I am using a Check Point OPSEC NG connector for this. Are you talking about CPU or ESM transport multithreading? And should there be an agent.default.properties file? Because it's not there.
Hi Samal,
Please add the below parameter in agent.properties
What is the ESM Manager version? It may not be able to ingest such high EPS. Though the Check Point feed is usually well compressed (btw, check that you enabled field-based aggregation) and should not be a problem.
For Check Point I would suggest the following field based aggregation settings:
Time Interval: 15s
Event Threshold: 1000
Field Names: name, message, transportProtocol, destinationAddress, destinationPort, sourceAddress, deviceAddress
Fields to Sum: bytesIn, bytesOut
Preserve Common Fields: Yes
Enables aggregation (in secs): Disabled
This is a tricky part since the last setting is not global and it does not affect field based aggregation.
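
To see what the field-based aggregation settings suggested above keep and what they drop, here is a simplified model, added as an illustration and not taken from the connector or from the posters. The bucketing logic is an assumption about how interval and threshold interact, and the sample events are constructed.

```python
# Simplified model of field-based aggregation; the real connector may differ.
INTERVAL_S, THRESHOLD = 15, 1000          # Time Interval, Event Threshold
KEY_FIELDS = ("name", "message", "transportProtocol", "destinationAddress",
              "destinationPort", "sourceAddress", "deviceAddress")
SUM_FIELDS = ("bytesIn", "bytesOut")

def aggregate(events, preserve_common=True):
    """events: dicts with 'ts' in seconds, sorted by ts. Returns aggregated events."""
    buckets, out = {}, []

    def flush(key):
        b = buckets.pop(key)
        evt = dict(zip(KEY_FIELDS, key), **b["sums"])
        if preserve_common:               # keep fields identical in every merged event
            evt.update(b["common"])
        evt.update(aggregatedEventCount=b["count"], startTime=b["start"], endTime=b["end"])
        out.append(evt)

    for e in events:
        # Close every bucket whose time interval has elapsed.
        for key in [k for k, b in buckets.items() if e["ts"] - b["start"] >= INTERVAL_S]:
            flush(key)
        key = tuple(e.get(f) for f in KEY_FIELDS)
        extras = {k: v for k, v in e.items() if k not in KEY_FIELDS + SUM_FIELDS + ("ts",)}
        b = buckets.get(key)
        if b is None:
            b = buckets[key] = {"start": e["ts"], "count": 0, "common": extras,
                                "sums": dict.fromkeys(SUM_FIELDS, 0)}
        else:                             # drop fields whose value differs
            b["common"] = {k: v for k, v in b["common"].items() if k in extras and extras[k] == v}
        b["count"] += 1
        b["end"] = e["ts"]
        for f in SUM_FIELDS:
            b["sums"][f] += e.get(f, 0)
        if b["count"] >= THRESHOLD:       # threshold reached before the interval ended
            flush(key)
    for key in list(buckets):             # flush what is still open at end of input
        flush(key)
    return out

def sample_events():
    """Constructed firewall-style events (one per second), not real Check Point logs."""
    base = {"name": "accept", "message": "", "transportProtocol": "TCP",
            "destinationAddress": "10.0.0.5", "destinationPort": 443,
            "sourceAddress": "192.0.2.10", "deviceAddress": "10.0.0.1", "deviceAction": "accept"}
    return [dict(base, ts=t, sourcePort=40000 + t, bytesIn=100, bytesOut=50) for t in range(20)]

if __name__ == "__main__":
    for evt in aggregate(sample_events()):
        print(evt)
```

With these constructed events, the per-connection sourcePort is dropped from the aggregated event, while deviceAction, identical in every merged event, is kept because Preserve Common Fields is on.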