Configure Group Aggregation

Document created by RSA Information Design and Development on May 2, 2016Last modified by RSA Information Design and Development on Oct 13, 2016
Version 8Show Document
  • View in full screen mode
  

Complete this procedure to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them.

Prerequisites

Plan the network design for group aggregation. The following figure is an example of a group aggregation setup.

Ensure that you understand the Group aggregation parameters in the following table, and create a group aggregation plan.

                         
ParameterDescription
Group NameIt determines the group to with the Archiver or Concentrator belongs.
You can add any number of groups aggregating data from a Log Decoder. The Group Name parameter is used by the Log Decoder to identify which Archiver or Concentrator services are working together. All Archiver or Concentrators services in the group should have the same group name.
SizeIt determines the number of Archiver or Concentrator services in the aggregation group.
Member NumberIt determines the position of the Archiver or Concentrator in the aggregation group. For a group of size N, member number from 0 to N-1 must be set on each of the Archiver or Concentrators services in the aggregation group.
For example: If the size of the aggregation group is 2, the member number of one of the Archiver or Concentrator service should be set to 0 and the member number of the other Archiver or Concentrator should be set to 1.
Membership Mode

There are two membership modes: New and Replace.
New: Adding a new Archiver or Concentrator service as a member to the existing aggregation group or creating an aggregation group. The Archiver or Concentrator service does not aggregate any existing sessions from the service as other members of the group would have already aggregated all the sessions on the service. This Archiver or Concentrator service will only aggregate new sessions as they appear on the service.
Replace: Replacing an existing aggregation group member. The Archiver or Concentrator will begin aggregation from the oldest session available on the service it is aggregating from.

Note: This parameter has an effect only when no sessions have been aggregated from the service. After some sessions are aggregated, this parameter has no effect.

Set up Group Aggregation

Complete the following procedure to set up group aggregation.

  1. Configure multiple Archiver or Concentrator services in your environment. For instructions, see the "Configure Archiver"topic in the RSA Security Archiver Configuration Guide or "Broker and Concentrator Configuration" topic in the RSA Security Analytics Broker and Configuration Guide.
    Make sure that you add the same Log Decoder as data source to all the services.
  2. Perform the following on all the Archiver or Concentrator services that you want to be part of aggregation group:

    1. In the Security Analytics menu, select Administration > Services.
    2. Select the Archiver or Concentrator service, and in the Actions column, select View > Config.
      The Device Config view of the Archiver or Concentrator is displayed.
    3. Under Aggregate Services section, select the Log Decoder device.
    4. Click to change the status of the Log Decoder to offline if it is online.
    5. Click .

      The Edit Aggregate Service dialog is displayed.

    6. Click group_aggregation_button.png

      The Edit Group Aggregation dialog is displayed.

    7. Select the Enabled checkbox and set the following parameters:

      In the Group Name field, type the group name.
      In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
      In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
      In the Membership Mode drop-down menu, select the mode.

    8. Click Save.
    9. In the Device Config View page, click Apply.
    10. Perform Step b to Step i on all other Archiver or Concentrator services that need to be part of group aggregation.
  3. In the Aggregation Configuration section, set Aggregate Max Sessions parameter set to 10000.

Previous Topic:Group Aggregation
You are here
Table of Contents > Configure Group Aggregation

Attachments

    Outcomes