Ensure that you understand the Group aggregation parameters. For more information, see Group Aggregation Parameters.
Set up Group Aggregation
To set up group aggregation:
- Configure multiple Archiver or Concentrator services in your environment. For instructions, see Configure Archiver or Broker and Concentrator Configuration. Make sure that you add the same Log Decoder as a data source to all the services.
Perform the following on all the Archiver or Concentrator services that you want to be part of the aggregation group:
- In the Security Analytics menu, select Administration > Services.
- Select the Archiver or Concentrator service.
- In the Actions column, select View > Config.
The Device Config View of the Archiver or Concentrator is displayed.
- Under the Aggregate Services section, select the Log Decoder device.
- Click to change the status of the Log Decoder to offline if it is online.
The Edit Aggregate Service dialog is displayed.
The Edit Group Aggregation dialog is displayed.
- Select the Enabled checkbox.
- In the Group Name field, type the group name.
- In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
- In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
- In the Membership Mode drop-down menu, select the mode.
- Click Save.
- In the Device Config View page, click Apply.
Perform Step b to Step n on all other Archiver or Concentrator services that need to be part of group aggregation.
In the Aggregation Configuration section, set the Aggregate Max Sessions parameter to 10000.
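A consistency check for the settings planned in the steps above, as an added example that is not part of the original documentation or the product. The dictionary field names, service names and group name are constructed for illustration, and the check assumes that members of one group share a Group Name and hold distinct Member Numbers.

```python
from collections import Counter

MAX_SESSIONS = 10000  # Aggregate Max Sessions value given in the procedure


def check_group(members):
    """Return a list of problems in the planned settings; empty means consistent."""
    if not members:
        return ["no services planned"]
    problems = []
    # Every member must aggregate from the same Log Decoder; a shared Group Name
    # is assumed to be what ties the members into one group.
    for field in ("log_decoder", "group_name"):
        values = sorted({m[field] for m in members})
        if len(values) > 1:
            problems.append(f"{field} differs: {values}")
    for m in members:
        name = m["service"]
        if not m["enabled"]:
            problems.append(f"{name}: Enabled not selected")
        if m["size"] != len(members):
            problems.append(f"{name}: Size {m['size']} but {len(members)} services planned")
        if m["max_sessions"] != MAX_SESSIONS:
            problems.append(f"{name}: Aggregate Max Sessions is {m['max_sessions']}")
    # Assumption: each position in the group is held by exactly one service.
    for number, count in sorted(Counter(m["member_number"] for m in members).items()):
        if count > 1:
            problems.append(f"Member Number {number} assigned to {count} services")
    return problems


def member(service, number, **overrides):
    """Build one constructed sample entry; field names are hypothetical."""
    entry = {"service": service, "log_decoder": "logdecoder1", "group_name": "grp1",
             "enabled": True, "size": 2, "member_number": number, "max_sessions": 10000}
    entry.update(overrides)
    return entry


# Constructed sample plans: one consistent, one with three mistakes.
GOOD = [member("concentrator1", 1), member("concentrator2", 2)]
BAD = [member("concentrator1", 1),
       member("concentrator2", 1, size=3, log_decoder="logdecoder2")]

if __name__ == "__main__":
    for label, plan in (("good", GOOD), ("bad", BAD)):
        print(label, check_group(plan) or "consistent")
```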
The following figure illustrates Group Aggregation setup.