Group Aggregation enables you to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them. It allows multiple Archiver services or Concentrator services to efficiently aggregate from multiple Log Decoder services and provide better query performance on the data:
- stored in the Archiver
- processed through the Concentrator.
RSA Group Aggregation Deployment Recommendations
RSA recommends the following deployment for Group Aggregation:
- 1 - 2 Log Decoders
- 3 - 5 Archivers or Concentrators
Advantages of Using Group Aggregation
With Group Aggregation:
- Security Analytics query performance is faster.
- Aggregate queries (Count and Sum) perform better on the environment.
- Investigation performance is better than a service without group aggregation.
- You can store data for a longer duration for investigation purposes.
Note: To achieve the best performance, the total amount of data stored on the group of nodes should not increase compared to the amount of data stored on the original nodes. For example, if you had one node at 90% capacity then created a three-node group, and all three nodes were at 90% capacity, you would increase the storage, but the performance gain would be minimal.
The following diagram illustrates Group Aggregation.
You can group any number of Archivers or Concentrators together to form an aggregation group. The Archiver or Concentrator services in the group divide all the aggregated sessions between them based on the number of sessions defined in the Aggregate Max Sessions parameter.
For example, in an aggregation group containing 2 Archiver services or 2 Concentrator services with the Aggregate Max Sessions parameter set to 10000, the services would divide the sessions between themselves as follows:
|Archiver 0 or Concentrator 0|Archiver 1 or Concentrator 1|
|---|---|
|1 - 9,999|10,000 - 19,999|
|20,000 - 29,999|30,000 - 39,999|
|40,000 - 49,999|50,000 - 59,999|
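The following sketch models the division shown in the table and extends it to any group size. It is an added illustration, not RSA code: it assumes members take fixed-size blocks of session IDs in round-robin order (inferred from the table), and the function names are hypothetical.

```python
from collections import Counter


def owner(session_id, group_size, max_sessions):
    """Index of the group member holding session_id.

    Assumption: blocks of max_sessions IDs are handed out round-robin.
    """
    if session_id < 1:
        raise ValueError("session IDs start at 1 in the table")
    return (session_id // max_sessions) % group_size


def split_range(first, last, group_size, max_sessions):
    """Split the inclusive range [first, last] into (member, start, end) blocks."""
    if first < 1 or last < first:
        raise ValueError("need 1 <= first <= last")
    blocks = []
    start = first
    while start <= last:
        # Last session ID of the block that contains `start`.
        block_end = (start // max_sessions + 1) * max_sessions - 1
        end = min(block_end, last)
        blocks.append((owner(start, group_size, max_sessions), start, end))
        start = end + 1
    return blocks


def sessions_per_member(first, last, group_size, max_sessions):
    """Count how many sessions of [first, last] each member holds."""
    counts = Counter()
    for member, start, end in split_range(first, last, group_size, max_sessions):
        counts[member] += end - start + 1
    return dict(counts)


if __name__ == "__main__":
    # Reproduces the two-member table (Aggregate Max Sessions = 10000).
    for member, start, end in split_range(1, 59_999, 2, 10_000):
        print(f"member {member}: {start:,} - {end:,}")
    # Constructed example: a session range spread over a three-member group.
    print(sessions_per_member(15_000, 42_500, 3, 10_000))
```

Under this model, any session range wider than one block is spread across several members, so an investigation over that range has to query more than one service in the group.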