Commander

Reuse installed connector

Hi 🙂 

I came across the Protect presentation which mentioned that one can copy an installed connector to a new location and re-use it!

And my question is HOW TO do it? What about conflicts regarding the port used, agent ID, agent name, etc.?

Knowledge Partner

Yes, due to the nature of the install, you would be able to re-use the installed connector by copying, duplicating and re-distributing the "current" folder and then creating the softlinks for the services on Linux. The same applies to Windows, but you would have to recreate the connector service.

The question would be: why? Just copying the connector would result in conflicting agent IDs per destination, and there are better alternatives. Although there are ways to circumvent the agent-ID issue (regenerate the agent ID and copy it into the config file(s)), the destinations and/or ports of the system you deploy your connector to could be way off, resulting in you having to troubleshoot issues. Troubleshooting this is time consuming: if the host OS is not ready for the connector in terms of connectivity, libraries and whatever dependencies, you will experience a lot of very time-consuming issues.

Alternatives

  • Use the silent install to define a standard connector installation for each specific connector type.
  • Use an Ansible or Puppet script that acts as if you are going through the installation, and then use the parameters as variables in a separate reference file.
  • Deploy using ArcMC, although you would have to install the connector within an already deployed container, which means you would run multi-connector configurations in one container (not advisable, to be honest).

To be honest, within the team I led in the UK, we had a DevSecOps guy who automated the installations using Ansible, and he could deploy as many connectors as you can imagine in parallel. He had a connector automation library for the common connector types and it was amazing. Using this method we deployed a huge number of connectors in record time. We also did the host configurations using DevOps tooling. So imagine configuring >70 hosts (auditd/Linux log sources) in less than 5 minutes.

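The conflicts this reply warns about (the same agent ID, listener port and agent name turning up in every verbatim copy) can be caught before a cloned connector is ever started. The following is an added example, not code from this thread or from ArcSight: it assumes each copied install carries a small key=value properties file whose key names agent.id, agent.name, listen.port and destination are hypothetical stand-ins (the connector's real property names are not on this page), reports every value shared by more than one copy, and shows the "regenerate the agent ID and copy it into the config" fix by rewriting a clone with a fresh ID, name and port.

```python
# Added example (not from the thread or ArcSight): detect the conflicts that
# a verbatim copy of a connector install produces, then repair one clone.
#
# Assumption: every copy has a key=value properties file. The key names
# agent.id, agent.name, listen.port and destination are hypothetical; the
# real connector uses its own property names.
import uuid
from collections import defaultdict

# Constructed sample: connector-1 is the original, connector-2 was produced by
# copying the install folder as-is, connector-3 was registered separately.
SAMPLE_COPIES = {
    "connector-1": "agent.id=3A1B2C3D\nagent.name=fortinet-01\n"
                   "listen.port=514\ndestination=esm.example:8443\n",
    "connector-2": "agent.id=3A1B2C3D\nagent.name=fortinet-01\n"
                   "listen.port=514\ndestination=esm.example:8443\n",
    "connector-3": "agent.id=9F8E7D6C\nagent.name=fortinet-03\n"
                   "listen.port=516\ndestination=esm.example:8443\n",
}

# Keys that must be unique per host/destination; destination may be shared.
CHECKED_KEYS = ("agent.id", "agent.name", "listen.port")


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_conflicts(copies):
    """Return [(key, value, [copy names])] for every value shared by more than one copy."""
    seen = {key: defaultdict(list) for key in CHECKED_KEYS}
    for name, text in copies.items():
        props = parse_properties(text)
        for key in CHECKED_KEYS:
            if key in props:
                seen[key][props[key]].append(name)
    findings = []
    for key in CHECKED_KEYS:
        for value, names in seen[key].items():
            if len(names) > 1:
                findings.append((key, value, sorted(names)))
    return findings


def rewrite_properties(text, overrides):
    """Return the properties text with the given keys replaced; other lines kept verbatim."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        key = key.strip()
        if sep and key in overrides:
            out.append(f"{key}={overrides[key]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def new_agent_id():
    """Random stand-in for a fresh agent ID; a real connector mints its own on registration."""
    return uuid.uuid4().hex[:8].upper()


def fix_clone(copies, clone, name, port):
    """Give one verbatim clone its own ID, name and port; returns an updated copy set."""
    fixed = dict(copies)
    fixed[clone] = rewrite_properties(
        copies[clone],
        {"agent.id": new_agent_id(), "agent.name": name, "listen.port": str(port)},
    )
    return fixed


if __name__ == "__main__":
    for key, value, names in find_conflicts(SAMPLE_COPIES):
        print(f"CONFLICT {key}={value} shared by {', '.join(names)}")
    repaired = fix_clone(SAMPLE_COPIES, "connector-2", "fortinet-02", 515)
    print("conflicts after fix:", find_conflicts(repaired))
```

Run against the constructed sample it reports three conflicts, all between connector-1 and connector-2 (shared agent.id, agent.name and listen.port), and none after the clone is rewritten; the destination is deliberately not checked, since several connectors feeding the same ESM or Logger is the normal case. The host-readiness problems the reply also mentions (connectivity, libraries, dependencies) are outside what a config check can see.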
Commander

@SecLex Thanks a lot for your time and answer.

What I need to do: we have a load balancer which balances the load between 6 connectors (Fortinet) with a lot of customized parameters, and these connectors are standalone (no central management). So, since we have increased the incoming EPS, I need to increase the number of connectors that the EPS will be distributed over, so I was thinking of duplicating existing connectors and reusing them!

Knowledge Partner

  • How much EPS (>4000) are you talking about?
  • Is this over UDP, TCP or Syslog TLS?
  • Did you tune multithreading and/or increase the heap size for the connector?
  • Are these dedicated connectors only used for Fortinet?
  • Have you looked into fine-tuning and benchmarking your connector settings to find the sweet spot?
  • Do you have a filtering strategy in place to reduce the overhead from unused events?
  • Did you tune the cache on your connector to reflect the log source event volume and/or IT SLAs for unavailable connectivity (connector to destination) and system downtime?

You might not need to introduce or use that many resources to achieve your goal and at the same time be the hero for your Security Department, IT Department and security budget :P.

Commander

@SecLex Thanks for your valuable contribution.

  • How much EPS (>4000) are you talking about?

    EPS greater than 4000.

  • Is this over UDP, TCP or Syslog TLS?

    The connector has 2 destinations: 1. Logger secure pool, 2. ESM.

  • Did you tune multithreading and/or increase the heap size for the connector?

    Yes, but due to caching I see a lot of Full GC!

  • Are these dedicated connectors only used for Fortinet?

    Yes.

  • Have you looked into fine-tuning and benchmarking your connector settings to find the sweet spot?

    Yes, but due to high caching on all Fortinet connectors, we are still fine-tuning as much as possible.

  • Do you have a filtering strategy in place to reduce the overhead from unused events?

    Currently there was no aggregation or filtering applied, so we will start by applying aggregation.

Commander

I think if we copied an installed connector and re-registered it again with ESM, it will create a new Agent ID.
