9 Replies Latest reply on Aug 25, 2016 12:36 AM by mdarman

    SIEM Design

    oswaldd

      Hi, hope someone could help me on this,


      I have 2 x ESM 5600, 4 x ERC 2600, 2 x ELM 4600, and one each of ACE, DSM and APM. Would you be able to give me design ideas to get 100% out of all the equipment, with HA?

        • 1. Re: SIEM Design
          Peacekeeper

          Moved to SIEM group for a better chance of assistance as other forum was mainly for consumer products.

          • 2. Re: SIEM Design
            syed_rizvi

            oswaldd, I need more clarification; however, assuming you have a DR/CoLo site, this is how I would design it...


            Primary Site

            - 1 5600 as Primary ESM (Active) | can only do manual fail-over

            - 2 ERCs as Single HA Pair | automatic fail-over between ERCs

            - 1 ELM as Primary (Active) | can only do manual fail-over

            - 1 ACE in Real Time mode (I would suggest to get another ACE and place it at DR site)

            - 1 APM

            - 1 DSM


            DR Site / CoLo

            - 1 5600 as Redundant ESM (Passive/Standby)(in-sync with Primary ESM)

            - 2 ERCs as Single HA Pair (assuming you are collecting logs at this data centre as well)

            - 1 ELM as Redundant


            Hope this helps...

            • 3. Re: SIEM Design
              oswaldd

              Hi Syed,


              Thanks, my initial thought was something like that, but I have some issues. Would you be able to explain further "2 ERCs as Single HA Pair | automatic fail-over between ERCs"? And for the ELM, could we use the Redundant one for searches, rather than it sitting as Passive until DR? Is it possible to use the device while it stays in its main role as Redundant? Also, yes, I want to utilise all 4 ERCs as much as possible. Is it possible to create an ERC cluster?

              • 4. Re: SIEM Design
                xded

                Build a cluster for each 2 ERCs; this is a Single HA Pair =). Maybe take a look at the ESM documentation on page 72.

                • 5. Re: SIEM Design
                  syed_rizvi

                  You cannot use "standby" devices configured as Redundant or HA, with the exception of the ESM (feature introduced in 9.6).


                  ERC Pair: It actually works as cluster, but more like Active/Passive. So, no Active/Active cluster.

                  Redundant ESM: You can use it to run Queries, but that's the ONLY task you can do on it.

                  Redundant ELM: It sits in standby mode until you fail-over.

                  • 6. Re: SIEM Design
                    oswaldd

                    So would you be able to clarify this please,

                    Can I set up two ERCs at one data center as separate receivers and put the HA receivers in a secondary data center?

                    • 7. Re: SIEM Design
                      xded

                      I'm not sure about that, but I think this isn't possible because the connection needs to be a direct connection between the cluster members.

                      • 8. Re: SIEM Design
                        syed_rizvi

                        No, as xded said. In HA mode, the IPMI & Heartbeat cables between the two ERCs need to be connected directly.

                        • 9. Re: SIEM Design
                          mdarman

                          As mentioned by "Syed_Rizvi" above and previously discussed onsite, Oswaldd, you cannot create HA SIEM Event Receivers across sites, but rather HA onsite only, through directly connected Ethernet cables to a maximum of 100 meters.