Hi, hope someone could help me on this.
I have 2 x ESM 5600, 4 x ERC 2600, 2 x ELM 4600, and ACE, DSM, APM x1 each. Would you be able to give me design ideas to get 100% out of all the equipment, with HA?

- 1 5600 as Primary ESM (Active) | can only do manual fail-over
- 2 ERCs as Single HA Pair | automatic fail-over between ERCs
- 1 ELM as Primary (Active) | can only do manual fail-over
- 1 ACE in Real Time mode (I would suggest to get another ACE and place it at DR site)
- 1 APM
- 1 DSM
DR Site / CoLo
- 1 5600 as Redundant ESM (Passive/Standby) (in sync with Primary ESM)
- 2 ERCs as Single HA Pair (assuming you are collecting logs at this data centre as well)
- 1 ELM as Redundant
Hope this helps...

Thanks, my initial thought was something like that, but I have some issues. Would you be able to explain further "2 ERCs as Single HA Pair | automatic fail-over between ERCs"? And for the ELM, could we use the Redundant one for searches, rather than having it sit as Passive until DR? Is it possible to use the device while it stays in its main role as Redundant? Also, yes, I want to utilise all 4 ERCs as much as possible. Is it possible to create an ERC cluster?

You cannot use "standby" devices configured as Redundant or HA, with the exception of ESM (feature introduced in 9.6).
ERC Pair: It actually works as cluster, but more like Active/Passive. So, no Active/Active cluster.
Redundant ESM: You can use it to run Queries, but that's the ONLY task you can do on it.
Redundant ELM: It sits in standby mode until you fail-over.

As mentioned by "Syed_Rizvi" above and as previously discussed onsite, Oswaldd, you cannot create HA SIEM Event Receivers across sites, but rather HA onsite only, through direct-connection Ethernet cables to a maximum of 100 meters.