Complete this procedure to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them.
Plan the network design for group aggregation. The following figure is an example of a group aggregation setup.
Ensure that you understand the Group aggregation parameters in the following table, and create a group aggregation plan.
|Parameter|Description|
|---|---|
|Group Name|Determines the group to which the Archiver or Concentrator belongs. You can add any number of groups aggregating data from a Log Decoder. The Log Decoder uses the Group Name parameter to identify which Archiver or Concentrator services are working together. All Archiver or Concentrator services in the group should have the same group name.|
|Size|Determines the number of Archiver or Concentrator services in the aggregation group.|
|Member Number|Determines the position of the Archiver or Concentrator in the aggregation group. For a group of size N, a member number from 0 to N-1 must be set on each of the Archiver or Concentrator services in the aggregation group. For example: If the size of the aggregation group is 2, the member number of one of the Archiver or Concentrator services should be set to 0 and the member number of the other Archiver or Concentrator should be set to 1.|
|Membership Mode|There are two membership modes: New and Replace. Note: This parameter has an effect only when no sessions have been aggregated from the service. After some sessions are aggregated, this parameter has no effect.|
Set up Group Aggregation
Complete the following procedure to set up group aggregation.
- Configure multiple Archiver or Concentrator services in your environment. For instructions, see the "Configure Archiver" topic in the RSA Security Archiver Configuration Guide or the "Broker and Concentrator Configuration" topic in the RSA Security Analytics Broker and Configuration Guide.
Make sure that you add the same Log Decoder as a data source to all the services.
Perform the following on all the Archiver or Concentrator services that you want to be part of the aggregation group:
- In the Security Analytics menu, select Administration > Services.
- Select the Archiver or Concentrator service, and in the Actions column, select View > Config.
The Device Config view of the Archiver or Concentrator is displayed.
- Under the Aggregate Services section, select the Log Decoder device.
- Click to change the status of the Log Decoder to offline if it is online.
The Edit Aggregate Service dialog is displayed.
The Edit Group Aggregation dialog is displayed.
Select the Enabled checkbox and set the following parameters:
In the Group Name field, type the group name.
In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
In the Membership Mode drop-down menu, select the mode.
- Click Save.
- In the Device Config View page, click Apply.
- Perform Step b to Step i on all other Archiver or Concentrator services that need to be part of group aggregation.
In the Aggregation Configuration section, set the Aggregate Max Sessions parameter to 10000.
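A written group aggregation plan can be checked against the parameter rules in the table and the same-Log-Decoder requirement before the values are entered on each service. The following is an added example, not RSA code: the plan format, dictionary keys and service names are hypothetical, and it assumes a group name is used for only one group in the plan.

```python
from collections import defaultdict

# Constructed plans, one entry per service; all names and keys are hypothetical.
GOOD_PLAN = [
    {"service": "concentrator-a", "log_decoder": "logdecoder-1", "group": "grp1", "size": 2, "member": 0},
    {"service": "concentrator-b", "log_decoder": "logdecoder-1", "group": "grp1", "size": 2, "member": 1},
]
BAD_PLAN = [
    {"service": "archiver-a", "log_decoder": "logdecoder-1", "group": "arch", "size": 3, "member": 0},
    {"service": "archiver-b", "log_decoder": "logdecoder-1", "group": "arch", "size": 3, "member": 0},
    {"service": "archiver-c", "log_decoder": "logdecoder-2", "group": "arch", "size": 3, "member": 3},
]

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    groups = defaultdict(list)
    for entry in plan:
        groups[entry["group"]].append(entry)
    for name, members in sorted(groups.items()):
        # All services in a group must aggregate from the same Log Decoder.
        decoders = sorted({m["log_decoder"] for m in members})
        if len(decoders) > 1:
            problems.append(f"{name}: different Log Decoders {decoders}")
        # Size is the number of services in the group, so it must agree everywhere.
        sizes = sorted({m["size"] for m in members})
        if len(sizes) > 1:
            problems.append(f"{name}: services disagree on Size {sizes}")
            continue  # member numbers cannot be checked without one agreed Size
        size = sizes[0]
        if len(members) != size:
            problems.append(f"{name}: Size is {size} but {len(members)} services are planned")
        # Member numbers must be 0 to N-1, each set on exactly one service.
        seen = defaultdict(list)
        for m in members:
            seen[m["member"]].append(m["service"])
        for number, services in sorted(seen.items()):
            if not 0 <= number < size:
                problems.append(f"{name}: member number {number} on {services} is outside 0..{size - 1}")
            elif len(services) > 1:
                problems.append(f"{name}: member number {number} set on several services {services}")
        missing = [n for n in range(size) if n not in seen]
        if missing:
            problems.append(f"{name}: no service has member number {missing}")
    return problems

if __name__ == "__main__":
    for plan in (GOOD_PLAN, BAD_PLAN):
        print(validate_plan(plan) or "plan is consistent")
```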