we are in the process of replacing the following hardware within our SIEM environment because they are going to become end of life end of this year.
The appliance are: ERC, APM, ACE, DSM
My question is, what is the process that needs to be followed to replace these appliances without losing data or configuration that is store on these appliance? This is going to be one for one swap but the new appliance will have a new hardware (Gen 4). The appliance we are replacing it with will contain the same software version 10.1.1 and the same network settings (example: IP, NetMask, etc).
thank you for your help in advance
As long as you give the new appliances the same IP Address, all you have to do is take down the old appliance, connect up the new appliance, re-key it, upgrade it to the same version you are on, write any data sources and VM info from ERC, write databases on the DSM, write the correlation engines on the ACE, then rollout policy.
The configuration for the appliances is kept on the ESM.
Don't forget to enable Ping once you are keyed, if you are used to being able to get ping replies from your equipment.
We have replaced almost all of our old Gen3 equipment over the past 2+ years (ESM, ELM, ACE, APM, DSM, 10 ERC's)
What about the old system settings/configurations and data? Since new and old devices are different model, so I assume you can't do a full backup and restore onto the new device, since backup/restore is model dependent? Or should the subsidiary devices get swapped out first, and then do the ESM last? Maybe there is a device refresh guide that I haven't seen yet.
I agree with you. if we are going to replace the receiver and re-key it, would there need to be some type of steps afterward to import the configuration from the old receiver to the new one since this will be a new entry within SIEM?
The "settings" for a Receiver are stored on the ESM, as long as you give a replacement Receiver the same IP, you Key it, write the Data Sources, VA info, and push policy. You do not have to export / import anything.
As for the ESM, we setup a Primary / Redundant relationship between our X3 and X6, once everything was sync'd we made the X6 the primary and took the X3 offline. Best bet is to open a ticket with support ahead of time, see what they have to say, and keep it open until you are done.
So, you are saying leave the ETMs to last, replace the ERC, ELM, ACE first via re-key. But what are you going to do with the ETMs? Also, I believe you can only do primary/redundant with same models of ETMs, or is that a myth? Fail-over to redundant as primary, replace the old-primary and fail-back and then replace the redundant?
You don't have to leave your ESM's till last, we did ours in about the middle, depends on if you have budget money to purchase everything at once, or if you have to spread your purchases over multiple quarters / years as we had to.
You can do Primary / Redundant with dissimilar hardware, when going from smaller to larger anyway. Where you may run in to problems is if you tried to go from larger to smaller, as the sync process tries to sync drive to drive. So if the Primary has larger drives than the Redundant their may be issues during the sync, or so I've heard.