This tab enables you to look back in time for security issues. You can set rolling *flow capture and replay period of time, and store *flows in memory or on disk.
Press to start capturing flow records. Press button to send recorded flow records in syslog or JSON format to your SIEM to gain complete visibility of past network traffic. Press to stop recording.
The service has the following parameters:
Rolling Time Interval
Rolling time period for continues recording of flow records. You can specify a time unit after a time value 'X', such as Xd, Xh, Xm, or Xs to represent days (d), hours (h), minutes (m), and seconds(s) respectively. (e.g. 10d 8h 30m 30s). Default 10 minutes
Record in memory or disk (0 - Memory, 1 - Disk)
You have an option to keep recorded flow records in memory or on disk
Path to disk directory
If you selected disk option above, set the path to directory where flow records will be recorded. Default is ../../logs/replay
Disk recorder buffer size, bytes
The size of the memory buffer block for flow records to be accumulated before written to disk. Default is 4MB (4194304 bytes)
Disk recorder threads
The number of processor threads reserved for writing data to disk. Default is 2
Disk recorder queue, records
Size of the buffer to hold records in queue in case of peaks in incoming flow records. Default is 10,000
Disk file chunk size, messages
File rotation size in number of messages. Default is 10,000 (*)
Disk file rotation period, msec
File rotation time interval in msec. Default is 1 sec (*)
Exporter IPs to record watchlist
If you want to limit capture and replay to a number of NetFlow exporters, you can specify their IP addresses here
(*) The file is closed when the specified number records (chunk size) is written or file rotation time elapses, whichever comes first.