Configuring context details generated by agents

Context details are all the logs that the agent produced in an attack perimeter, including those that do not usually appear in the administration console. For example, even logs that remained local on the agent or that were sent to a syslog server are shown in the context details. For further information, refer to the section Analyzing contexts to understand attacks.

You can configure the size of such contexts, the maximum age of their logs and how they are sent to the agent handler.

  1. In an agent group’s Status and logs tab, go to the Context section.
  2. Define the Size limit of a context, which is 500 KB by default. This is the estimated size of data going through the network. If network connections are restricted between agents and the agent handler, reduce this size. Conversely, if you added highly verbose sets of audit rules, increase this size to ensure that you retrieve enough useful logs.
  3. Define the Oldest logs. The default value is 10 minutes because most attacks happen quickly, but you can adjust it according to your preferences.
  4. Choose how Context detail reporting takes place from the agent to the agent handler. Reporting can be:
    • Immediate: context logs are sent to the agent handler at the same time as the alert, and can be seen immediately in the administration console.
    • Postponed: context logs are sent to the agent handler at a Frequency that you can define, the default value being every hour. If you analyze attacks only once daily, lengthen this interval to every two or three hours to avoid network congestion.
    • On demand: context logs will not be sent to the agent handler automatically. You can download all this data manually when you intend to analyze an attack. For further information, refer to the section Analyzing contexts to understand attacks.
  5. Save your changes.