2. Subscription Policies


Subscription Policies allow you to ensure consistent configuration of WEC settings across multiple subscriptions (even on different collectors and domains) similar to how Group Policy works in Windows.

Most WEC subscription settings are not directly accessible when you edit a subscription. Instead they are managed by the Subscription Policy assigned to that subscription. You can create and edit Subscription Policies via Settings on the main navbar. Supercharger comes with 2 pre-built subscription policies:

  • Discovered Subscriptions Policy – This is read only policy automatically assigned whenever Supercharger discovers a subscription created outside of WEC. “Enforce WEC settings” is always unchecked on this policy which means that Supercharger makes no Subscription Policy based changes to discovered subscriptions unless you explicitly assign a different policy to the subscription. Other settings like Pruning Old WEC Sources is disabled as well. Basically, Discovered Subscriptions are treated as hands-off by Supercharger until you assign another policy. Health Assessment Basis is Deterministic (for more information see Forwarder Analysis).
  • Default Subscription Policy -  This is the system-wide default subscription policy. Other policies you create start out with all settings simply pointing to this policy. This allows you to “configure by exception”. Use this default policy for all your general settings that should apply to most subscriptions. Then create additional policies for those subscriptions requiring an exception and then only configure those settings that actually need to be different.

Normally, most settings will be left configured to the default settings shown below:

  • Forwarder Analysis
    • Health Assessment Basis - This setting allows you to change the way Supercharger will analyze forwarders that use this subscription policy.  In addition to WEC settings, Subscription Policies also are where you configure health analysis for subscriptions. The health status of a subscription is really all about its forwarders (aka “sources” in WEC) which is described under Forwarder Analysis.
    • Min Percentage Healthy - This setting is a numerical value 0 through 100.  It specifies what health percentage level must be reached when comparing Problem Forwarders to Healthy Forwarders in order for the subscription icon to display green in Supercharger's dashboard.
    • Arbitrary Forwarder Qty - This is the expected forwarder quantity if the Health Assessment Basis setting is set to Arbitrary.  For more information read the "Arbitrary" section under Forwarder Analysis.
    • Days Till Dormant - This specifies how many days pass until a forwarder is listed as Dormant in the Current Forwarders tab of the subscription.
    • Prune WEC Sources - This setting can be enabled or disabled.  The "Days Since Last Heartbeat" can also be set here.  To learn what this setting does please read the Pruning Old WEC Sources KB article.
  • WEC Settings
    • Enforce Wec Settings - Enabling this setting allows Supercharger to make Subscription Policy changes based on discovered subscriptions.
    • Configuration Mode - This is a WEC setting which specifies how to optimize the delivery of collected events.
      • Normal - This option does not conserve bandwidth.  When Normal is selected events are delivered by being pulled 5 items at a time with timeout of 15 minutes.
      • Custom - This setting enables the Heartbeat Interval, Delivery Max Latency Time and Delivery Max Items settings in the box below this setting.
      • MinBandWidth - This option conserves bandwidth.  A push delivery method is used with both a timeout and heartbeat interval of 6 hours.
      • MinLatency - This option is the fastest delivery option for events.  It pushes events every 30 seconds.  This options is recommended for most environments but especially where high priority events are being collected.
    • Custom Configuration Mode Settings
      • Heartbeat Interval - Default value is 3,600,000 milliseconds or 60 minutes. The heartbeat interval specifies how often a forwarder checks in to report that it is active and healthy but has no events to send.
      • Delivery Max Latency Time - Default value is 900,000 milliseconds or 15 minutes. This setting configures how long a forwarder will keep an event before it sends it to the collector.
      • Delivery Max Items - Default value is 50,000 items.  This setting specifies how many events are batched together before being sent to the collector.
        • For example, the default values listed above would create a situation where either 50,000 events are available to send or 15 minutes is reached.  Which ever value is reached first will cause the events to be send from the forwarder to the collector.
    • Other WEC Settings
      • Ignore No Heartbeat (Hrs) - This setting specifies how many hours can pass until a forwarder is considered Ignored.
      • Content Format - Default and recommended value is RenderedText. This setting specifies how events are formatted.  
      • Locale - This setting is a language/country culture identifier.
      • Read Existing Events - If turned on, when forwarders subscribe to the subscription, they will send all matching existing events to the collector.

