Host Intrusion Detection System Administrator's Guide Release 3.0
The Agent Configuration File
Data Source Process Configuration
Appendix E
Data Source Process Configuration
There is a configuration entry for each data source process. Each entry is surrounded by
[DSP] and [END] tags.
The first entry, for the system log DSP which monitors various system log files, has no
modifiable parameters. The second entry is for the kernel audit data DSP.
CAUTION Do not edit any variables in the system log DSP section (between [DSP] NAME
idskernDSP and its [END] tag).
Kernel Audit Data DSP
In the section beginning with
[DSP]
NAME idskernDSP
only the parameters in Table E-2 may be edited.
CAUTION Do not edit any other variables between [DSP] NAME idskernDSP and its [END] tag.
They are defined as follows:
DROP_NOTIFY_INTERVAL
The number of minutes that the kernel DSP waits before sending
another status message, which reports either that audit records are
still being dropped (due to heavy load) or that they are no longer
being dropped because IDS has caught up with the system call audit
stream. When audit records are first dropped, the kernel DSP sends a
“dropping audit records” message to the main idsagent process. After
DROP_NOTIFY_INTERVAL minutes have elapsed, if audit records are
still being dropped, the kernel DSP sends a “dropping audit
records” reminder message; otherwise, it sends a “no longer
dropping audit records” message. The default value is 60 (minutes).
IDDS_MODE
Table E-2 DSP idskernDSP Parameters
Name                    Default Value
DROP_NOTIFY_INTERVAL    60 (minutes)
IDDS_MODE               3
LOW_WATERMARK           50 (percent)
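A check for the two cautions above, as an added example that is not part of the guide or the product: it compares an edited agent configuration against a saved baseline and reports every changed variable other than the Table E-2 parameters shown on this page. The one "KEY value" pair per line syntax is an assumption drawn from the NAME idskernDSP line, and exampleSyslogDSP and the EXAMPLE_* keys are constructed placeholders.

```python
# Rows of Table E-2 visible on this page; extend the set if your table lists more.
EDITABLE = {"idskernDSP": {"DROP_NOTIFY_INTERVAL", "IDDS_MODE", "LOW_WATERMARK"}}

def parse_dsp_sections(text):
    """Return {dsp_name: {key: value}} for every [DSP] ... [END] entry.
    Assumes one 'KEY value' pair per line, as in 'NAME idskernDSP'."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "[DSP]":
            if current is not None:
                raise ValueError(f"line {lineno}: [DSP] inside an open entry")
            current = {}
        elif line == "[END]":
            if current is None or "NAME" not in current:
                raise ValueError(f"line {lineno}: [END] without [DSP] and NAME")
            sections[current.pop("NAME")] = current
            current = None
        elif line and current is not None:
            key, *rest = line.split(None, 1)
            current[key] = rest[0] if rest else ""
    if current is not None:
        raise ValueError("unterminated [DSP] entry")
    return sections

def forbidden_edits(baseline_text, edited_text):
    """List (dsp, key, old, new) for every change outside the editable set."""
    old, new = parse_dsp_sections(baseline_text), parse_dsp_sections(edited_text)
    findings = []
    for dsp in sorted(set(old) | set(new)):
        before, after = old.get(dsp, {}), new.get(dsp, {})
        for key in sorted(set(before) | set(after)):
            changed = before.get(key) != after.get(key)
            if changed and key not in EDITABLE.get(dsp, set()):
                findings.append((dsp, key, before.get(key), after.get(key)))
    return findings

# Constructed sample files (not taken from a real agent configuration).
BASELINE = ("[DSP]\nNAME exampleSyslogDSP\nEXAMPLE_PATH /var/example.log\n[END]\n"
            "[DSP]\nNAME idskernDSP\nDROP_NOTIFY_INTERVAL 60\nIDDS_MODE 3\n"
            "LOW_WATERMARK 50\nEXAMPLE_INTERNAL 1\n[END]\n")
EDITED = (BASELINE.replace("DROP_NOTIFY_INTERVAL 60", "DROP_NOTIFY_INTERVAL 15")
          .replace("EXAMPLE_INTERNAL 1", "EXAMPLE_INTERNAL 0")
          .replace("/var/example.log", "/tmp/other.log"))

if __name__ == "__main__":
    for finding in forbidden_edits(BASELINE, EDITED):
        print("not editable: %s %s: %r -> %r" % finding)
```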