first time.

Calculation:
The amount of RAM in Gigabytes is rounded up and multiplied by 3 to obtain the number of open files.

Example:
SSH to an appliance and run the 'free -b' command. The free command displays total physical memory of 101536456704 bytes in this example:

101536456704 / (1024 * 1024 * 1024) = 94.56 GB of RAM
The 94.56 is rounded up to 95, then multiplied by 3, which equals 285.


For 10.4.0.2

The number of open files is calculated from the amount of memory present when the service runs for the first time (constrained by a maximum value to avoid disk contention on decoders).

Decoder Calculation:
The amount of RAM in Gigabytes is rounded up and multiplied by 2 to calculate the number of open files. The value is not allowed to exceed 50.

Concentrator Calculation:
The amount of RAM in Gigabytes is rounded up and multiplied by 2 to calculate the number of open files. There is no maximum constraint.

Example:
SSH into an appliance and run the 'free -b' command. The free command displays total physical memory of 33805520896 bytes in this example (i.e. 31.48 GB of RAM). The value of 31.48 is rounded up to 32, then multiplied by 2 to obtain 64. As 64 exceeds the value of 50, the number of open files is set to 50.
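
The two calculations above (10.4.0/10.4.0.1 and 10.4.0.2) can be reproduced with the shell functions below. This is an added example, not RSA code: the function names ceil_gib, open_files and total_mem_bytes are hypothetical, and "decoder" is assumed to cover both Packet and Log Decoders.

```shell
#!/bin/sh
# Added illustration: reproduces the article's arithmetic only. It does not
# read or change the /database/config/*.files settings on an appliance.

# ceil_gib BYTES -> RAM in gigabytes (1024^3 bytes), rounded up
ceil_gib() {
    gib=1073741824
    echo $(( ($1 + gib - 1) / gib ))
}

# open_files VERSION SERVICE BYTES
#   VERSION: 10.4.0 | 10.4.0.1 | 10.4.0.2
#   SERVICE: decoder | concentrator
open_files() {
    version=$1 service=$2 bytes=$3
    # Reject empty or non-numeric input before doing arithmetic on it
    case $bytes in
        ''|*[!0-9]*) echo "bytes must be a whole number" >&2; return 1 ;;
    esac
    gb=$(ceil_gib "$bytes")
    case $version in
        10.4.0|10.4.0.1)
            # Rounded-up GB multiplied by 3, no maximum
            echo $(( gb * 3 ))
            ;;
        10.4.0.2)
            # Rounded-up GB multiplied by 2; decoders are capped at 50
            n=$(( gb * 2 ))
            if [ "$service" = decoder ] && [ "$n" -gt 50 ]; then
                n=50
            fi
            echo "$n"
            ;;
        *)
            echo "unsupported version: $version" >&2
            return 1
            ;;
    esac
}

# total_mem_bytes: the "total" column of the Mem: row from 'free -b'
total_mem_bytes() {
    free -b | awk '/^Mem:/ {print $2}'
}
```

On an appliance, `open_files 10.4.0.2 decoder "$(total_mem_bytes)"` gives the expected value to compare against the configured setting.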

Notes

While the number of open files is calculated the first time the service runs, it can be recalculated using a database reconfig in Explore mode in the SA UI.

Internal Comments

12/29/2014 -- Lee McCotter
It might be simpler to choose a different command which shows memory in GB rather than displaying in bytes and needing the reader to rip out a Byte to Gigabyte calculator.

e.g. On a Series 2 appliance:
# vmstat -s -S M | head -n1
        16085 M total memory
Which is pretty much the interpreted version of:
# cat /proc/meminfo | head -n1
MemTotal:     16471548 kB

Looking at 'dmidecode --type memory' output, Series 4/SA appliances have 96 GB of RAM
Series 3 appliances have between 8 to 128 GB of RAM (depending on the model)

Also even if this KB is not intended to be public, it would be good to know where the multipliers came from (was it JIRA/email trail with CE). Notes(Internal)/Internal comment would really help us understand.

12/30/2014 -- Lee McCotter
Looking at the end result of 285 mentioned in JIRA SACE-2220, the calculation must really be using a rounding up calculation rather than actual RAM size (otherwise value would be 96 x 3 = 288 rather than 95 x 3 = 285).

Product Details

RSA Product Set: Security Analytics
RSA Product/Service Type: Decoder, Log Decoder, Concentrator, Hybrid, All-in-One
RSA Version/Condition: 10.4.0.0, 10.4.0.1, 10.4.0.2

Approval Reviewer Queue

Technical approval queue