[STRM/JSA] How to disable Coalescing


Article ID: KB35064 KB Last Updated: 21 Sep 2019 Version: 1.0

Summary:

Coalescing reduces the amount of data that is processed by the event pipeline. As data comes in and is coalesced, a large burst of hundreds of thousands of events can be converted into only a few dozen records, while JSA maintains the count of the actual events. Coalescing gives JSA the ability to detect, enumerate, and track an attack on a huge scale. It also protects the performance of the pipeline by reducing the workload of the system, including the storage requirements for those events.

Symptoms:

One limitation of coalescing occurs when data is being normalized. The first event in the coalesced record, which is used as the base record, is the only one that is kept in its entirety, including the payload. You can disable coalescing for devices and log sources that are used to track audit and compliance requirements in your environment. Examples of these kinds of devices might be custom applications, any customer-facing services, critical assets, or other important devices.
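A simplified model of the limitation described above, as an added example that is not JSA's own code: the grouping key (source IP, username, event name), the 10-second window and the sample events are assumptions made for illustration, since the article does not state JSA's actual matching criteria.

```python
from dataclasses import dataclass

# Constructed sample events: (time_s, source_ip, username, event_name, payload)
SAMPLE_EVENTS = [
    (0, "10.0.0.5", "alice", "LoginFailed", "sshd: failed password for alice port 50111"),
    (1, "10.0.0.5", "alice", "LoginFailed", "sshd: failed password for alice port 50112"),
    (2, "10.0.0.5", "alice", "LoginFailed", "sshd: failed password for alice port 50113"),
    (3, "10.0.0.9", "bob", "LoginFailed", "sshd: failed password for bob port 40100"),
    (15, "10.0.0.5", "alice", "LoginFailed", "sshd: failed password for alice port 50114"),
]

WINDOW_SECONDS = 10  # assumed coalescing window, not taken from the article


@dataclass
class Record:
    first_seen: int
    key: tuple
    payload: str          # payload of the base (first) event only
    event_count: int = 1  # number of actual events this record stands for


def process(events, coalescing=True, window=WINDOW_SECONDS):
    """Turn raw events into stored records, optionally coalescing them."""
    records, open_records = [], {}
    for ts, src, user, name, payload in sorted(events):
        key = (src, user, name)  # assumed grouping key
        base = open_records.get(key)
        if coalescing and base is not None and ts - base.first_seen < window:
            base.event_count += 1  # the count is kept, the payload is not
            continue
        rec = Record(ts, key, payload)
        open_records[key] = rec
        records.append(rec)
    return records


def audit_view(records):
    """What an auditor can recover: total event count and surviving payloads."""
    return {
        "events_counted": sum(r.event_count for r in records),
        "payloads": [r.payload for r in records],
    }


if __name__ == "__main__":
    for mode in (True, False):
        view = audit_view(process(SAMPLE_EVENTS, coalescing=mode))
        print(f"coalescing={mode}: {view['events_counted']} events, "
              f"{len(view['payloads'])} payloads stored")
```

In both modes the event count is the same; only with coalescing disabled does every event keep its own payload, which is what an audit or compliance log source needs.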

Cause:

Default design.

Solution:

If you need to disable coalescing for auditing, to keep payloads for every event, or for some other purpose, you can do so either at the system level or on a per-log-source basis.

System Level Disabling:

  1. On the Admin tab, click the System Settings icon.
  2. Click Advanced.
  3. Under the System Settings heading, find the Coalescing Events setting.
  4. To disable Coalescing Events for all log sources, select No.
  5. Click Save, and close the window.
  6. From the Admin tab, click Deploy Changes.


Log Source Level Disabling:

This can be done at log source creation or later by editing the log source as described below.

  1. From the Admin tab, under the Data Sources, then Events headings, click the Log Sources icon.
  2. Double-click the row containing the log source that you would like to edit.
  3. Clear the Coalescing Events check box.
