
Pause or Stop events to be sent to the logger

We have a setup as follows:

1 ESM, 2 logger appliances (no peering), 2 connector servers on Windows, configured in a cluster without using shared storage.

We have installed Windows Unified Event Connector, Syslog Event Connectors, and Checkpoint Event Connectors on both the Windows machines that are our connector servers. There are 3 destinations configured (1 ESM and 2 logger appliances).

The issue we are facing is to achieve high availability for the Connector servers, without duplication of events. The options we are evaluating are below:

1. Re-install connector servers with RHEL 6.5 64-bit OS (no shared storage), so that we can configure automatic failover for the connector servers.

2. Have a shared storage and re-install the pull mode connectors (Windows Unified and Checkpoint) on the shared space.

3. Use the execute command option as a rule action from ESM to pause one connector. This way the event flow to ESM would be stopped. We will keep the caching size at zero, so that no events are cached and the events are dropped on this connector. When there is a scenario of Connector 1 going down, the rule would automatically execute a connector command to start the paused connector. As there are no cached events, the connector would only forward the real-time events it receives, hence there would be no duplication.

The QUESTION IS, will pausing a connector from ESM also pause the events it sends to the logger destination? Highly unlikely, but still I am asking for your expert opinions. Thank you for your help.


Re: Pause or Stop events to be sent to the logger

No, it will not. If you create two separate destinations in the connector, the connector is sending events to two different separate destinations. If you pause the connector for one destination, in this case ESM, the connector will still keep sending events to the logger.

Regards

Daniel


Re: Pause or Stop events to be sent to the logger

Okay, I was thinking the same. This would not be ideal for us then. Is there a way to remotely pause events for the logger?

- Vishal K


Re: Pause or Stop events to be sent to the logger

No, there is not. The logger doesn't have as much control over the connector as the ArcSight console.

Cheers!

Daniel


Re: Pause or Stop events to be sent to the logger

I think you may want to look at things differently by ensuring that the smart connectors do not get duplicate events in the first place while maintaining high availability.

  • For syslog, our new load balancer would provide the answer.
  • The load balancer still does not support Windows and Checkpoint; however, for both of those the source will cache events on failure, so you can stick to a single connector without losing events (though sacrificing on real timeness).

If you prefer your solution, you may want to look into forwarding from ESM to the Loggers rather than directly.


Re: Pause or Stop events to be sent to the logger

Thank you for your reply. If we forward from ESM to the loggers:

1: ESM becomes the single point of failure.

2: Connectors will cache only if destinations are down... so how can we prevent duplicate events, as we are looking at connector HA?

- Vishal K


Re: Pause or Stop events to be sent to the logger

One more point:

Would installing SmartConnectors on a shared storage space solve the HA without duplication of events, for Windows and CheckPoint? If it does, we can propose it to our customer.

- Vishal K
