Keep

Filter

Truncate

Index

Transient

Remove

Packet-based analysis is required for viewing log and session data

Packet-based analysis is based on metadata capture reduced to packets

Packet-based analysis can be accomplished with common tools such as Wireshark

Packet-based analysis is accomplished using the table-map xml file

Transient means the Decoder is using the parser to parse traffic, and the generated metadata is not stored on disk

Transient means the Decoder is using the parser to parse traffic, and the generated metadata is retained on disk for 24 hours

Transient means the Decoder is using the parser only to filter out data, not to generate metadata

Transient means the Decoder is using the parser only for ESA

Writes the log to the Archiver but not the Decoder

Parses the log to the Decoder, but in transient mode only

Adds the new Event Source to the existing list of Event Sources

Ignores the log altogether

Default Dashboard

MONITOR > Reports > Manage > Charts

MONITOR > Reports > Charts > View

CONFIGURE > ESA Rules

Packet Decoder only

Packet Decoder and Log Decoder

Packet Decoder and Log Decoder and Concentrator

Packet Decoder and Log Decoder and Concentrator and Broker

Feeds. Network Rules. LUA Parsers. Application Rules. BPF

Feeds. Network Rules. BPF. Application Rules, LUA Parsers

Network Rules. Feeds. Application Rules. BPF, LUA Parsers

BPF. Network Rules. LUA Parsers. Feeds. Application Rules