Log Collection Deploy: Configure Failover Local Collector

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1Show Document
  • View in full screen mode
 

After completing this procedure, you will have set up a destination made up of local collectors such that when the primary Local Collector is unreachable, the Remote Collector attempts to connect to each local collector in this destination until it makes a successful connection.

Return toProcedures.

Configure a Failover Local Collector

You can set up a Failover Local Collector that Security Analytics will fail over to if your primary Local Collector stops operating for any reason.

The following procedure explains how to set up a failover Local Collector.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Remote Collector.
  3. Click under Actions and select View > Config to display the Log Collection configuration parameter tabs.
  4. Select the Local Collectors tab, select Destinations in Select Configuration drop-down menu, and click to display in Destination Groups to display the Add Remote Destinations dialog.
  5. Add a primary Local Collector.
  6. Edit the Remote Destination and add a standby Local Collector.
    Newly added primary and standby Local Collectors are displayed in the Local Collector tab.

Set Up a Failover Local Collector

  1. In the Security Analytics menu, select Administration > Services.
  2. In Services, select a Remote Collector.
  3. Click AdvcdExpandBtn.PNGunder Actions and select View > Config.
    The Service Config view is displayed with the Log Collector General tab open.
  4. Select the Local Collectors tab.
  5. In the Destination Groups panel section, select Icon-Add.png.
    The Add Remote Destination dialog displays.
  6. Set up a Destination Group and select a primary Local Collector (for example, LC-PRIMARY).  

StanbyAddPrimaryLC.png

  1. Select the Group (for example, Primary_Standby_LCs) in the Destination Groups panel and click icon-edit.png.
    The Group you selected is displayed in the Local Collectors panel.
  2. Add the Failover Local Collector (for example, LC-STANDBY).

    StanbyAddStandbyLC.png
    The following examples show the newly added primary and failover Local Collectors showing the primary Local Collector as Active and the Failover Local Collector as Standby. The active Local Collector is highlighted (for example, LC-PRIMARY).
    FailoverActStdby.png
  3. (Optional) Add, delete, and change the order of Local Collectors to each Remote Destination.
    1. Click Icon-Add.png to add a Log Collector as a failover Remote Destination.
    2. When connecting to a Remote Destination, the Remote Collector will attempt to connect to each Local Collector in this list in order, until it makes a successful connection.
    3. Select a Local Collector and use the  UpDownArrows.PNG (up and down arrow buttons) to change the order of connection. 
    4. Select one or more Local Collectors and click Icon_Delete_sm.png  to remove them from the list.

The selected Local Collectors are added to the Log Collector section. When the Remote Collector starts collecting data, it pushes data to these Log Collectors.

The following tab shows File as the only protocol selected.

RCSel1.png

The following tab shows all protocols selected. Security Analytics selects all protocols if you leave the Collections field blank.

RCSel2.png

Parameters

Reference - Remote/Local Collectors Configuration Parameters Interface

You are here: Log Collection Deployment Guide > Procedures > Configure Local and Remote Collectors > Configure Failover Local Collector

Attachments

    Outcomes