ArcSight Loadbalancer limits

 

Hi All,

I am implementing the arcsight connector loadbalancer. Though I am unabale to find the limitations of the loadbalancer. Can anyone point me to where I might be able to find the info on the arcsight limitations?

I am specifically looking for the max conectors allowed per cluster and maximum clusters per load balancer?

Thank you,

 

T

  • Your best bet for something that specific is going to be - Professional Services at HPe via your Account Team 

    or

    Open a Support Request - "asking for Best Practices or guidance on Product limits" -- that will get it to either HPe Professional Services or the Product team internally for an answser 

     

    but that is the best course of action - 

     

    Example - Windows Unified Connector - Best Practice "40 servers per WUC" == relaity = if all servers are the same OS = with similar load - you can go to "80 to 100 Servers per WUC"

     

    there are a lot of variables to consider when dealing with each individual organization - and the documented stance is typically - this is best for all aka "everyone is the same snowflake"

  • I'm running a pair of load balancers collecting UDP Syslog from 270 Fortinet firewalls.  Max EPS I've seen is 47K.  I it's normally collecting between 30-40K.  Hope that helps.

  • There are no specific limits as such - so no fixed guidance around "you can only get x EPS" or something like that. It is utterly dependent on a number of factors:

    1) Type of connection - UDP is way more efficient than TCP and if you do use TCP for syslog, you will get to the upper limits on the processing quite quickly. There are a lot of options in the properties file, so you can adjust things, but be careful.

    2) Size of events - this does seem to have an impact and the bigger the events the more resources needed

    3) Memory available for the load balancer software - CPU does make a difference, but the process itself is quite intense around memory usage (remember each decision, track it and so on), so more memory is good. Standard specs are quite high, so go higher on RAM.

    4) There is no maximum number of connections - again, nothing is set here, but I have seen 1000's of separate connections for this. But its a UDP vs TCP thing again. UDP isnt connection based, so it doesnt matter. But if you are using TCP, be aware that you will get a fraction of the throughput.

    5) Maximum number of nodes in the load balancer - seen some experiments from customers and 2 is the minimum, but going to say 3 or 4 is better. So make sure you can balance things out. Its a load balancer though, not a cooperative cluster, so more than 5-6 nodes will not incrementally make a massive difference.

    6) Routing decisions - I have seen some complex decisions, which does work, but this increases the time needed for processing. Simple decisions are good - and I dont see much difference between round robin vs load based decisions. So go with the better one for you, round robin isnt great though.

    Some basic stuff though - hope this helps.

  • After checking the ./current/config/lbConfig.xml.template. the udp.consumer.threads is set as follows:

    <globalParameters>
    <properties>
    <property key="udp.consumer.threads" value="#" />
    </properties>
    </globalParameters >

    This is at the end of the file before </lbConfiguration>

  • Also to be more specific the load balancer configuration file is under ./current/user/loadbalancer/lbConfig.xml

    The template of all the parameters is under ./current/config/lbConfig.xml.template