Configuring system settings

System settings specify how your IBM QRadar system components are configured for normal operation.

Procedure

  1. On the navigation menu ( Navigation menu icon ), click Admin.
  2. In the System Configuration section, click System Settings.
  3. Configure the system settings.
    Table 1.
    Setting Description
    System Settings
    Administrative Email Address Enter the email address of the designated system administrator. The default email address is root@localhost.
    Alert Email From Address Enter the email address from which to receive email alerts. This address is displayed in the From field of the email alerts. A valid address is required by most email servers.
    Email Locale Select the locale to use for system alert email messages and language preference. The default setting is English.
    Max Email Attachment Size (KB) Enter the maximum email attachment size. Some exports and reports can send large files by email. The default setting is 15,360.
    Delete Root Mail Select Yes to delete root mail. Root mail is the default location for host context messages. The default setting is Yes.
    Temporary Files Retention Period Select the length of time for the system to retain temporary files. The default storage location for temporary files is the /store/tmp directory. The default setting is 6 hours.
    Coalescing Events Select Yes to enable log sources to coalesce, or bundle, events. The default setting is Yes.

    This setting applies to all new log sources that you add. For log sources that you previously added or to change an individual log source, you must edit the Coalescing Event parameter in the log source configuration.

    Store Event Payload Select Yes to enable log sources to store event payload information. The default setting is Yes.

    This value applies to all log sources. However, if you want to alter this value for a specific log source, edit the Event Payload parameter in the log source configuration. For more information, see the Log Sources User Guide.

    Global Iptables Access (comma separated) Enter a comma-separated list of IP addresses to enable direct access to multiple systems. The IP addresses are for non-console systems that do not have iptables configuration.
    Syslog Event Timeout (minutes) Enter the amount of time, in minutes, before the status of a syslog device is recorded as an error if no events are received within the timeout period. The status is displayed on the Log Sources window. The default setting is 720.
    Partition Testers Timeout (seconds) Enter the amount of time, in seconds, for a partition test to perform before a timeout occurs. The default setting is 30.
    Max UDP Syslog Payload Length Enter the maximum payload length, in characters, that is displayed for UDP syslog events. The default setting is 1,024.
    Max TCP Syslog Payload Length Enter the maximum payload length, in characters, that is displayed for TCP syslog events. The default setting is 4,096.
    Max Number of TCP Syslog Connections Enter the maximum number of Transmission Control Protocol (TCP) syslog connections to allow on your system. The default setting is 2,500.
    Max TCP Syslog Connections Per Host Enter the maximum number of TCP syslog connections to allow per host. The default setting is 10.
    Timeout for Idle TCP Syslog Connections (seconds) Enter the amount of time, in seconds, that an idle TCP syslog connection is maintained. The default setting is 900.
    Log and Network Activity Data Export Temporary Directory Enter the location where offense, event, and flow exports are stored. The default location is /store/exports.
    Display Country/Region Flags Select Yes to enable available geographic information for an IP address to be visually indicated by a flag. The default setting is Yes.
    Display Embedded Maps in IP Address Tooltips Select Yes to enable available geographic information for an IP address to be indicated on a map when you hover over the IP address. The default setting is Yes.
    Enable X-Force Threat Intelligence Feed Select No to turn off the server that receives threat intelligence information from IBM X-Force Exchange. The default setting is Yes.

    You cannot disable the feed if your system has X-Force rules that are enabled, or if you have saved searches that use the X-Force rules.

    Minimum Permitted App Base Image Stream Select the minimum permitted base image stream for installing or upgrading applications. The default setting is v2 on a fresh install and v1 on upgrade.
    Warning: Selecting a new minimum base image version stops the application instances that are associated with the previous base image version. For example, if you select v3, then all the applications that are associated to v2 will be stopped.
    Host Profile Reporting Interval Enter the interval, in seconds, that the database stores new asset profile information. When you increase this value, also increase the Asset Profiler Interval Counter; otherwise, false positives might appear. The default setting is 900.
    Host Profiler Reporting Interval Counter Enter the time, in minutes, for the counter to reach the reporting interval. The counter increases by one each minute if an open service exists on a port. After the reporting interval is reached, the counter resets to zero. When the counter is reached, an open port record is created for the asset. The default setting is 15.
    Database Settings
    User Data Files Enter the location of the user profiles. The default location is /store/users.
    Accumulator Retention - Minute-by-Minute Every 60 seconds, the data is aggregated into a single data set. The default setting is 1 week.
    Accumulator Retention - Hourly At the end of every hour, the minute-by-minute data sets are aggregated into a single hourly data set. The default setting is 33 days.
    Accumulator Retention - Daily At the end of every day, the hourly data sets are aggregated into a single daily data set. The default setting is 1 year.
    Payload Index Retention Select the amount of time that event and flow payload indexes are stored. The default setting is 30 days.
    Offense Retention Period Select the amount of time that closed offense information is kept. The default setting is 30 days. The minimum is one day and the maximum is two years. After the offense retention period elapses, closed offenses are purged from the database.

    Offenses can be retained indefinitely if they are not closed or inactive, and they are still receiving events. The magistrate automatically marks an offense as inactive if the offense does not receive an event for 5 days. This 5-day period is known as the dormant time. If an event is received during the dormant time, the dormant time is reset back to zero. When an offense is closed either by you (Closed) or the magistrate (Inactive), the Offense Retention Period setting is applied.

    Attacker Retention Period Select the amount of time that the attacker history is stored. The attacker is typically the source IP address of an offense. The default setting is 30 days.
    Target Retention Period Select the amount of time that the target history is stored. The target is typically the destination IP address of an offense. The default setting is 30 days.
    Ariel Database Settings
    Flow Data Storage Location Enter the location of the stored flow log information. The default location is /store/ariel/flows.
    Log Data Storage Location Enter the location of the stored log source information. The default location is /store/ariel/events.
    Search Results Retention Period Select the amount of time for the system to store search results. The default setting is 1 day.
    User Readable Audit Log Messages for Searches Select True to enable comprehensible search audit logging. Search criteria audit information is displayed in a readable format. AQL searches are always displayed. The default setting is True.
    Command Line Max Matched Results Enter the maximum number of results for the AQL command line to return. The default setting is 0.
    Web Execution Time Limit Enter the maximum amount of time, in seconds, for a query to process before a timeout occurs. The default setting is 600.
    Important: This setting is no longer used.
    Command Line Execution Time Limit Enter the maximum amount of time, in seconds, for a query to process on the AQL command line before a timeout occurs. The default setting is 0.
    Important: This setting is no longer used.
    Web Last Minute (Auto Refresh) Execution Time Limit Select the maximum amount of time, in seconds, for the Auto Refresh process to continue before a timeout occurs. The default setting is 10 seconds.
    Flow Log Hashing Select No to disable storing a hash file for every stored flow log file. The default setting is No.
    Event Log Hashing Select No to disable storing a hash file for every stored event log file. The default setting is No.
    Hashing Algorithm Select a hashing algorithm for database integrity. The system uses the following hashing algorithm types:
    • Message-Digest Hash Algorithm - Condenses input data into a shorter fixed-length value called a message digest (MD).
    • Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm family that creates a larger MD (160-bit for SHA-1).

    You cannot use deprecated algorithms when you enable or change hashing algorithms.

    Use only supported algorithms instead. If you are using deprecated algorithms, you can change them to newer and supported algorithms.

    If the HMAC Encryption parameter is disabled, the following options are available:

    • MD2 (deprecated) - Algorithm that is defined by RFC 1319.
    • MD5 (deprecated) - Algorithm that is defined by RFC 1321.
    • SHA-1 (deprecated) - Algorithm that is defined by Secure Hash Standard (SHS), NIST FIPS 180-1. This setting is the default.
    • SHA-256 - Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-256 is a 256-bit hash algorithm that is intended to provide 128 bits of security against collision attacks.
    • SHA-384 - Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-384 is a 384-bit hash algorithm that is created by truncating the SHA-512 output.
    • SHA-512 - Algorithm that is defined by the draft Federal Information Processing Standard 180-2, SHS. SHA-512 is a 512-bit hash algorithm that is intended to provide 256 bits of security.

    If the HMAC Encryption parameter is enabled, the following options are available:

    • HMAC-MD5 (deprecated) - A keyed-hash message authentication code (HMAC) that is based on the MD5 hashing algorithm.
    • HMAC-SHA-1 (deprecated) - A keyed-hash message authentication code (HMAC) that is based on the SHA-1 hashing algorithm.
    • HMAC-SHA-256 - A keyed-hash message authentication code (HMAC) that is based on the SHA-256 hashing algorithm.
    • HMAC-SHA-384 - A keyed-hash message authentication code (HMAC) that is based on the SHA-384 hashing algorithm.
    • HMAC-SHA-512 - A keyed-hash message authentication code (HMAC) that is based on the SHA-512 hashing algorithm.
    The default setting is SHA-512 when the HMAC Encryption parameter is disabled.
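The practical difference between the two option groups is what a stored hash file can prove. The following Python example is added here and is not QRadar's own implementation: the sidecar file layout, the key, the sample syslog lines and the function names are assumptions for illustration. It rejects the deprecated choices, computes a per-file digest, and shows that a keyed HMAC still flags a tampered log when whoever altered the log also rewrote the hash file, whereas a plain hash is fooled.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithm choices as listed on the settings page; the deprecated ones
# cannot be selected when hashing is enabled or the algorithm is changed.
SUPPORTED = {"SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512"}
DEPRECATED = {"MD2", "MD5", "SHA-1"}

def is_permitted(algorithm):
    """True only for algorithms that may be selected (not deprecated)."""
    return algorithm in SUPPORTED and algorithm not in DEPRECATED

def _hasher(algorithm, key=None):
    """Plain hash when key is None (HMAC Encryption disabled), HMAC otherwise."""
    if not is_permitted(algorithm):
        raise ValueError(f"{algorithm} is deprecated or unknown; use one of {sorted(SUPPORTED)}")
    name = SUPPORTED[algorithm]
    return hashlib.new(name) if key is None else hmac.new(key, digestmod=name)

def digest_bytes(data, algorithm="SHA-512", key=None):
    h = _hasher(algorithm, key)
    h.update(data)
    return h.hexdigest()

def digest_file(path, algorithm="SHA-512", key=None):
    h = _hasher(algorithm, key)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):  # stream large logs
            h.update(chunk)
    return h.hexdigest()

def write_hash_file(path, algorithm="SHA-512", key=None):
    """Store the digest in a sidecar file (hypothetical layout, not QRadar's own)."""
    with open(path + ".hash", "w") as f:
        f.write(digest_file(path, algorithm, key))

def verify_log_file(path, algorithm="SHA-512", key=None):
    """Recompute the digest and compare it in constant time with the stored one."""
    with open(path + ".hash") as f:
        expected = f.read().strip()
    return hmac.compare_digest(expected, digest_file(path, algorithm, key))

def demo():
    """Constructed scenario: hash a log, append to it, then re-hash it without the key."""
    key = b"constructed-demo-key"  # the verifier's secret; never stored beside the logs
    path = os.path.join(tempfile.mkdtemp(), "events.log")
    with open(path, "wb") as f:  # constructed sample syslog line
        f.write(b"<13>Jan 1 00:00:00 host sshd[1]: Accepted password for alice\n")
    write_hash_file(path, "SHA-512", key)
    untouched = verify_log_file(path, "SHA-512", key)    # True: file matches its HMAC
    with open(path, "ab") as f:                          # tamper with the stored log
        f.write(b"<13>Jan 1 00:00:01 host sshd[1]: Failed password for bob\n")
    tampered = verify_log_file(path, "SHA-512", key)     # False: content changed
    write_hash_file(path, "SHA-512")                     # sidecar rewritten without the key
    hmac_rejects = not verify_log_file(path, "SHA-512", key)  # True: HMAC-SHA-512 still fails
    plain_accepts = verify_log_file(path, "SHA-512")          # True: plain SHA-512 is fooled
    return untouched, tampered, hmac_rejects, plain_accepts
```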
    Custom Rule Settings
    Enable Performance Analysis Select False to disable cost performance analysis tracking for custom rules. The default setting is False.
    Reset Metrics on Rule Change Select True to enable the reset of the rule performance analysis metrics when a rule is modified. The default setting is True.
    Tip: To reset metrics on a rule, edit the rule, and then save it. The metrics are cleared for the rule that you modified.
    Performance Analysis Upper Limit Enter the upper threshold (in EPS or FPS) that is used to determine the performance bar value for a rule. If the throughput for a rule drops below this limit and is above the Performance Analysis Lower Limit, the performance is displayed as two orange bars. If the throughput for a rule is above this limit, the performance is displayed as three green bars. The default setting is 50,000.
    Performance Analysis Lower Limit Enter the lower threshold (in EPS or FPS) used to determine the performance bar value for a rule. If the throughput for a rule drops below this limit, the performance is displayed as one red bar. The default setting is 12,500.
    Transaction Sentry Settings
    Transaction Max Time Limit Select the length of time that the system checks for transactional issues in the database. The default setting is 10 minutes.

    A transaction sentry detects unresponsive applications that use transaction analysis. If an unresponsive application is detected, the transaction sentry attempts to return the application to a functional state.

    Resolve Transaction on Non-Encrypted Host Select Yes to enable the transaction sentry to resolve all error conditions that are detected on the Console or on non-encrypted managed hosts. The default setting is Yes.

    If you select No, the conditions are detected and logged but you must manually correct the error.

    Resolve Transaction on Encrypted Host Select Yes to enable the transaction sentry to resolve all error conditions that are detected on the Console or on the encrypted managed host. The default setting is Yes.

    If you select No, the conditions are detected and logged but you must manually correct the error.

    SNMP Settings
    SNMP Version Select the version of SNMP that you want to use. Select Disabled if you do not want SNMP responses to be available in the custom rules engine. The default setting is Disabled.
    Embedded SNMP Daemon Settings
    Enabled Select Yes to allow SNMP requests to read data from the embedded SNMP agent; select No to disable it. The default setting is No.

    After you enable the embedded SNMP daemon, you must access the host that is specified in the Destination Host parameter and type qradar in the Username field. A password is not required. The location where you configure a destination host to communicate with the system can vary depending on the vendor host. For more information, see your vendor documentation.

    Daemon Port Enter the port to use for sending SNMP requests. The default setting is 8001.
    Community String Enter the SNMP community, such as public. This parameter applies only if you are using SNMPv2. The default setting is public.
    IP Access List (comma separated) Enter a comma-separated list of the systems that are allowed to query the SNMP agent. The list is enforced only when the Enabled option is set to Yes.
    Managed SNMPv3 Users Select Yes to have QRadar manage an SNMPv3 user in the SNMP configuration file. The user can then be used by SNMP tools such as snmpwalk.
    Username The name of the user to configure in the SNMP daemon.
    Permissions The permission group that the configured user has in the daemon. Options are Read Only or Read Write.
    Security Level The SNMPv3 security level. Options are AUTH_PRIV (authentication and encryption) or AUTH_NOPRIV (authentication only).
    Authentication Protocol The algorithm that is used for the authentication (auth) portion of the user in the SNMP daemon. Options are MD5 or SHA; SHA is the stronger choice.
    Authentication Password The authentication password of the user that is configured in the SNMP daemon.
    Privacy Protocol The algorithm that is used for the privacy (priv) portion of the user, which encrypts the SNMP traffic. Options are AES or DES; AES is the stronger choice.
    Privacy Password The privacy password of the user that is configured in the SNMP daemon.
    Console Settings
    Results Per Page Enter the maximum number of results to display on the main console. The default setting is 40.

    This setting applies to the Offenses, Log Activity, Assets, Network Activity, and Reports tabs.

    Default Search Limit Enter the result limit when you perform a search. Leave the value blank to apply no result limit. The default setting is 1,000.
    Show Additional Release Information Select Yes to include the Additional Release Information in the product About window. The default setting is Yes.
    Remote Connection Error Tolerance Enter the number of errors to ignore before the user is alerted to a remote server call timeout. The default setting is 5.
    WINS Settings
    WINS Server Enter the location of the Windows Internet Naming Server.
    Reporting Settings
    Report Retention Period (in days) Enter the time, in days, for the system to maintain reports. The default setting is 30.
    Reporting Max Matched Results Enter the maximum number of results for a report to return. The default setting is 1,000,000.
    Reporting Execution Time Limit for Reports (seconds) Enter the maximum amount of time, in seconds, for a reporting query to process before a timeout occurs. The default setting is 7,200.
    Data Export Settings
    Include Header in CSV Export Select Yes to include a header in a CSV export file. The default setting is No.
    Maximum Simultaneous Exports Enter the maximum number of export files that you want to send at one time. The default setting is 1.
    QFlow Settings
    IPFIX Additional Field Encoding Select the format for flow sources. The default setting is TLV.

    For most deployments, select TLV.

    For deployments with legacy payload-based integrations, such as rules that use regex-based Custom Flow Properties, select TLV and Payload.

    Network Insights Settings
    Flow Inspection Level Select the level of visibility and content to be extracted. The default setting is Advanced.
    Maximum Raw Payload Size Enter the maximum size of the payload. The default size is 64 bytes, and the maximum size is 32,768 bytes.

    Large payload sizes can impact performance. Adjust the payload size in small increments, and monitor the disk capacity to ensure that it does not fill up quickly.

    Geographic Settings
    User ID Enter the MaxMind user ID. For free content without a MaxMind subscription, enter 999999. The default setting is 999999.
    License Key Enter the MaxMind license key. For free content without a MaxMind subscription, enter 000000000000. The default setting is 000000000000.
    Host Server Enter the hostname of the server where the map updates are stored. The default name is updates.maxmind.com.
    Protocol Select the web protocol that you want to use. The default setting is HTTPS.
    Use Proxy Settings Defined in Auto Update Select True to download map updates through the proxy server that you configured in Auto Update Settings. The default setting is False.
    Skip Hostname Verification Select True to skip checking the server's certificate against its hostname on the HTTPS connection to the MaxMind server; with False, the connection fails if the names do not match. The default setting is False.
    Country Selection Select the physical location of the server or the ISP registered location of the country. The default setting is Physical Location.
    Disable Automatic Content Updates Select True to disable automatic updates from MaxMind. The default setting is False.
    Frequency to check for geodata update Select the frequency that you want to check for updates to the MaxMind database. The default setting is Weekly.
    Allow geodata updates to perform a Full Deploy automatically Select True to automatically deploy geodata database updates to the server.
    Custom AQL Function Settings
    Allowlist for the Utils.http.invoke HTTP method Enter a comma-separated list of the hostname/port combinations that the Utils.http.invoke HTTP method in custom AQL functions is allowed to contact.
    You can enter the hostname/port combinations in any of the following formats:
    • hostname:port
    • ip:port
    • hostname
    • ip
    Tip: To specify a single port to be allowed, append it to the hostname or IP address. For example, 127.0.0.1:49157.
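The four entry formats reduce to one matching rule: an entry with a port permits only that port, and an entry without a port permits any port on that host. The following Python example is added here and is not QRadar's code; it parses a constructed allowlist string (made-up hostnames and addresses) and checks candidate host/port pairs against it. It compares names literally without DNS resolution, so a hostname entry does not also permit that host's IP address.

```python
import ipaddress

# Constructed allowlist covering the four accepted entry formats.
ALLOWLIST = "intel.example.com:8443, 10.20.30.40:443, lookup.example.net, 192.0.2.10"

def _normalize(host):
    """Lower-case names, drop a trailing dot, and canonicalize IP literals."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return host

def parse_allowlist(text):
    """Return (host, port) pairs; port is None when an entry names only a host."""
    entries = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue  # tolerate "a, ,b" and a trailing comma
        host, sep, port = item.rpartition(":")
        # Only a single colon followed by a valid port number is host:port; this keeps
        # an unbracketed IPv6 literal such as ::1 from being split at its last colon.
        if sep and item.count(":") == 1 and port.isdigit() and 0 < int(port) < 65536:
            entries.append((_normalize(host), int(port)))
        else:
            entries.append((_normalize(item), None))
    return entries

def is_allowed(host, port, entries):
    """True if host/port matches an entry: a bare host matches any port,
    host:port matches only that port. Names are compared literally, without DNS."""
    target = _normalize(host)
    return any(h == target and p in (None, port) for h, p in entries)

def check_requests(requests, text=ALLOWLIST):
    """Evaluate a list of (host, port) candidates against the allowlist."""
    entries = parse_allowlist(text)
    return {f"{h}:{p}": is_allowed(h, p, entries) for h, p in requests}
```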
  4. Click Save.
  5. On the Admin tab, select Advanced > Deploy Full Configuration.
    Important: QRadar continues to collect events when you deploy the full configuration. When the event collection service must restart, QRadar does not restart it automatically. A message displays that gives you the option to cancel the deployment and restart the service at a more convenient time.