|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: SA Security Analytics Server, SA Log Collector
RSA Version/Condition: 10.5, 10.6
|Issue||You can set up a Failover Local Collector that Security Analytics will fail over to if your primary Local Collector stops operating for any reason.|
|Tasks||For 10.5 - https://sadocs.emc.com/0_en-us/089_105InfCtr/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC|
For 10.6 - https://sadocs.emc.com/0_en-us/088_SA106/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC
|Resolution||For instance: when the Primary Local Collector goes down, make sure that the Remote Collector sends its logs to the Standby Local Collector and switches back to the Primary Local Collector automatically once it comes back online.|
Follow the steps below to test whether failover is working on the RSA Security Analytics Collector.
1. Log in to the Security Analytics GUI.
2. Stop the "Primary Local Collector" service from Administrator --> Services --> Actions --> Stop.
3. SSH to the Primary Local Collector and stop the rabbitmq service using the command below:
service rabbitmq-server stop
4. Navigate to the "Standby Local Collector" from the Investigation module in the SA UI and check whether it is receiving logs from the Remote Collector.
5. SSH to the Primary Local Collector and start the rabbitmq service using the command below:
service rabbitmq-server start
6. Start the "Primary Local Collector" service from Administrator --> Services --> Actions --> Start.
7. Repeat the steps vice versa for the Standby Local Collector.
Follow these steps to rebalance so that each Remote Collector sends its logs to its respective Local Collector.
1. SSH to the Primary and Secondary Remote Collectors.
2. Restart the collector and rabbitmq service using the commands below:
service rabbitmq-server restart
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.