oswaldd
Level 7

SIEM Design

Hi, hope someone could help me on this.

I have 2 x ESM 5600, 4 x ERC 2600, 2 x ELM 4600, and ACE, DSM, APM x1 each. Would you be able to give me design ideas to get 100% out of all the equipment, with HA?

9 Replies
Peacekeeper
Level 20

Re: SIEM Design

Moved to SIEM group for a better chance of assistance as other forum was mainly for consumer products.

syed_rizvi
Level 10

Re: SIEM Design

Need more clarification; however, assuming you have a DR/CoLo site, this is how I would design it...

Primary Site

- 1 5600 as Primary ESM (Active) | can only do manual fail-over

- 2 ERCs as Single HA Pair | automatic fail-over between ERCs

- 1 ELM as Primary (Active) | can only do manual fail-over

- 1 ACE in Real Time mode (I would suggest to get another ACE and place it at DR site)

- 1 APM

- 1 DSM

DR Site / CoLo

- 1 5600 as Redundant ESM (Passive/Standby)(in-sync with Primary ESM)

- 2 ERCs as Single HA Pair (assuming you are collecting logs at this data centre as well)

- 1 ELM as Redundant

Hope this helps...

oswaldd
Level 7

Re: SIEM Design

Hi Syed,

Thanks, my initial thought was something like that, but I have some issues. Would you be able to explain further "2 ERCs as Single HA Pair | automatic fail-over between ERCs" and the ELM: could we use the Redundant one for searches, rather than having it sit as Passive until DR? Is it possible to use the device while keeping its main role as Redundant? Also, yes, I want to utilise all 4 ERCs as much as possible. Is it possible to create an ERC cluster?

xded
Level 12

Re: SIEM Design

Build a cluster from each 2 ERCs; this is a Single HA Pair =). Maybe take a look at the ESM documentation on page 72.

syed_rizvi
Level 10

Re: SIEM Design

You cannot use "standby" devices configured as Redundant or HA, with the exception of ESM (feature introduced in 9.6).

ERC Pair: It actually works as cluster, but more like Active/Passive. So, no Active/Active cluster.

Redundant ESM: You can use it to run Queries, but that's the ONLY task you can do on it.

Redundant ELM: It sits in standby mode until you fail-over.

oswaldd
Level 7

Re: SIEM Design

So would you be able to clarify this please:

Can I set up two ERCs at one data centre as separate receivers and put the HA receivers in a secondary data centre?

xded
Level 12

Re: SIEM Design

I'm not sure about that, but I think this isn't possible because it needs a direct connection between the cluster members.

syed_rizvi
Level 10

Re: SIEM Design

No, as said. In HA mode, the IPMI and heartbeat cables between the two ERCs need to be connected directly.

mdarman
Level 7

Re: SIEM Design

As mentioned by "Syed_Rizvi" above and previously discussed onsite, Oswaldd, you cannot create HA SIEM Event Receivers across sites, but rather HA on-site only, through direct-connection Ethernet cables to a maximum of 100 metres.

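The placement rules the replies above converge on (an ERC HA pair is active/passive and must be directly cabled within one site; a redundant ESM is a manual-fail-over standby that can only run queries; a redundant ELM is pure standby) are easy to get wrong when shuffling boxes between two data centres. Below is an added example, not from this thread or from McAfee, of a small inventory checker that encodes those rules and scores the thread's 2 x ESM, 4 x ERC, 2 x ELM, 1 x ACE/APM/DSM layout. The `Device` model, site names, cable lengths and device names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical placement checker (added example). The rules encoded here are
# the ones stated in the thread; the data model is an assumption.
MAX_HA_CABLE_M = 100  # direct-connection cabling limit quoted in the thread


@dataclass
class Device:
    name: str
    kind: str                      # "ESM", "ERC", "ELM", "ACE", "APM", "DSM"
    site: str
    role: str = "primary"          # "primary" | "redundant" | "ha_member"
    ha_peer: Optional[str] = None  # other member of the HA pair, if ha_member
    cable_m: Optional[int] = None  # length of the direct HA cabling, if ha_member


def validate(devices: List[Device]) -> List[str]:
    """Return placement problems; an empty list means the layout is consistent."""
    by_name = {d.name: d for d in devices}
    problems: List[str] = []
    for d in devices:
        if d.role == "ha_member":
            if d.kind != "ERC":
                problems.append(f"{d.name}: HA pairing is only available for ERCs")
                continue
            peer = by_name.get(d.ha_peer or "")
            if peer is None:
                problems.append(f"{d.name}: HA peer {d.ha_peer!r} is not in the inventory")
                continue
            if peer.ha_peer != d.name:
                problems.append(f"{d.name}: peer {peer.name} does not point back to it")
            # Pair-level check, reported once per pair.
            if d.name < peer.name and peer.site != d.site:
                problems.append(
                    f"{d.name}/{peer.name}: HA pair split across sites {d.site}/{peer.site}; "
                    "direct IPMI and heartbeat cabling is required"
                )
            if d.cable_m is None or d.cable_m > MAX_HA_CABLE_M:
                problems.append(
                    f"{d.name}: HA cabling {d.cable_m} m exceeds the "
                    f"{MAX_HA_CABLE_M} m direct-connection limit"
                )
        elif d.role == "redundant":
            if d.kind not in ("ESM", "ELM"):
                problems.append(f"{d.name}: redundant role is only described for ESM and ELM")
            primaries = [p for p in devices if p.kind == d.kind and p.role == "primary"]
            if not primaries:
                problems.append(f"{d.name}: redundant {d.kind} has no primary to stand in for")
            elif all(p.site == d.site for p in primaries):
                problems.append(
                    f"{d.name}: redundant {d.kind} sits in the same site as its primary, "
                    "so it gives no site-level DR"
                )
    return problems


def capacity(devices: List[Device]) -> Dict[str, Dict[str, int]]:
    """Per appliance kind: units actively processing data vs. standby.
    Each ERC HA pair is one active + one passive; a redundant ESM counts as
    standby even though it can run queries."""
    out: Dict[str, Dict[str, int]] = {}
    ha_members: Dict[str, int] = {}
    for d in devices:
        slot = out.setdefault(d.kind, {"active": 0, "standby": 0})
        if d.role == "primary":
            slot["active"] += 1
        elif d.role == "redundant":
            slot["standby"] += 1
        else:
            ha_members[d.kind] = ha_members.get(d.kind, 0) + 1
    for kind, n in ha_members.items():
        out[kind]["active"] += n // 2
        out[kind]["standby"] += n - n // 2
    return out


# Constructed inventory: the poster's kit placed as syed_rizvi's reply suggests.
PROPOSED = [
    Device("esm-1", "ESM", "dc1"),
    Device("esm-2", "ESM", "dc2", role="redundant"),
    Device("erc-1", "ERC", "dc1", "ha_member", "erc-2", 5),
    Device("erc-2", "ERC", "dc1", "ha_member", "erc-1", 5),
    Device("erc-3", "ERC", "dc2", "ha_member", "erc-4", 5),
    Device("erc-4", "ERC", "dc2", "ha_member", "erc-3", 5),
    Device("elm-1", "ELM", "dc1"),
    Device("elm-2", "ELM", "dc2", role="redundant"),
    Device("ace-1", "ACE", "dc1"),
    Device("apm-1", "APM", "dc1"),
    Device("dsm-1", "DSM", "dc1"),
]

# The layout the poster asked about later: HA partner in the other data centre.
SPLIT = [
    Device("erc-1", "ERC", "dc1", "ha_member", "erc-3", 20000),
    Device("erc-3", "ERC", "dc2", "ha_member", "erc-1", 20000),
]

if __name__ == "__main__":
    for label, layout in (("proposed", PROPOSED), ("split", SPLIT)):
        print(label, validate(layout) or "OK", capacity(layout))
```

Running it shows the proposed layout passing with 2 of 4 ERCs active (the other two are the passive HA members), while the cross-site variant is rejected for both the site split and the cable length.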