A feature request related to Logger HA
We are deploying some loggers as HA pairs. There is no automated function to enable the forwarder on the second logger if the first one fails. Since ArcSight is moving toward more interaction between ESM and logger, I have opened the enhancement request to ask for the ability to send a command from ESM to logger to cause a forwarder to be enabled. This would allow rules to monitor the Logger input into ESM and potentially activate the forwarder automatically. This would give us a more automated HA situation.
For anyone who would like to get added to the FR (and increase the likelihood of it being adopted) please reference
#62003 Enable a forwarder via command passed from ESM
Just curious... wouldn't you rather have the feature request based on Logger gaining HA ability instead? What I mean is that I'd much rather see Logger gain a heartbeat feature between the HA pair so the "secondary" could enable the forwarder when its peer (the primary) goes down. I wouldn't want the dependency to be on ESM, but perhaps you've thought of another advantage of doing it that way that I'm not seeing.
No, fully agree that I'd rather have Logger do a "real" HA, however based on the development cycle and where they seem to be with the capability to do interaction of Logger with ESM it seemed like this would be able to be brought to market sooner than developing full HA would. Trying to get them to provide at least "poor man's" HA until a true HA capability is available.
It's unfortunate that there is no concept of HA in Logger till now. The Agent never caches for the Primary logger if Primary goes down on a Peer setup. All the logs will be forwarded to the Secondary logger in this scenario. So in future if you want to search something for that time period, you need to search on both the loggers, making the search slow. Once the failover happens here and there over a period of time, obviously you will not remember all the downtimes and you will be forced to run a search on both the peer Loggers as a standard practice.
This makes me think of an obvious solution. Why can't we use a single Logger and let the Agent cache for the same?
It is better to compromise on real time monitoring over a slow and complicated process.
From a Logger HA document I got, ArcSight claims to cache events on the agents in case of using failover destinations!
Means if a primary logger goes down, events are cached AND sent to the failover destination. When the primary logger comes back up, cached events are sent to the primary instance too.
Can anyone confirm that from his practical experience?
Has anyone out there ever done a logger setup using load balancers between agents and loggers?
I can confirm that this is normal behavior when a secondary destination is defined. I actually opened up a feature request a long time back that would allow you to configure the connector NOT to cache to the primary destination if the secondary is online, because at the time I was having both Loggers send to ESM (which means events sent to secondary, cached, and eventually also sent to primary would all be received in duplicate in ESM). They filled that request with a release a few months back, so this can be tweaked as well.
Nonetheless, what Logger needs most is a true HA relationship somehow, where perhaps a SAN volume is used and multiple Loggers load balance the interface to the same data on the back end, so that regardless of which (or how many) are online users and connectors never see an outage.
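The two behaviours discussed in this thread (a connector that caches for the primary while also sending to the failover destination, and the later option to skip that cache when the failover is online) are easy to reason about with a small model. The following is an added example written for this thread, not ArcSight's connector code; the class names, the `cache_for_primary_when_failover_online` flag, and the event stream are all assumed for illustration. It also shows the side effect described above: when both Loggers forward to ESM, replayed cache entries arrive at ESM a second time.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Destination:
    """A Logger instance (primary or failover). Constructed model, not real Logger."""
    name: str
    online: bool = True
    received: List[str] = field(default_factory=list)


@dataclass
class Connector:
    """Toy connector with one primary and one failover destination.

    cache_for_primary_when_failover_online is an assumed name for the option the
    thread mentions: when True the connector caches for the primary even though
    the event was already delivered to the failover (original behaviour); when
    False it only caches if no destination accepted the event.
    """
    primary: Destination
    failover: Destination
    cache_for_primary_when_failover_online: bool = True
    cache: List[str] = field(default_factory=list)

    def send(self, event: str) -> None:
        if self.primary.online:
            self.primary.received.append(event)
            return
        if self.failover.online:
            self.failover.received.append(event)
            if self.cache_for_primary_when_failover_online:
                self.cache.append(event)
        else:
            # Nobody accepted the event: it must be cached regardless of the option.
            self.cache.append(event)

    def flush_cache(self) -> int:
        """Replay cached events to the primary once it is back. Returns count replayed."""
        if not self.primary.online or not self.cache:
            return 0
        replayed = len(self.cache)
        self.primary.received.extend(self.cache)
        self.cache.clear()
        return replayed


def esm_view(loggers: List[Destination]) -> Dict[str, int]:
    """Both Loggers forward to ESM; count how many events arrive more than once."""
    counts: Dict[str, int] = {}
    for logger in loggers:
        for ev in logger.received:
            counts[ev] = counts.get(ev, 0) + 1
    return {
        "total_received": sum(counts.values()),
        "duplicates": sum(1 for c in counts.values() if c > 1),
    }


def run_scenario(cache_to_primary: bool) -> Dict[str, int]:
    """Constructed outage: primary goes down for two events, then recovers."""
    primary = Destination("logger-primary")
    failover = Destination("logger-failover")
    conn = Connector(primary, failover, cache_to_primary)

    events = ["e1", "e2", "e3", "e4", "e5", "e6"]
    for i, ev in enumerate(events):
        primary.online = i not in (2, 3)  # e3 and e4 are sent during the outage
        conn.send(ev)
    primary.online = True
    replayed = conn.flush_cache()

    result = esm_view([primary, failover])
    result.update({
        "primary": len(primary.received),
        "failover": len(failover.received),
        "replayed": replayed,
    })
    return result


if __name__ == "__main__":
    print("cache to primary while failover online:", run_scenario(True))
    print("cache only when nothing accepted:      ", run_scenario(False))
```

With the original behaviour every event ends up on the primary, so a later search only has to hit one Logger, but ESM sees each outage-time event twice; with the option turned off the search has to span both Loggers while ESM stays duplicate-free. That is exactly the trade-off the posts above describe.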