Changing the spillover memory and disk usage settings
If you are using TLS over TCP to send log messages to IBM QRadar, IBM Disconnected Log Collector uses the configured memory and disk space to buffer log messages. You can change these values to meet your storage requirements for the hardware that you are using.
Disconnected Log Collector buffers events if there are more events than the configured events per second (EPS) rate or if Disconnected Log Collector is offline. Events are buffered in memory and, when the maximum is reached, the events are saved to spillover files on your hard disk.
The spilloverqueue.properties file specifies the memory settings in the following properties:
ecs-dlc_dlc_TCP_TO_QRADAR.capacity.in.mem
ecs-dlc_dlc_TCP_TO_QRADAR.total.memory.size.mb
Note: The value that is specified for
ecs-dlc_dlc_TCP_TO_QRADAR.capacity.in.mem
is
overridden by the following line in the
/opt/ibm/si/services/dlc/<version>.master.#####/eventgnosis/config
file:<parameter type="Number">50000</parameter> <!-- qMemCapacity -->
The spill file settings are defined by the following properties:
ecs-dlc_dlc_TCP_TO_QRADAR.max.files
ecs-dlc_dlc_TCP_TO_QRADAR.max.file.size.mb
The default values use 477 100 MB files.