Configure trace

Trace size and timeout

A trace is a sequence of packets saved to disk in the PCAP file format. The number of packets in a trace is fixed: when a trace of N packets is triggered, Guardian starts writing to disk the N/2 packets that were sniffed before the trigger, then tries to save another N/2 packets and finalizes the write operation; at this point the trace can be downloaded. To avoid a trace remaining pending for too long there is also a timeout: when it expires, the trace is saved even if the desired number of packets has not been reached.

Trace files are stored in the directory /data/traces, which uses disk-based storage. To improve performance, however, on machines with larger memory configurations this directory is backed by RAM-based storage.

Figure 1. A schematic illustration of the trace saving process
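The capture process described above, as an added model (not Guardian's code): a ring buffer keeps the N/2 most recent packets, the trigger starts collecting another N/2, and trace_request_timeout finalizes the trace early, including when the link goes quiet. Packet timestamps and the trigger time are constructed values.

```python
from collections import deque

class TraceCapture:
    """Constructed model of the trace process above (not Guardian's code)."""

    def __init__(self, trace_size=5000, trace_request_timeout=60):
        self.pre_target = trace_size // 2                 # kept before the trigger
        self.post_target = trace_size - self.pre_target   # collected after it
        self.timeout = trace_request_timeout
        self.pre = deque(maxlen=self.pre_target)  # ring: oldest packet falls off
        self.post = []
        self.triggered_at = None
        self.result = None  # (reason, packets) once the PCAP would be written

    def trigger(self, ts):
        """An alert or a user request starts a trace at time ts (seconds)."""
        if self.triggered_at is None and self.result is None:
            self.triggered_at = ts

    def on_packet(self, ts, pkt):
        """Feed one sniffed packet with its timestamp."""
        if self.result is not None:
            return
        if self.triggered_at is None:
            self.pre.append(pkt)
        elif not self.check_timeout(ts):
            self.post.append(pkt)
            if len(self.post) >= self.post_target:
                self._finalize("trace_size reached")

    def check_timeout(self, ts):
        """Finalize on timeout; call it from a clock too, so a quiet link cannot stall."""
        if self.result is None and self.triggered_at is not None \
                and ts - self.triggered_at >= self.timeout:
            self._finalize("trace_request_timeout expired")
        return self.result is not None

    def _finalize(self, reason):
        self.result = (reason, list(self.pre) + self.post)

def run_scenario(trace_size, timeout, trigger_at, packet_times):
    """Replay constructed packet timestamps; returns (reason, packets saved)."""
    cap = TraceCapture(trace_size, timeout)
    for ts in packet_times:
        if ts >= trigger_at:
            cap.trigger(trigger_at)
        cap.on_packet(ts, ("pkt", ts))
    cap.check_timeout(packet_times[-1] + timeout)  # link idle after the last packet
    return (cap.result[0], len(cap.result[1])) if cap.result else None
```

With trace_size 6 and a trigger at t=4.5 s on a one-packet-per-second link, the trace fills with three pre-trigger and three post-trigger packets; with a 2 s timeout it is finalized after only two post-trigger packets.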


Set max trace packets

Product: Guardian
Syntax: conf.user configure trace trace_size <size>
Description: The maximum number of packets that will be stored in the trace file.
Parameters: size: default value 5000
Where: CLI
To apply: It is applied automatically

Set trace request timeout

Product: Guardian
Syntax: conf.user configure trace trace_request_timeout <seconds>
Description: The time in seconds after which the trace is finalized even if the trace_size parameter has not been fulfilled.
Parameters: seconds: default value 60
Where: CLI
To apply: It is applied automatically

Set max pcaps to retain

Product: Guardian
Syntax: conf.user configure trace max_pcaps_to_retain <value>
Description: The maximum number of PCAP files to keep on disk; when this number is exceeded, the oldest traces are deleted. Both automatic alert traces and user-requested traces are counted. This is a runtime machine setting used for self-protection, and it prevails over the retention settings described in the Configuring retention section.
Parameters: value: default value 100000
Where: CLI
To apply: It is applied automatically

Set minimum free disk percentage

Product: Guardian
Syntax: conf.user configure trace min_disk_free <percent>
Description: The minimum percentage of free disk space; when free space drops below it, the oldest traces are deleted. If the traces directory is memory backed, this setting cannot be overridden and the default value is always used.
Parameters: percent: default value 10 if trace storage is disk backed, 5 if memory backed. Enter the number without the % sign.
Where: CLI
To apply: It is applied automatically

Set maximum occupied space

Product: Guardian
Syntax: conf.user configure retention trace_request occupied_space <max_occupied_bytes>
Description: The maximum space, in bytes, that traces may occupy on disk. If the traces directory is memory backed, this setting cannot be overridden and the default value is always used.
Parameters: max_occupied_bytes: default value is half of the disk size if trace storage is disk backed, 95% of available space if memory backed
Where: CLI
To apply: It is applied automatically