Host GS: The Basics

Document created by RSA Information Design and Development Employee on Mar 21, 2017
Version 1

A host is the machine on which a service runs. A host can be a physical or virtual machine.

A service performs a unique function, such as collecting logs or archiving data. Each service runs on a dedicated port and is modeled as a plugin that you enable or disable, according to the function of the host.

You must configure the following Core services first: 

  • Decoder
  • Concentrator
  • Broker
  • Log Decoder

All the services are listed below and each service except the Log Collector has its own guide or shares a guide in the Host and Services Configuration Guides. The Log Collector has its own set of configuration guides to handle the configuration for all the supported event collection protocols. For Log Collector information, see Log Collection Guides.

  • Archiver
  • Broker
  • Concentrator
  • Decoder
  • Event Stream Analysis
  • Context Hub
  • Incident Management
  • IPDB Extractor
  • Log Collector
  • Log Decoder
  • Malware Analysis
  • Reporting Engine
  • Warehouse Connector
  • Workbench

You must configure hosts and services to communicate with the network and each other so they can perform their functions such as storing or capturing data. 

Maintaining Hosts

You use the Host view to add, edit, delete, and perform other maintenance tasks for the hosts in your deployment. See:

After your initial implementation of Security Analytics, the major task you perform from the Host view is updating your Security Analytics deployment to a new version.

Update Version Naming Convention

You use the Hosts view to apply the latest version updates from your Local Update Repository (see the Manage Security Analytics Updates topic in System Maintenance for more information on your Local Update Repository). You must understand the update version naming convention to know which version you want to apply to the host. The naming convention is major-release.minor-release.service-pack.patch. For example, if you choose, you would be applying the following version to the host.

  • 10 = major release
  • 6 = minor release
  • 1 = service pack
  • 2 = patch

Updating a Host Version

You use the Hosts view to update a host to a new version. The following example illustrates how to do this. When there are version updates available for a host, Update Available is displayed in the Status column and you choose the update from the Select Version column. See Apply Updates for detailed instruction on how to apply a new version update to a host.

Note: If you cannot find a version, you may need to populate your local update repository. For more information, see the Populate Local Update Repository topic in System Maintenance.


 1  Select the version from the Update Version column.

Note: You can only update to the latest minor release or a patch.


 2  Select the host, or hosts, that you want to update.

  • The Security Analytics (SA) Server Host must be updated to the latest version in your deployment before you can apply that version to any other host.
  • If you select multiple hosts for an update, Security Analytics updates the SA Server Host first.
  • If you try to update one or more hosts other than the SA Server Host to the latest version in your deployment before the SA Server Host, Security Analytics will not allow you to do this.
  • If a host is currently on a version that is not a valid update path, Security Analytics tells you to contact Customer Care for instructions on how to update the host to a valid path.

Note: If you have conflicts updating any of the non-SA Server hosts, the SA Server Host remains grayed out until other host conflicts are resolved.

 3  Click Update to start the update process.

Monitor the progress of the update in the Status column. During the update process, Security Analytics:

  1. Downloads the update package for the selected version if that package does not exist in your Local Update Repository.
  2. If you select multiple hosts to update, displays In Queue for Update while it applies the version to each host.
  3. Displays Running Pre-Update Checks while it validates your current version configuration. 
     • Displays "Update warning. View details" if there is an issue in your existing configuration that does not prevent you from updating to the new version.
     • Displays "Update conflict. View details" if there is a conflict in your existing configuration that blocks you from updating to the new version.

     See Troubleshooting 10.6 Pre-Update and Update Warnings, Conflicts, and Errors for instructions on how to resolve these configuration warnings and conflicts.

  4. Initiates the update if there are no conflicts.
  5. Applies each package for the selected update version.
  6. Monitors the update. If there is an error that blocks the update, Security Analytics displays "Update error. View details". See Troubleshooting 10.6 Pre-Update and Update Warnings, Conflicts, and Errors for instructions on how to resolve these errors.
  7. Prompts you to Reboot Host after the host has been updated.

Click Reboot Host.

  • When you are updating multiple hosts, after each host is updated and running, Security Analytics displays Up-to-Date.
  • If the host is updated, but all the services are not restarted after reboot, Security Analytics displays the services in red. Services may take several minutes to come online. Contact Customer Care if the host does not come back online.

Deploying Multiple Versions

Security Analytics supports multiple versions in your deployment. The Security Analytics (SA) Server Host is updated first and all other hosts must have the same or earlier version as the SA Server Host.

Note: The Hosts view ensures that the SA Server Host is updated first and that all other hosts have the same or earlier version as the SA Server Host.

In the following example of a multiple version deployment:

  • Version updates currently available in your Local Update Repository are and for the Broker, LC/LD, and Log Decoder hosts.
  • The SA Server Host and all the other hosts are currently updated to 10.6.1.

This means that you have the option to update the Broker, LC/LD, and Log Decoder hosts to or
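
The version naming convention and the ordering rule described above (the SA Server Host is updated first, and every other host stays at the same or an earlier version) can be checked offline before a maintenance window. This is an added example, not code from RSA or Security Analytics; the host names, the versions in the inventory and the plan_update helper are constructed for illustration.

```python
import re
from typing import NamedTuple

class Version(NamedTuple):
    major: int
    minor: int
    service_pack: int
    patch: int

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Version:
    """Parse major-release.minor-release.service-pack.patch into integers."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a four-part version: {text!r}")
    return Version(*(int(part) for part in m.groups()))

def plan_update(inventory, selected, target, sa_server="sa-server"):
    """Return the selected hosts in update order, or raise ValueError.

    Rules taken from the page: the SA Server Host is updated first, and
    no other host may end up on a later version than the SA Server Host.
    """
    goal = parse_version(target)
    current = {host: parse_version(v) for host, v in inventory.items()}
    unknown = [h for h in [sa_server, *selected] if h not in current]
    if unknown:
        raise ValueError(f"hosts not in inventory: {unknown}")
    # Version the SA Server Host will be on once this plan has run.
    sa_after = current[sa_server]
    if sa_server in selected:
        sa_after = max(sa_after, goal)
    order = []
    for host in selected:
        if current[host] >= goal:
            continue  # already at or past the target, nothing to apply
        if host != sa_server and goal > sa_after:
            raise ValueError(f"{host}: update the SA Server Host to {target} first")
        order.append(host)
    # Stable sort: SA Server Host first, other hosts keep their selected order.
    order.sort(key=lambda h: h != sa_server)
    return order

# Constructed inventory (hypothetical host names and versions).
INVENTORY = {"sa-server": "10.6.1.0", "broker": "10.6.1.0", "log-decoder": "10.6.0.2"}

if __name__ == "__main__":
    print(plan_update(INVENTORY, ["broker", "sa-server", "log-decoder"], "10.6.1.2"))
```

Versions are compared as integer tuples, so a patch level of 10 sorts after 9, which a plain string comparison would get wrong.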


Maintaining Services

You use the Services view to add, edit, delete, monitor, and perform other maintenance tasks for the services in your deployment. See Service Procedures for detailed instructions on the tasks you perform from the Hosts view.
