We have a setup as follows:
1 ESM, 2 Logger appliances (no peering), 2 connector servers on Windows, configured in a cluster without using shared storage.
We have installed the Windows Unified Event Connector, Syslog Event Connectors, and Check Point Event Connectors on both of the Windows machines that are our connector servers. There are 3 destinations configured (1 ESM and 2 Logger appliances).
The issue we are facing is achieving high availability for the connector servers without duplication of events. The options we are evaluating are below:
1. Re-install the connector servers with the RHEL 6.5 64-bit OS (no shared storage), so that we can configure automatic failover for the connector servers.
2. Have shared storage and re-install the pull-mode connectors (Windows Unified and Check Point) on the shared space.
3. Use the execute-command option as a rule action from ESM to pause one connector. This way the event flow to ESM would be stopped. We will keep the cache size at zero, so that no events are cached and the events are dropped on this connector. When there is a scenario of Connector 1 going down, the rule would automatically execute a connector command to start the paused connector. As there are no cached events, the connector would only forward the real-time events it receives, hence there would be no duplication.
The QUESTION IS: will pausing a connector from ESM also pause the events it sends to the Logger destinations? Highly unlikely, but still I am asking for your expert opinions. Thank you for your help.