000032900 - How to set up and test a Failover Local Collector for a Remote Collector on RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 30, 2016
Last modified by RSA Customer Support on Jan 24, 2018
Version 3

Article Content

Article Number: 000032900
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server, SA Log Collector
RSA Version/Condition: 10.5, 10.6
Issue: You can set up a Failover Local Collector that Security Analytics will fail over to if your primary Local Collector stops operating for any reason.
Tasks: For 10.5 - https://sadocs.emc.com/0_en-us/089_105InfCtr/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC

For 10.6 - https://sadocs.emc.com/0_en-us/088_SA106/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC
After completing this procedure, you will have set up a destination made up of local collectors such that when the primary Local Collector is unreachable, the Remote Collector attempts to connect to each local collector in this destination until it makes a successful connection.
Once Failover is set up, please follow the steps under Resolution to test whether Failover is working on RSA Security Analytics Collector.

Resolution: For instance, when the Primary Local Collector goes down, make sure that the Remote Collector sends the logs to the Standby Local Collector and switches back to the Primary Local Collector automatically once it comes back online.
Please follow the steps below to test whether failover is working on the RSA Security Analytics Collector.
      1. Log in to the Security Analytics GUI.
      2. Stop the "Primary Local Collector" service from Administrator --> Services --> Actions --> Stop.
      3. SSH to the Primary Local Collector and stop the rabbitmq service using the command below:
         service rabbitmq-server stop

      4. Navigate to the "Standby Local Collector" from the Investigation module in the SA UI and check whether it is receiving the logs from the Remote Collector.
      5. SSH to the Primary Local Collector and start the rabbitmq service using the command below:
         service rabbitmq-server start

      6. Start the "Primary Local Collector" service from Administrator --> Services --> Actions --> Start.
      7. Repeat the same steps the other way around for the Standby Local Collector.
Please follow the steps below to rebalance so that the respective Remote Collectors send their logs to their respective Local Collectors.
      1. SSH to the Primary and Secondary Remote Collector.
      2. Restart the collector and rabbitmq services using the commands below:
         restart nwlogcollector
         service rabbitmq-server restart

If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
