TCP data input configuration fields

  • Release version: Xanadu
  • Updated August 1, 2024
    Description of the fields on the TCP data input configuration form.

    Basic configuration

    | Field | Description |
    | --- | --- |
    | Name | Name of the new data input. This field is required. |
    | Description | Description of the data input. |
    | Port | The port for the MID Server. Select a unique port from the array. The placeholder shows the range of ports from which to choose. Make sure that your organization's security team opens the selected port. This field is required. |
    | MID | The MID Server to which the logs are streamed. This field is required. Note: You can select only MID Servers with log ingestion capability that support basic authentication; MID Servers that support mTLS are not listed. The default maximum number of data inputs streaming logs to a single MID Server is 10; you can modify this number in the MID Server properties. |
    | Service instance | The service instance to which to bind the log data. This field is required. Note: If no relevant service instance exists, create a service instance and add CIs to it. Set the status of the new service instance to Operational. |

    The following fields show read-only information:

    | Field | Description |
    | --- | --- |
    | Status | Status of the data input. |
    | Transport | Protocol used to send the log data. Rsyslog and Splunk send data using the TCP protocol. |
    | Sources count | The number of log sources this data input has created. |
    | Disabled since | The time when the data input stopped or failed. |
    | Last log time | The time when the last log streamed in the data input. |
    | Error message | The streaming error. This field is populated automatically. It displays only when a streaming error has occurred. |

    Advanced configuration

    Table 1. Advanced configuration form
    | Field | Description | Default value |
    | --- | --- | --- |
    | Use SSL/TLS | Option for selecting to use SSL/TLS. | |
    | Look up hostnames | Option for selecting to perform DNS lookup to resolve IPs to hostnames. | false |
    | Boss thread count | The number of threads that manage connections. | 1 |
    | Worker thread count | The number of threads that handle incoming data. | 4 |
    | Read timeout seconds | The timeout in seconds since the last read. When the timeout expires, the system closes the channel. | 30 |
    | Default timezone | The default time zone of events. The system uses this default when the log does not specify a time zone. | GMT |
    | Sub sample drop ratio | The ratio of events to drop. | -1 |
    | Sub sample receive ratio | The ratio of events to receive. | -1 |
    | Max length in bytes | The maximum length of log messages in bytes. | 32766 |
    | Character encoding | The character encoding for this data input. | UTF-8 |
    | Drop if queue is full | Option for selecting to discard logs if there is a load on the MID Server. | |
    | Line breaker delimiters | The line break character separating the raw log lines. Splitting values must be separated by a comma followed by a space: ", ". For example: "\r, \n, , splitHere, #". | |
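
A sender-side pre-flight check for the Max length in bytes, Character encoding and Line breaker delimiters settings, as an added example that is not ServiceNow code. It flags events that exceed the byte limit or contain a configured line breaker, since either changes how the event arrives as a log record. The function names are hypothetical, and two behaviours are assumed rather than documented here: that \r and \n in the field stand for control characters, and that empty entries in the delimiter list are ignored.

```python
# Added example: check outgoing log events against a TCP data input's settings.
# Assumptions (not documented on the page): \r, \n and \t in the field denote
# control characters, and empty entries in the delimiter list are ignored.

ESCAPES = {"\\r": "\r", "\\n": "\n", "\\t": "\t"}


def parse_delimiters(field_value):
    """Split the 'Line breaker delimiters' value on ', ' as the form requires."""
    tokens = field_value.split(", ")
    return [ESCAPES.get(tok, tok) for tok in tokens if tok != ""]


def check_event(event, delimiters, max_length=32766, encoding="UTF-8"):
    """Return the reasons this event would not arrive as one intact record."""
    try:
        size = len(event.encode(encoding))  # the limit is in bytes, not characters
    except UnicodeEncodeError:
        return ["not encodable as " + encoding]
    problems = []
    if size > max_length:
        problems.append("exceeds max length: %d > %d bytes" % (size, max_length))
    for delim in delimiters:
        if delim in event:  # an embedded line breaker splits the event in two
            problems.append("contains line breaker %r" % delim)
    return problems


def frame(events, delimiters, terminator="\n", max_length=32766, encoding="UTF-8"):
    """Build the byte stream to send; hold back events that fail check_event."""
    if terminator not in delimiters:
        raise ValueError("terminator is not a configured line breaker")
    accepted, rejected = [], []
    for index, event in enumerate(events):
        problems = check_event(event, delimiters, max_length, encoding)
        if problems:
            rejected.append((index, problems))
        else:
            accepted.append(event)
    payload = "".join(ev + terminator for ev in accepted).encode(encoding)
    return payload, rejected


if __name__ == "__main__":
    delims = parse_delimiters("\\r, \\n, , splitHere, #")  # example value from the page
    sample = ["sshd[811]: session opened for user alice",  # constructed log lines
              "app: step one splitHere step two",
              "\u00e9" * 20000]  # 20000 characters, 40000 bytes in UTF-8
    payload, rejected = frame(sample, delims)
    print(len(payload), rejected)
```
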