Kaspersky Machine Learning for Anomaly Detection

Configuring the Event Processor service

December 6, 2023

ID 248010

Kaspersky MLAD uses the Event Processor service to identify patterns and anomalous sequences of events and patterns. You can configure the settings of the Event Processor service.

If Kaspersky MLAD is restarted, you do not need to re-configure the Event Processor service settings. Kaspersky MLAD restores the Event Processor service state from the database or from a file in bit format. This restoration process may take several minutes if there is a significantly large number of processed events or registered patterns. Until the state of the Event Processor service is restored, requests in the Event Processor section will not be fulfilled, data will not be updated, and data received from the CEF Connector will not be processed. This data is temporarily stored in the system message queue and is processed after the state of the Event Processor service is restored.

The Event Processor service may require a large amount of RAM on the server where Kaspersky MLAD is installed. The amount of RAM usage depends on the rate of the event stream and the volume of events history that is processed. The specific configuration of the Event Processor service also has an effect on the amount of RAM usage.

System administrators can configure the Event Processor service.

To configure the Event Processor service:

  1. In the lower-left corner of the page, click the Main menu button.

    You will be taken to the administrator menu.

  2. Select System parameters → Event Processor.

    A list of service settings appears on the right.

  3. In the Online mode section, do the following:
    1. Using the Browse button under the Event processor configuration file setting, add the file containing the configuration settings for the Event Processor service.

      The configuration file is created by a qualified technical specialist of the Customer, a Kaspersky Lab employee, or a certified integrator.

      To delete the configuration file for the Event Processor service, click Clear. To save the configuration file on your computer, click the Download icon.

      Changing the configuration file of the Event Processor service results in a complete loss of the service's data.

    2. If you need to process incidents registered by the Anomaly Detector service, turn on the Process incidents as events toggle switch.
    3. In the Maximum number of network layers field, specify the number of layers of the semantic neural network that will be used.

      The default number of network layers for event data that is based on a specific structure is ten layers. In most cases, ten layers are enough for the hierarchical presentation of data in the semantic neural network at the core of the Event Processor. To identify patterns of periodic processes that span an extended period of time, you may need to increase the value of the Maximum number of network layers parameter.

    4. In the Coefficient defining the permitted dispersion of the pattern duration field, specify the coefficient used to determine the permissible dispersion of intervals between elements in the same pattern.

      If the actual dispersion value is less than or equal to one that is specified, the identified sequences of events will be registered as one pattern.

    5. In the Interval for receiving batch events (sec.) field, specify the time interval (in seconds) for which the Event Processor service forms an episode from incoming events received for processing.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to set the interval for receiving new events so that the number of events received during it is close to the value specified in the Batch size in online mode (number of events) field. If the rate of incoming events is a lot lower than this, you should adjust the interval for receiving new events to ensure an optimal frequency of event processing.

    6. In the Batch size in online mode (number of events) field, specify the maximum number of events per episode to be subsequently processed by the Event Processor service.

      If the rate of incoming events is approximately 1000 events per second, it is recommended to indicate a value equal to 4096 in this field.

    7. In the Method of saving the state of the Event Processor service drop-down list, select one of the following options for saving the Event Processor service state:
      • Database table – Kaspersky MLAD saves the results from processing each episode in the database table.
      • File in bit format – Kaspersky MLAD saves the state of the Event Processor service according to the frequency defined in the Component backup frequency field. The application saves the state of the service to the file specified in the File containing a backup copy of the component state field.

        Saving the Event Processor service state to a file in bit format is recommended for debugging and configuring the application settings by Kaspersky employees during the deployment of Kaspersky MLAD.

      By default, the Event Processor service saves the results of event stream processing in a database table.

      Changing the way of saving the Event Processor service state results in a complete loss of the service's data.

    8. If you chose to store the Event Processor service state in a file in bit format, in the Component backup frequency field, specify how often (in days, hours, and minutes) to perform a backup of the Event Processor service.
    9. If you chose to store the Event Processor service state in a file in bit format, add the file that contains a backup copy of the Event Processor service state via the Browse button under the File containing a backup copy of the component state setting.

      This file will be used if you ever need to restore the state of the Event Processor service. The state of the Event Processor service can be restored by Kaspersky experts as part of their extended technical support.

      To delete the file containing a backup copy of the Event Processor service state, click Clear. To save the file containing a backup copy of the service state on your computer, click the Download icon.

  4. In the Sleep mode section, do the following:
    1. In the Batch size in sleep mode (number of events) field, specify the number of events for forming an episode in sleep mode.

      The Event Processor service generates episodes based on the history of events received for reprocessing during the time interval specified in the Events history interval for processing in sleep mode field.

    2. In the Send alerts when the monitor is activated in sleep mode field, select one of the following values:
      • Send alerts when the monitor is activated by any pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if the patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Do not send alerts when the monitor is activated – Kaspersky MLAD does not send alerts when the monitor is activated in the sleep mode.
      • Send alerts when the monitor is activated by a new pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if new patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
      • Send alerts when the monitor is activated by a previously registered pattern – Kaspersky MLAD sends alerts when the monitor is activated in the sleep mode if stable patterns are detected in accordance with the specified monitoring criteria. The number of monitor activations is refreshed in the Event Processor section on the Monitoring tab.
    3. In the Sleep mode frequency field, specify how often (in days) and at what time (according to the UTC standard) the Event Processor service enters sleep mode to reprocess events.

      It is recommended to specify the time when the event stream is the least intensive as the start time for sleep mode.

      If the specified sleep time has not yet come on the current day, the Event Processor will enter sleep mode on that day. If the sleep time has already passed on the current day, the Event Processor will enter sleep mode at the specified time after the specified number of days.

    4. In the Sleep mode duration (HH:MM) field, specify the time period (in hours and minutes) during which the Event Processor service processes events in the sleep mode.
    5. In the Events history interval for processing in sleep mode field, specify the time interval (in days, hours, and minutes) during which the analyzed events must be forwarded for reprocessing in the sleep mode to the Event Processor service.
  5. Click the Save button.
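The scheduling rule for sleep mode described in step 4 (start today if the UTC start time is still ahead, otherwise at the same time after the configured number of days), worked through as an added example; this is illustrative code, not part of Kaspersky MLAD, and the SleepModeSettings container, the field names, and the treatment of the Events history interval as the span ending at the sleep start are assumptions.

```python
"""Added example: when does the Event Processor next enter sleep mode, and which
event history does that window reprocess? Not Kaspersky code; settings names are
illustrative stand-ins for the Sleep mode section fields described on the page."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class SleepModeSettings:
    every_days: int              # Sleep mode frequency: every N days ...
    start_time: time             # ... at this UTC time of day
    duration: timedelta          # Sleep mode duration (HH:MM)
    history_interval: timedelta  # Events history interval for processing in sleep mode


def next_sleep_start(settings: SleepModeSettings, now: datetime) -> datetime:
    """Return the next sleep-mode start (UTC) following the rule on the page."""
    if now.tzinfo is None:
        raise ValueError("'now' must be timezone-aware")
    now = now.astimezone(UTC)
    today_start = datetime.combine(now.date(), settings.start_time, tzinfo=UTC)
    if now < today_start:
        # Start time has not yet come today: sleep mode starts today.
        return today_start
    # Start time already passed today: same time after the configured number of days.
    return today_start + timedelta(days=settings.every_days)


def sleep_window(settings: SleepModeSettings, now: datetime):
    """Return (start, end, history_from): the sleep-mode window and the oldest
    event it reprocesses. Assumption: the history interval ends at the sleep start."""
    start = next_sleep_start(settings, now)
    return start, start + settings.duration, start - settings.history_interval


# Constructed sample settings: nightly at 02:00 UTC, 3 h long, reprocess the last 7 days.
EXAMPLE_SETTINGS = SleepModeSettings(
    every_days=1,
    start_time=time(2, 0),
    duration=timedelta(hours=3),
    history_interval=timedelta(days=7),
)

if __name__ == "__main__":
    for now in (datetime(2023, 12, 6, 1, 30, tzinfo=UTC), datetime(2023, 12, 6, 2, 30, tzinfo=UTC)):
        start, end, history_from = sleep_window(EXAMPLE_SETTINGS, now)
        print(f"now={now:%Y-%m-%d %H:%M}Z -> sleep {start:%Y-%m-%d %H:%M}Z..{end:%H:%M}Z, "
              f"reprocess events since {history_from:%Y-%m-%d %H:%M}Z")
```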
