15.2.5. Procedure – Configuring the external indexer

Purpose: 

In order to connect to PSM and index the audit trails, you must configure the external indexer. Complete the following steps.

Warning

Unless you know exactly what you are doing, modify only the parameters you are instructed to.

Steps: 

  1. Login to the PSM web interface, and navigate to Basic Settings > Local Services > Indexer service.

  2. Export the configuration file for the external indexer: click Export. (Note that the Export button is displayed only after the configuration to enable PSM to use remote indexers has been committed.)

    The configuration file contains the listening address (IP and port) of PSM, the OCR license, and the necessary keys for SSL authentication.

    Upload the file to the host of the external indexer.

  3. On the external indexer host, import the configuration file with the following command:

    indexer-box-config <configuration-file>.config
  4. Configure the external indexer service: open the /opt/external-indexer/etc/indexer/indexerworker.cfg configuration file for editing.

  5. To edit the number of worker groups assigned to a certain worker process type, find the worker_groups line.

    A worker group has the following parameters:

    • name: the name of the worker group

    • count: the number of worker threads to use for processing

    • capabilities: the type of job(s) this process will perform (index, screenshot, video)

    Make sure that the sum value of the workers are equal to the number of CPU cores in the host (or the number of CPU cores minus one if you want to save resources for other tasks).

    Balabit recommends using dedicated hosts for external indexing. If the host is not dedicated exclusively to the external indexer, decrease the number of workers accordingly.

  6. Optional step: to fine-tune performance, you can configure the number of OCR threads each worker can initiate using the ocr_thread_count key.

    The default setting is 3. When configuring this setting, pay attention to the available CPU cores, as raising the number of possible threads too high can impact performance negatively.

  7. Optional step: if instructed by Balabit Support, configure the OCR engine.

    Find the engine key, and change its value to one of the following options:

    • omnipage-external is the default setting. It provides the best performance and stability by allowing workers to initiate multiple OCR threads.

      This setting also allows you to search for images where OCR could not be performed. On the search UI of PSM enter the OOCCRRCCRRAASSHH search string to list all such images. If possible, contact the Balabit Support Team, so we can continue improving the engine.

      Note that multiple OCR threads can only speed up processing graphical protocols (RDP, VNC and ICA trails), and do not affect the processing speed for terminal-based protocols (telnet and SSH).

    • omnipage only supports one OCR thread per worker.

      If you have to use this option, make sure to also set the ocr_thread_count to 0.

    • tesseract is an alternative engine, provided for troubleshooting purposes only.

  8. Save your changes. To continue with uploading decryption keys (for indexing encrypted audit trails), see Procedure 15.2.6, Uploading decryption keys to the external indexer.

    To start the indexer service, see Procedure 15.2.8, Starting the external indexer.