cancel
Showing results for 
Search instead for 
Did you mean: 

Receivers as a load balancer rather than in HA

can anyone tell me how to configure two receivers as a load balancer because i have more than 1000 devices in a single receiver and i want to share it with two receiver to balance the receiver load.

9 Replies
sssyyy
Level 12
Report Inappropriate Content
Message 2 of 10

Re: Receivers as a load balancer rather than in HA

don't think you can LB them.

Re: Receivers as a load balancer rather than in HA

so what can i do if i have more devices on single receiver

sssyyy
Level 12
Report Inappropriate Content
Message 4 of 10

Re: Receivers as a load balancer rather than in HA

How many data sources do you have? You can potentially have more by using parent and child i think.

Re: Receivers as a load balancer rather than in HA

i have more than 1700 devices in single reciever.

sssyyy
Level 12
Report Inappropriate Content
Message 6 of 10

Re: Receivers as a load balancer rather than in HA

Can't really remember the exact max # of data sources you can have on a ERC. but use parent/child if you want more than that.

Re: Receivers as a load balancer rather than in HA

Documentation says maximum number for the higher end receivers is 2000 in the latest releases. But clients don't count. So you might be able to have 2000 parent data sources and each one have 256 clients. It must be clients. Child data sources count as a regular data source and don't help.

Re: Receivers as a load balancer rather than in HA

An ERC can have any combination of up to 2000 parent and child data source, and a parent data source can have up to 32766 client data sources. However ,you do not want to configure an ERC with 65.5M data sources - I recommend no more than 3K-4K. More than that will function, but doing so may come with performance and recovery challenges that can include:

  • Each parent or child data source uses a single thread, while client data sources share the parent thread, and in the event of an EPS spike on a client, the parsing for all clients under the parent may get behind.
  • Rollout times can greatly increase due to the large size of the Policy.
  • For a given EPS, ESM performance can be impacted by using a few ERCs with a lot of data sources on each vs. more ERCs with fewer data sources on each.
  • Parsers that use large PCRE strings (Cisco or Snare) use a lot of resources, meaning that a single Cisco parent with a lot of clients may get behind.
  • Blooming occurs on the ERC, so the more data sources on the ERC the greater the overhead.

Hope this helps!

Re: Receivers as a load balancer rather than in HA

but what if my receiver eps exceeds from its capacity?? how can i manage it.

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 10

Re: Receivers as a load balancer rather than in HA

Some of the ways you can address the issue of consistently exceeding the EPS rating of an ERC are to:

  • Use ERC filters to discard events for which parsing has been deemed unnecessary.
  • Reduce the logging level at the data source.
  • Reduce the number of event types sent by the data source.
  • Add one or more additional ERCs and distribute the EPS evenly across all ERCs.

Hope this helps!.