ESM6.5c SP1 Clustering
I'm new to ArcSight implementation and I'm planning to build a cluster with two ESM6.5 SP1 machines, both in ACTIVE, ACTIVE state. If anyone has done this kind of implementation before, can you please share your experiences?
Thanks in advance.
As stated earlier in another thread, wait for some time; HP is going to release the HA feature within the solution v6.8, which is in beta phase right now.
Otherwise, without it, I guess it's not technically possible, as the ArcSight ESM 6.5 installer doesn't give you many options to pick and choose.
My understanding is that the 6.8 HA will be block-level replication and require the two servers to be connected with a physical crossover cable, so will only work if you are in the same data center. I believe there are other requirements such as being able to control your rack power supplies. This thread is worth a read: https://protect724.hp.com/message/50110#50110 as it details the upcoming 6.8 in more detail.
Currently the recommended approach seems to be to have two instances of ESM and to try and replicate content using the inbuilt content sync functionality or through wrapping up package import and export commands with scripts. We have found both of these approaches very tricky in reality. There are limitations and gotchas and it's quite complicated and fragile.
Everyone has chipped in on this and pretty much answered it already. But a little clarity for you:
1) HA for ESM is fail-over only
2) ESM 6.8 will add HA capability - presentation from Protect above - it's fail-over
3) ESM 6.x doesn't really support HA as it's a single install with no centralized data store - doesn't lend itself
4) ESM 5.x with Oracle can be HA - but can be complex, but it's also fail-over
The reason for no active / active? You need consistency on the tables, events and lists (active and session). Although technically feasible, having events come into two nodes and have them co-operate for correlation purposes is real rocket science stuff (just think about the process / sequence and matching / decision tables needed!). As a result, it's easier, simpler and much more effective to be active / fail-over.
Now, co-operative correlation / distributed correlation - now that might be interesting....
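The consistency problem raised in the last reply, as an added example that is not part of any post in this thread and is not ArcSight code: a toy threshold rule (5 events per source within 60 seconds) run on one node, on two nodes with separate state, and on two nodes sharing state. The class, function names and sample events are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque


class CorrelationNode:
    """Toy correlation engine: alert when `threshold` events for one key
    arrive within `window` seconds. Not a model of ESM internals."""

    def __init__(self, threshold=5, window=60, state=None):
        self.threshold = threshold
        self.window = window
        # Per-key timestamps; private to the node unless a shared store is passed in.
        self.state = state if state is not None else defaultdict(deque)
        self.alerts = []

    def ingest(self, ts, key):
        q = self.state[key]
        q.append(ts)
        # Drop timestamps that have aged out of the correlation window.
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((key, ts))
            q.clear()  # reset partial matches after the rule fires


# Constructed sample: 8 failed logins from one source, 5 seconds apart.
EVENTS = [(t, "10.0.0.7") for t in range(0, 40, 5)]


def run(events, nodes=1, shared_state=False):
    """Distribute events round-robin over `nodes` engines and collect alerts."""
    shared = defaultdict(deque) if shared_state else None
    cluster = [CorrelationNode(state=shared) for _ in range(nodes)]
    for i, (ts, key) in enumerate(events):
        cluster[i % nodes].ingest(ts, key)
    return sorted(a for n in cluster for a in n.alerts)


if __name__ == "__main__":
    print("single node:          ", run(EVENTS))
    print("2 nodes, split state: ", run(EVENTS, nodes=2))
    print("2 nodes, shared state:", run(EVENTS, nodes=2, shared_state=True))
```

With split state each node sees only four of the eight events, so the rule never fires; the shared store recovers the detection but assumes every update is ordered and visible to both nodes at once, which is the hard part in a real deployment.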