Moved to SIEM group for a better chance of assistance, as the other forum was mainly for consumer products.
oswaldd, I need more clarification; however, assuming you have a DR/CoLo site, this is how I would design it...
- 1 5600 as Primary ESM (Active) | can only do manual fail-over
- 2 ERCs as Single HA Pair | automatic fail-over between ERCs
- 1 ELM as Primary (Active) | can only do manual fail-over
- 1 ACE in Real Time mode (I would suggest to get another ACE and place it at DR site)
- 1 APM
- 1 DSM
DR Site / CoLo
- 1 5600 as Redundant ESM (Passive/Standby)(in-sync with Primary ESM)
- 2 ERCs as Single HA Pair (assuming you are collecting logs at this data centre as well)
- 1 ELM as Redundant
Hope this helps...
Thanks, my initial thought was something like that, but I have some issues. Would you be able to explain further "2 ERCs as Single HA Pair | automatic fail-over between ERCs"? And for the ELM, could we use the Redundant for searches rather than it sitting as Passive until DR? Is it possible to use the device while it stays in its main role as Redundant? Also, yes, I want to utilise all 4 ERCs as much as possible. Is it possible to create an ERC cluster?
For each 2 ERCs, build a cluster; this is a Single HA Pair =). Maybe take a look at the ESM documentation on page 72.
You cannot use "standby" devices configured as Redundant or HA, with the exception of ESM (feature introduced in 9.6).
ERC Pair: It actually works as cluster, but more like Active/Passive. So, no Active/Active cluster.
Redundant ESM: You can use it to run Queries, but that's the ONLY task you can do on it.
Redundant ELM: It sits in standby mode until you fail-over.
So would you be able to clarify this, please:
Can I set up two ERCs at one data center as separate receivers and put the HA receivers in the secondary data center?
I'm not sure about that, but I think this isn't possible because the connection needs a direct connection between the Cluster.
As mentioned by "Syed_Rizvi" above and previously discussed onsite, Oswaldd, you cannot create HA SIEM Event Receivers across sites, but rather HA onsite only, through direct-connection Ethernet cables to a maximum of 100 meters.