A host is the machine on which a service runs and a host can be a physical or virtual machine.
A service performs a unique function, such as collecting logs or archiving data. Each service runs on a dedicated port and is modeled as a plugin to enable or disable, according to the function of the host.
You must configure the following Core services first:
- Decoder
- Concentrator
- Broker
- Log Decoder
All the services are listed below and each service except the Log Collector has its own guide or shares a guide in the Host and Services Configuration Guides. The Log Collector has its own set of configuration guides to handle the configuration for all the supported event collection protocols. For Log Collector information, see Log Collection Guides.
- Archiver
- Broker
- Concentrator
- Decoder
- Event Stream Analysis
- Context Hub
- Incident Management
- IPDB Extractor
- Log Collector
- Log Decoder
- Malware Analysis
- Reporting Engine
- Warehouse Connector
- Workbench
You must configure hosts and services to communicate with the network and each other so they can perform their functions such as storing or capturing data.
Maintaining Hosts
You use the Host view to add, edit, delete, and perform other maintenance tasks for the hosts in your deployment. See:
- Host Setup Procedures - minimum tasks you must complete to set up a host in Security Analytics.
- Host Maintenance Procedures - host maintenance tasks that you perform from the Hosts view.
- Host Procedures from the Task List Dialog - tasks relating to a host and its communications with the network that you perform from the Task List dialog.
After your initial implementation of Security Analytics, the major task you perform from the Host view is updating your Security Analytics deployment to a new version.
Update Version Naming Convention
You use the Hosts view to apply the latest version updates from your Local Update Repository (see the Manage Security Analytics Updates topic in System Maintenance for more information on your Local Update Repository). You must understand the update version naming convention to know which version you want to apply to the host. The naming convention is major-release.minor-release.service-pack.patch. For example, if you choose 10.6.1.2, you would be applying the following version to the host.
- 10 = major release
- 6 = minor release
- 1 = service pack
- 2 = patch
Updating a Host Version
You use the Hosts view to update a host to a new version. The following example illustrates how to do this. When version updates are available for a host, Update Available is displayed in the Status column and you choose the update from the Select Version column. See Apply Updates for detailed instructions on how to apply a new version update to a host.
Note: If you cannot find a version, you may need to populate your local update repository. For more information, see the Populate Local Update Repository topic in System Maintenance.
1. Select the version from the Update Version column.
Note: You can only update to the latest minor release or a patch.
2. Select the host, or hosts, that you want to update.
Note: If you have conflicts updating any of the non-SA Server hosts, the SA Server Host remains grayed out until the other host conflicts are resolved.
3. Click Update to start the update process.
4. Monitor the progress of the update in the Status column. During the update process, Security Analytics:
See Troubleshooting 10.6 Pre-Update and Update Warnings, Conflicts, and Errors for instructions on how to resolve these configuration warnings and conflicts.
5. Click Reboot Host.
Deploying Multiple Versions
Security Analytics supports multiple versions in your deployment. The Security Analytics (SA) Server Host is updated first and all other hosts must have the same or earlier version as the SA Server Host.
Note: The Hosts view ensures that the SA Server Host is updated first and that all other hosts have the same or earlier version as the SA Server Host.
Consider the following example of a multiple version deployment:
- Version updates currently available in your Local Update Repository are 10.6.1.0 and 10.5.1.4 for the Broker, LC/LD, and Log Decoder hosts.
- The SA Server Host and all the other hosts are currently updated to 10.6.1.
This means that you have the option to update the Broker, LC/LD, and Log Decoder hosts to 10.6.1.0 or 10.5.1.4.
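The version naming convention above and the rule that every other host must be at the same or an earlier version than the SA Server Host can be checked mechanically. The following is an added example, not RSA code and not part of this guide; it assumes that a version with fewer than four components (such as 10.6.1) is padded with zeros, so 10.6.1 compares equal to 10.6.1.0, and uses the deployment from the example above as constructed input.

```python
from typing import Dict, List, Tuple

# A version following the convention major-release.minor-release.service-pack.patch,
# for example 10.6.1.2 = major 10, minor 6, service pack 1, patch 2.
Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a version string into (major, minor, service_pack, patch).

    Trailing components that are missing are treated as 0 (assumption of this
    example): '10.6.1' becomes (10, 6, 1, 0).
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a major.minor.service-pack.patch version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def describe(version: Version) -> Dict[str, int]:
    """Label each component with the name the naming convention gives it."""
    major, minor, service_pack, patch = version
    return {"major release": major, "minor release": minor,
            "service pack": service_pack, "patch": patch}


def allowed_updates(sa_server: str, available: List[str]) -> List[str]:
    """Versions from the Local Update Repository that a non-SA host may take.

    Only versions equal to or earlier than the SA Server Host version qualify,
    because every other host must be at the same or an earlier version.
    """
    cap = parse_version(sa_server)
    return sorted((v for v in available if parse_version(v) <= cap), key=parse_version)


def deployment_violations(sa_server: str, hosts: Dict[str, str]) -> List[str]:
    """Names of hosts that are ahead of the SA Server Host; empty for a valid deployment."""
    cap = parse_version(sa_server)
    return sorted(name for name, v in hosts.items() if parse_version(v) > cap)


if __name__ == "__main__":
    # Constructed deployment mirroring the example: SA Server at 10.6.1,
    # repository offering 10.6.1.0 and 10.5.1.4 for Broker, LC/LD and Log Decoder.
    sa_server_version = "10.6.1"
    hosts = {"Broker": "10.6.1", "LC/LD": "10.6.1", "Log Decoder": "10.6.1"}
    repository = ["10.6.1.0", "10.5.1.4"]
    print("applicable updates:", allowed_updates(sa_server_version, repository))
    print("hosts ahead of SA Server:", deployment_violations(sa_server_version, hosts))
```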
Maintaining Services
You use the Services view to add, edit, delete, monitor, and perform other maintenance tasks for the services in your deployment. See Service Procedures for detailed instructions on the tasks you perform from the Hosts view.