Commodore

ESM HA Dual Feeding


Hi,

We have a current implementation that involves ESM HA Dual Feeding. It seems like configuring 2 stand-alone ESMs and just sending the logs to them separately at the same time.

May I know what is the advantage of this setup vs the active-passive HA setup? Any documentation I can use so I can justify this to our client?

What is the advantage/disadvantage of Active-Active setup vs Active-Passive setup?

Thanks in advance,

Aqui

Fleet Admiral

The only two major differences really come down to resources and monitoring.

If you run an Active/Active, it also means that whichever amount of bandwidth is used is doubled, and resources like CPU/Memory are used double as well since both devices do correlation/aggregation.

If one ESM goes down, you also have better monitoring with the HA package for ESM, than with just server-based monitoring (like Nagios etc), ensuring that at least 1 ESM is available.

Disk usage would be the same, as data is mirrored between the servers.

In theory I feel Active/Active is better when you do HA across datacenters because latency would be an issue, while Active/Passive is better if you want HA in the same datacenter (maybe split it up to different physical machines, different SANs or switches etc).

-----------------------------------------------------------------------------------------
All topics and replies made are based on my personal opinion, viewpoint and experience; they do not represent the viewpoints of MicroFocus.
All replies are based on best effort, and cannot be taken as official support replies.
//Marius
Commodore

Hi Marius,

Having said this, I think it is much better to have an active-passive HA setup then. I also read this thread

https://community.microfocus.com/t5/ArcSight-User-Discussions/ESM-HA-concept-clarification/td-p/1560559. 

It seems that ESM Dual Feeding is an old way of ArcSight doing HA and the new way is to have an active-passive setup so you can replicate everything from one ESM to the other.

My question is, can we configure the ESM Dual Feeding and change it into an active-passive setup? We're having doubts because on the pricing list of MF, ESM Dual Feeding and ESM HA have different SKUs.

Your help is very much appreciated!

Thanks,

Aqui

Fleet Admiral

Hi Aqui,

What you have configured in your current implementation are two ESM instances that are receiving the same events and nothing more.

The advantage of this implementation is that it allows you to switch in real time between those two ESM environments, and if one of them is down there are no outages.

The major disadvantage facing this kind of implementation is the sync of the content between them. At this moment there is no 100% guarantee that what's on ESM 1 is on ESM 2 as well. Always something is not syncing, or someone activates certain content on one ESM and forgets to do it on the second, and so on.
Also, if there are integrations between the ArcSight world (ESM) and other tools, unfortunately those can run on only one of them (if you don't want to duplicate your data), and if one is down then you need to automate the switch of the integration to work on the live one.

Sometimes I saw clients that start to compare the number of events received by both ESMs and, let's face it, one of the servers can have performance issues and this environment will not be the same.

For the official HA for ESM you should start by reading the following documents:
https://community.microfocus.com/t5/ESM-and-ESM-Express/Micro-Focus-Security-ArcSight-ESM-High-Availability-Module-User/ta-p/1661013 ( HA User Guide )
https://community.microfocus.com/t5/ESM-and-ESM-Express/Micro-Focus-Security-ArcSight-ESM-Installation-Guide/ta-p/1661014 ( for installation )

The technology used for HA is DRBD. If you want to go on this path you should have two similar servers (CPU, RAM, HDD ...) and a third Ethernet interface for the heartbeat.
But this is Active / Passive (with data sync between servers). The ESM services are up and running only on one server. If something happens with the active server then the DRBD process powers up the ESM services on the secondary node. That means there will be a delay for the users to be connected and use ESM.

Advantages - no need to track content sync; the data between servers is constantly synced.
Disadvantages - you are stuck with the version of the kernel required by the DRBD module. Those are covered in the installation doc. It adds more complexity to the entire solution, and sometimes the administrators should be prepared to handle DRBD issues.

I think that for more information you should contact presales from MF if you are interested in HA.

I hope that what I have shared really helps.

Best Regards,

Daniel

Fleet Admiral
Good points, totally forgot about the content sync part as well
//Marius
Commodore

Hi Daniel,

Having said this, I think it is much better to have an active-passive HA setup then. I also read this thread

https://community.microfocus.com/t5/ArcSight-User-Discussions/ESM-HA-concept-clarification/td-p/1560559.

It seems that ESM Dual Feeding is an old way of ArcSight doing HA and the new way is to have an active-passive setup so you can replicate everything from one ESM to the other.

My question is, can we configure the ESM Dual Feeding and change it into an active-passive setup? We're having doubts because on the pricing list of MF, ESM Dual Feeding and ESM HA have different SKUs.

Your help is very much appreciated!

Thanks,

Aqui

Fleet Admiral (accepted solution)

Hi Aqui

 

Let me understand. You are asking if you can transform one of the servers into an HA ArcSight solution?

Technically yes, there are no issues.

You need to have another server, similar to the one that ESM is running on (CPU, RAM, HDD), and a second interface dedicated to HA traffic.

Then there is an ArcSight HA package that will be installed on the server where ESM is already installed. During the setup the process will copy / replicate the data on the new server.

Regarding the license, you need to get another license. The new license will have HA support activated. Without it the HA will not be able to be installed.

 

Best Regards,

 

Daniel

Commodore

Hi Daniel,

We have successfully migrated from Dual Feeding HA into Active-Passive HA. We just followed the steps on the guide and requested a new license for this setup. Dual-Feeding HA license will not work for Active-Passive setup.

Thank you very much for your help!

Regards,

Aqui

Commodore

Hi Daniel,

Btw, do you have any idea what is the standard size of synchronization on the Active-Passive HA? The screenshot on the guide is 38mb/s but I think it's just a screenshot of the process itself. It wasn't mentioned there what is the standard size.

Thanks,

Aqui
