Broker: Step 3. Configure Aggregate Services

Document created by RSA Information Design and Development on Jun 26, 2017
Version 1Show Document
  • View in full screen mode
  

This topic introduces tasks related to data aggregation on Brokers and Concentrators. For information on creating group aggregation, see Configure Group Aggregation. in the Deployment Guide.

Configuring the aggregate services (whose data is consumed and aggregated) includes:

  • Adding, editing, and deleting Concentrators and Decoders as aggregate services
  • Toggling an aggregate service online and offline

Procedures

Add Aggregate Services to a Broker or Concentrator

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Administration Services view, select a Broker or Concentrator, and select Actions menu cropped  > View > Config.
    The Services Config view for the selected service is displayed.
    broker_srv.png
  3. Click Icon-Add.png in the Aggregate Services toolbar.
    The Available Services dialog is displayed.
    BrkrAvailSvs.png
  4. Select one or more services to be added and click OK.
    The added services are listed in the Aggregate Services grid. 
    AggSvs-C.png
  5. To save the changes, click Apply.

Remove Aggregate Services from a Broker or Concentrator

Note: This option applies only to offline services. If the aggregate service is online, you must first toggle the service offline.

  1. In the Aggregate Services grid, select one or more services.
  2. Click Icon_Delete_sm.png in the toolbar.
    The service is removed from Aggregate Services grid. 
  3. To save the change, click Apply.

Edit Aggregate Services on a Concentrator

Note: This option applies only to offline services. If the aggregate service is online, you must first toggle the service offline.

You can limit the data being consumed from an aggregate service using meta fields and filters. To configure this:

  1. In the Aggregate Services grid, select one or more services.
  2. Click icon-edit.png in the toolbar.
    • If the service was added on a different instance of Security Analytics, you must add it to this instance of Security Analytics in order to edit. A warning dialog offers the opportunity to add the service. If you click Yes, the Add Service dialog is displayed.
    • If the service is online, a dialog notifies that the service must be offline and requests confirmation that you want to continue. If you click Yes, Security Analytics takes the service offline and the Edit Aggregate Service dialog is displayed.
    • If the service is offline, the Edit Aggregate Service dialog is displayed with the editable properties for an aggregate service on a Concentrator.
      104AggEdit.png
  3. Click a type of metadata in the Meta Include tab to select the type of metadata for the Concentrator to consume from this service.
  4. To specify a rule to filter data that the Concentrator consumes from this service, compose a rule in the Meta Filter tab. 
  5. Click Close.
    The Edit Aggregate Service dialog closes and the changes are shown in the Aggregate Services grid. In this example, two meta were selected on the Meta Include tab. When you click the information icon in the Meta Include field, it shows the selections. 
  6. To save the changes, click Apply.

Toggle Service

When data aggregation starts, Brokers and Concentrators consume data from aggregate services that are online. When first added to a Broker or Concentrator, aggregate services are offline. To toggle a service between online and offline:

  1. Select a service in the Aggregate Services grid.
  2. Click 104ToggleServ.png.
    The status is changed.
You are here
Table of Contents > Broker and Concentrator Configuration > Step 3. Configure Aggregate Services

Attachments

    Outcomes