Captain

Arcsight ESM mode explanation

Hello Everyone,

I am new to the ArcSight platform, and I have a question about the meaning of the ESM modes. I am just confused between compact, high availability, and distributed mode.

Kindly, if anyone can answer my question, thank you in advance.

Regards


Accepted Solutions
Micro Focus Frequent Contributor

Hi @agyassine 

There are two main modes for ESM: Compact and Distributed.

High Availability is not a mode but an additional feature that can be applied to both a Compact and a Distributed installation.

A Compact installation of ESM will have all components installed on the same host (virtual or physical). This means the ESM database, rule correlation, rule aggregation and everything else that occurs within ESM happens on the same host. This type of setup has been the standard setup in past versions of ESM and is also better for smaller deployments.

A Distributed ESM installation is where you have (minimum x3) physical/virtual hosts and different components are installed on different hosts. A simple distributed installation may have a master Persistor node (the database) and then two child nodes that handle rule correlation and aggregation. The advantage of this is that it scales to much larger EPS volumes (dependent on hardware). If you find that you're reaching the limits of a 3-node cluster, you can simply add in additional nodes to take up the processing requirements.

Both of these setups can have an additional host that acts as a High Availability node for the ESM database, so that if the main ESM database/host fails it has a backup. More information on this can be found in the ArcSight documentation: Active-Passive High Availability Module User's Guide for ESM 7.3

A little more information can be found below.

Distributed Correlation Cluster Planning

If you're wondering how to size your ESM installation or in which mode to deploy it, I would recommend getting in contact with your MF presales representative or lodging a Micro Focus customer support ticket in order to determine the best method of deployment for your environment.

2 Replies
Captain

Hi @LewisJ,

Thanks for your reply, it really helps.
