Reuse installed connector
I came across the Protect presentation, which mentioned that one can copy an installed connector to a new location and re-use it!
My question is: HOW do you do it? What about conflicts regarding the port used, agent ID, agent name, etc.?
Yes, due to the nature of the install, you would be able to re-use the installed connector by copying, duplicating and re-distributing the "current" folder and then creating the softlinks for the services on Linux. The same applies to Windows, but there you would have to recreate the connector service.
The question would be: why? Just copying the connector would result in conflicting agent IDs per destination, and there are better alternatives. Although there are ways to circumvent the agent-ID issue (regenerate the agent ID and copy it into the config file(s)), the destinations and/or ports of the system you deploy your connector to could be way off, resulting in you having to troubleshoot issues. Troubleshooting this is time consuming: if the host OS is not ready for the connector in terms of connectivity, libraries and whatever other dependencies, you will experience a lot of very time-consuming issues.
- Use the silent install to define a standard connector installation for each specific connector type
- Use an Ansible or Puppet script that acts as if you are going through the installation, and then use the parameters as variables in a separate reference file.
- Deploy using ArcMC, although you would have to install the connector within an already deployed container, which means you would run multi-connector configurations in one container (not advisable, to be honest)
To be honest, within the team I led in the UK, we had a DevSecOps guy who automated the installations using Ansible, and he could deploy as many connectors as you can imagine in parallel. He had a connector automation library for the common connector types and it was amazing. Using this method we deployed a huge number of connectors in record time. We also did the host configurations using DevOps tooling. So imagine configuring >70 hosts (auditd/Linux log sources) in less than 5 minutes.
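As an added example (not code from the thread, and not the vendor's installer tooling), the following POSIX shell script sketches the approach described in the answer above: per-connector parameters kept in a separate inventory, a silent-install response file rendered from them, and a check that refuses to roll out when two definitions collide on host:port or on agent name, which are the conflicts the question asks about. The installer path, the `-i silent -f` flags and the response-file keys are assumptions; record a real response file from a reference host and take the keys from there. The inventory lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ArcSight product.
# Models the "silent install driven by a separate variables file" approach
# and adds the host:port / agent-name conflict check the question asks about.
# ASSUMPTIONS (hypothetical, verify against your installer and environment):
#  - one inventory line per connector: host:agent_name:listen_port:install_dir
#  - the installer accepts InstallAnywhere-style '-i silent -f <response file>'
#  - the response-file keys written below are placeholders; take the real ones
#    from a response file recorded on a reference host
set -eu

INSTALLER=${INSTALLER:-/opt/arcsight/installers/ArcSight-SmartConnector.bin}  # hypothetical path
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Constructed inventory: six Fortinet connectors behind a load balancer.
# fortinet_conn_05 deliberately reuses host3's port 514 so the check fires.
INVENTORY='
host1:fortinet_conn_01:514:/opt/arcsight/conn01
host2:fortinet_conn_02:514:/opt/arcsight/conn02
host3:fortinet_conn_03:514:/opt/arcsight/conn03
host3:fortinet_conn_04:1514:/opt/arcsight/conn04
host3:fortinet_conn_05:514:/opt/arcsight/conn05
host4:fortinet_conn_06:514:/opt/arcsight/conn06
'

# Print every duplicated host:port pair and agent name; return 1 if any exist.
# Two connectors on one host cannot both bind the same listener port, and two
# connectors with the same agent name are hard to tell apart at the destination.
find_conflicts() {
  printf '%s\n' "$1" | awk -F: '
    NF == 4 {
      hp = $1 ":" $3
      if (seen_hp[hp]++) dup["host:port " hp] = 1
      if (seen_nm[$2]++) dup["agent name " $2] = 1
    }
    END {
      n = 0
      for (k in dup) { print k; n++ }
      exit (n > 0)
    }'
}

# Render the silent-install response file for one inventory line to stdout.
render_response_file() {
  IFS=: read -r host name port dir <<EOF
$1
EOF
  printf '# generated for %s\n' "$host"
  printf 'USER_INSTALL_DIR=%s\n' "$dir"   # placeholder key
  printf 'CONNECTOR_NAME=%s\n' "$name"    # placeholder key
  printf 'LISTEN_PORT=%s\n' "$port"       # placeholder key
}

# Refuse to start when the inventory has conflicts; otherwise render one
# response file per connector and print the (dry-run) install command.
deploy_all() {
  if ! find_conflicts "$1"; then
    echo "refusing to deploy: fix the conflicts listed above" >&2
    return 1
  fi
  printf '%s\n' "$1" | while IFS=: read -r host name port dir; do
    [ -n "$host" ] || continue
    resp="$WORKDIR/$name.properties"
    render_response_file "$host:$name:$port:$dir" > "$resp"
    # A real run would ship $resp to $host and execute this command there.
    printf 'ssh %s %s -i silent -f %s\n' "$host" "$INSTALLER" "$resp"
  done
}

# Stand-alone demo: the constructed inventory is rejected because of the port clash.
if deploy_all "$INVENTORY"; then
  echo "dry-run commands printed above; run them for a real rollout"
else
  echo "inventory rejected" >&2
fi
```

Run it as-is to see the constructed inventory rejected; point INVENTORY at your own list and replace the printed ssh line with the real remote execution once the check passes. Regenerating the agent ID on each copy is a separate step this script does not cover.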
@SecLex Thanks a lot for your time and answer.
What I need to do: we have a load balancer which balances the load between 6 connectors (Fortinet) with a lot of customized parameters, and these connectors are standalone (no central management). Since we have increased the incoming EPS, I need to increase the number of connectors that the EPS will be distributed over, so I was thinking of duplicating the existing connectors and reusing them!
- How much EPS (>4000) are you talking about?
- Is this over UDP, TCP or Syslog TLS?
- Did you tune multithreading and/or increase the heap size for the connector?
- Are these dedicated connectors only used for Fortinet?
- Have you looked into fine-tuning and benchmarking your connector settings to find the sweet spot?
- Do you have a filtering strategy in place to reduce the overhead from unused events?
- Did you tune the cache on your connector to reflect the log source event volume and/or IT SLAs for unavailable connectivity (connector to destination) and system downtime?
You might not need to introduce or use that many resources to achieve your goal and at the same time be the hero for your Security Department, IT Department and security budget :P.
@SecLex Thanks for your valuable contribution.
How much EPS (>4000) are you talking about?
EPS greater than 4000.
Is this over UDP, TCP or Syslog TLS?
The connector has 2 destinations: 1. Logger secure pool, 2. ESM.
Did you tune multithreading and/or increase the heap size for the connector?
Yes, but due to caching I see a lot of Full GCs!
Are these dedicated connectors only used for Fortinet?
Yes, but due to high caching on all Fortinet connectors, we are still fine-tuning as much as possible.
Do you have a filtering strategy in place to reduce the overhead from unused events?
Currently there is no aggregation or filtering applied, so we will start by applying aggregation.