Sentinel automatically configures the Elasticsearch settings described in the table below. You can customize the Elasticsearch settings as needed.
To customize the default settings:
For traditional storage: Open the /etc/opt/novell/sentinel/config/elasticsearch-index.properties file and update the properties listed in the table as required.
For scalable storage: In the SSDM home page, click Storage > Scalable Storage > Advanced Properties > Elasticsearch.
Table 12-1 Elasticsearch Properties
|
Property |
Default Value |
Notes |
|---|---|---|
|
elasticsearch.events.lucenefilter (Optional) |
|
Specify a filter to send only specific events to Elasticsearch for indexing.For example: If you specify the value as sev:[3-5], events with severity value only between 3 and 5 are sent to Elasticsearch. |
|
index.fields |
id,dt,rv171,msg,ei,evt,xdastaxname,xdasoutcomename,sev,vul,rv32,rv39,rv159,dhn,dip,rv98,dp,fn,rv199,dun,tufname,rv84,rv158,shn,sip,rv76,sun,iufname,sp,iudep,rv198,rv62,st,tid,srcgeo,destgeo,obsgeo,rv145,estz,estzmonth,estzdiy,estzdim,estzdiw,estzhour,estzmin,rv24,tudep,pn,xdasclass,xdasid,xdasreg,xdasprov,iuident,tuident |
Indicates the event fields that you want Elasticsearch to index. |
|
es.num.shards |
5 |
Indicates the number of primary shards per index. You can increase this default value when the shard size goes beyond 50 GB. |
|
es.num.replicas |
1 |
Indicates the number of replica shards that each primary shard should have. A minimum of 2 node cluster is recommended considering failover and high availability. |