9 Replies Latest reply on Aug 25, 2016 12:36 AM by mdarman

    SIEM Design


      Hi, hope someone could help me on this,


      I have 2 x ESM 5600, 4 x ERC 2600, 2 x ELM 4600, and one each of ACE, DSM and APM. Would you be able to give me design ideas to get 100% out of all the equipment, with HA?

        • 1. Re: SIEM Design

          Moved to SIEM group for a better chance of assistance as other forum was mainly for consumer products.

          • 2. Re: SIEM Design

            oswaldd, I need more clarification; however, assuming you have a DR/CoLo site, this is how I would design it...


            Primary Site

            - 1 5600 as Primary ESM (Active) | can only do manual fail-over

            - 2 ERCs as Single HA Pair | automatic fail-over between ERCs

            - 1 ELM as Primary (Active) | can only do manual fail-over

            - 1 ACE in Real Time mode (I would suggest to get another ACE and place it at DR site)

            - 1 APM

            - 1 DSM


            DR Site / CoLo

            - 1 5600 as Redundant ESM (Passive/Standby)(in-sync with Primary ESM)

            - 2 ERCs as Single HA Pair (assuming you are collecting logs at this data centre as well)

            - 1 ELM as Redundant


            Hope this helps...

            • 3. Re: SIEM Design

              Hi Syed,


              Thanks, my initial thought was something like that, but I have some issues. Would you be able to explain further "2 ERCs as Single HA Pair | automatic fail-over between ERCs" and the ELM? Could we use the Redundant for searches, rather than sitting as Passive until DR? Is it possible to use the device while it keeps its main role as Redundant? Also, yes, I want to utilise all 4 ERCs as much as possible. Is it possible to create an ERC cluster?

              • 4. Re: SIEM Design

                Build a cluster for each 2 ERCs; this is a Single HA Pair =). Maybe take a look at the ESM documentation on page 72.

                • 5. Re: SIEM Design

                  You cannot use "standby" devices configured as Redundant or HA, with the exception of ESM (feature introduced in 9.6).


                  ERC Pair: It actually works as a cluster, but more like Active/Passive. So, no Active/Active cluster.

                  Redundant ESM: You can use it to run Queries, but that's the ONLY task you can do on it.

                  Redundant ELM: It sits in standby mode until you fail-over.

                  • 6. Re: SIEM Design

                    So would you be able to clarify this please:

                    Can I set up two ERCs at one data center as separate receivers and put the HA receivers in a secondary data center?

                    • 7. Re: SIEM Design

                      I'm not sure about that, but I think this isn't possible because the connection needs to be a direct connection between the cluster members.

                      • 8. Re: SIEM Design

                        No, as xded said. In HA mode, the IPMI & Heartbeat cables between the two ERCs need to be connected directly.

                        • 9. Re: SIEM Design

                          As mentioned by "Syed_Rizvi" above and previously discussed onsite, Oswaldd, you cannot create HA SIEM Event Receivers across sites, but rather HA onsite only, through direct-connection Ethernet cables to a maximum of 100 meters.
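The replies above add up to a small set of placement rules: an ERC HA pair is an Active/Passive cluster whose members are joined by direct IPMI and heartbeat cables (so both members sit on the same site, within 100 metres), a Redundant ESM or ELM is a standby copy of exactly one Primary, and nothing else in the inventory gets HA. The script below is an added example, not part of the thread and not vendor tooling: it encodes those rules as a design check and runs it against two constructed placements, the one Syed proposed in reply 2 and the cross-site pairing asked about in reply 6. The data model, the site names, the 40 km site distance and the rule wording are assumptions made for the example.

```python
"""Check a SIEM appliance placement against the HA rules stated in the thread.
Added example (not vendor code); the data model, sample designs and distances
are constructed assumptions drawn only from the posts above."""
from dataclasses import dataclass
from typing import Optional

MAX_HA_CABLE_M = 100  # direct heartbeat/IPMI cable limit quoted in reply 9


@dataclass(frozen=True)
class Appliance:
    name: str
    kind: str                    # "ESM", "ERC", "ELM", "ACE", "APM", "DSM"
    site: str
    role: str                    # "primary", "redundant", "ha", "standalone"
    partner: Optional[str] = None  # HA partner name (ERC pairs only)


def validate_design(appliances, site_distance_m):
    """Return a list of rule violations; an empty list means the design passes.

    site_distance_m maps frozenset({site_a, site_b}) to the cable run in
    metres between two sites; same-site runs are assumed to be within limit."""
    by_name = {a.name: a for a in appliances}
    findings = []

    # Rule 1 (replies 5, 7, 8, 9): an ERC HA pair is Active/Passive and the two
    # members are cabled directly, so they must be on one site, <= 100 m apart.
    for a in appliances:
        if a.kind != "ERC" or a.role != "ha":
            continue
        p = by_name.get(a.partner)
        if p is None or p.kind != "ERC" or p.role != "ha" or p.partner != a.name:
            findings.append(f"{a.name}: HA partner {a.partner!r} is not a valid ERC pair member")
            continue
        if a.name < p.name:  # report each pair once
            dist = 0 if a.site == p.site else site_distance_m.get(
                frozenset({a.site, p.site}), float("inf"))
            if dist > MAX_HA_CABLE_M:
                findings.append(
                    f"ERC HA pair {a.name}/{p.name}: {dist} m exceeds the "
                    f"{MAX_HA_CABLE_M} m direct-cable limit (pair must be on one site)")

    # Rule 2 (replies 2, 5): a Redundant ESM/ELM is a standby of exactly one
    # Primary (the Redundant ESM may run queries, the Redundant ELM only waits).
    for kind in ("ESM", "ELM"):
        primaries = [a for a in appliances if a.kind == kind and a.role == "primary"]
        redundants = [a for a in appliances if a.kind == kind and a.role == "redundant"]
        if redundants and len(primaries) != 1:
            findings.append(f"{kind}: {len(redundants)} redundant unit(s) but "
                            f"{len(primaries)} primary")

    # Rule 3: an ERC is either a standalone collector or a member of a pair.
    for a in appliances:
        if a.kind == "ERC" and a.role not in ("ha", "standalone"):
            findings.append(f"{a.name}: ERC role {a.role!r} is not supported")
    return findings


def active_collectors(appliances):
    """Number of ERCs processing events at once: a pair is Active/Passive, so
    it counts once; each standalone ERC counts on its own."""
    seen, count = set(), 0
    for a in appliances:
        if a.kind != "ERC":
            continue
        if a.role == "standalone":
            count += 1
        elif a.role == "ha":
            key = frozenset({a.name, a.partner})
            if key not in seen:
                seen.add(key)
                count += 1
    return count


# Constructed: DC1 is the primary site, DR the CoLo; assumed 40 km apart.
SITE_DISTANCE_M = {frozenset({"DC1", "DR"}): 40_000}

# Constructed placement following reply 2 (two same-site ERC pairs).
PROPOSED_DESIGN = [
    Appliance("ESM-1", "ESM", "DC1", "primary"),
    Appliance("ESM-2", "ESM", "DR", "redundant"),
    Appliance("ERC-1", "ERC", "DC1", "ha", partner="ERC-2"),
    Appliance("ERC-2", "ERC", "DC1", "ha", partner="ERC-1"),
    Appliance("ERC-3", "ERC", "DR", "ha", partner="ERC-4"),
    Appliance("ERC-4", "ERC", "DR", "ha", partner="ERC-3"),
    Appliance("ELM-1", "ELM", "DC1", "primary"),
    Appliance("ELM-2", "ELM", "DR", "redundant"),
    Appliance("ACE-1", "ACE", "DC1", "standalone"),
    Appliance("APM-1", "APM", "DC1", "standalone"),
    Appliance("DSM-1", "DSM", "DC1", "standalone"),
]

# Constructed placement for the question in reply 6: pairs split across sites.
CROSS_SITE_DESIGN = [a for a in PROPOSED_DESIGN if a.kind != "ERC"] + [
    Appliance("ERC-1", "ERC", "DC1", "ha", partner="ERC-3"),
    Appliance("ERC-2", "ERC", "DC1", "ha", partner="ERC-4"),
    Appliance("ERC-3", "ERC", "DR", "ha", partner="ERC-1"),
    Appliance("ERC-4", "ERC", "DR", "ha", partner="ERC-2"),
]

if __name__ == "__main__":
    for label, design in (("proposed", PROPOSED_DESIGN), ("cross-site", CROSS_SITE_DESIGN)):
        print(f"{label}: {active_collectors(design)} active collector(s)")
        for f in validate_design(design, SITE_DISTANCE_M) or ["no violations"]:
            print("  -", f)
```

Both placements use all four receivers, but neither gives four active collectors: the Active/Passive nature of the pair means the proposed design has two collecting ERCs and two standbys, and the cross-site variant is simply rejected by the cable-distance rule.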