Enabling and disabling outliers detection on an Aggregator

Enable, disable, and configure outliers detection on an Aggregator to configure outliers detection on all of the aggregator's collectors.

Before you begin

  • It is strongly recommended that you enable outliers only on 64-bit aggregators with a minimum of 24 gigabytes of memory.

This feature is supported from Guardium V.10.1.2.

About this task

Restriction: Outliers detection and Data Level Security cannot be enabled concurrently.

When run on the aggregator, outliers detection data is extracted from the managed units, and the learning and analysis phases happen on the aggregator.

Outliers detection is disabled by default. This procedure is run on a central manager, to enable or disable outliers detection on all collectors that send their data to the specified aggregator, except a collector that is running outliers detection locally. (For more details on local collection, see Enabling and disabling outliers detection locally on a Collector).

If a collector has moved from one aggregator to another, or if you want to enable outliers detection locally on a collector, disable outliers detection on the aggregator, enable outliers detection locally if relevant, and then enable outliers detection on the aggregator again. Whenever you enable outliers detection on the aggregator, it refreshes the list of its collectors.

Procedure

  1. Log in to the central manager as a user or administrator with the CLI role.
  2. To enable the outliers detection function, enter:
    grdapi enable_outliers_detection_agg schedule_interval=1 schedule_units=HOUR aggregator_host_name=<aggregator host name> DAM_FAM=DAM
    where:
    • aggregator_host_name parameter is the host name of the aggregator

    • DAM_FAM is an optional parameter specifying the type of outliers. The default is DAM.

  3. To disable the outliers detection function, enter:
    grdapi disable_outliers_detection_agg aggregator_host_name=<aggregator host name>
    where:
    • aggregator_host_name parameter is the fully qualified domain name of the aggregator
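The following script is an added example and is not part of the Guardium documentation: it validates the parameters from steps 2 and 3 and prints the exact grdapi lines to paste into the central manager CLI, including the disable-then-enable sequence used when a collector has moved between aggregators. The value FAM for DAM_FAM, the FQDN check, and the host names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Guardium's own tooling: generate reviewed grdapi command
# lines for enabling/disabling outliers detection on an aggregator.
# Assumption: DAM_FAM accepts DAM (documented default) or FAM.

# The disable step documents aggregator_host_name as an FQDN, so require at
# least one dot and only host-name characters. Returns 1 on a bad name.
check_fqdn() {
    case "$1" in
        *.*) ;;
        *) echo "aggregator_host_name must be an FQDN: $1" >&2; return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9.-]*) echo "invalid characters in host name: $1" >&2; return 1 ;;
    esac
    return 0
}

# Step 2: enable command for one aggregator. Second argument selects the
# outlier type and defaults to DAM as the documentation states.
build_enable_cmd() {
    agg_host="$1"; agg_type="${2:-DAM}"
    check_fqdn "$agg_host" || return 1
    case "$agg_type" in
        DAM|FAM) ;;
        *) echo "DAM_FAM must be DAM or FAM (assumed values): $agg_type" >&2; return 1 ;;
    esac
    printf 'grdapi enable_outliers_detection_agg schedule_interval=1 schedule_units=HOUR aggregator_host_name=%s DAM_FAM=%s\n' "$agg_host" "$agg_type"
}

# Step 3: disable command for one aggregator.
build_disable_cmd() {
    check_fqdn "$1" || return 1
    printf 'grdapi disable_outliers_detection_agg aggregator_host_name=%s\n' "$1"
}

# After a collector moves between aggregators: disable, then enable again so
# the aggregator refreshes its collector list (local enable, if needed, is done
# on the collector in between and is not generated here).
refresh_sequence() {
    build_disable_cmd "$1" && build_enable_cmd "$1" "$2"
}

# Constructed sample host name; output is meant to be reviewed, then pasted
# into the CLI by a user with the CLI role.
refresh_sequence agg01.example.com DAM
```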

Results

The system starts collecting outlier data. Once the learning has completed (14 days), outliers data is available in the Investigation Dashboard (Interpreting data outliers in the investigation dashboard and Interpreting file activity outliers) and the Outlier Analytic List Report.