You use Group Aggregation to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them. You can configure multiple Archiver services or Concentrator services to efficiently aggregate from multiple Log Decoder services to improve query performance on the data:
- Stored in the Archiver.
- Processed through the Concentrator.
RSA Group Aggregation Deployment Recommendations
RSA recommends the following deployment for Group Aggregation:
- 1 - 2 Log Decoders
- 3 - 5 Archivers or Concentrators
Advantages of Using Group Aggregation
- Increases the speed of RSA NetWitness Platform queries.
- Improves the performance of aggregate queries (Count and Sum) on the environment.
- Enhances investigation service performance.
- Gives you the option of storing data for a longer duration for investigation purposes.
The following diagram illustrates Group Aggregation.
You can have any number of Archivers or Concentrators grouped together and form an aggregation group. The Archiver or Concentrator services in the group divide all the aggregated session between them based on the number of sessions defined in the Aggregate Max Sessions parameter.
For example, in an aggregation group containing two Archiver services or two Concentrator services with the Aggregate Max Sessions parameter, set to 10000 the services would divide the session between themselves as illustrated in the following table.
Configure Group Aggregation
Complete this procedure to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them.
Plan the network design for group aggregation. The following figure is an example of a group aggregation setup.
Ensure that you understand the Group aggregation parameters in the following table, and create a group aggregation plan.
Set up Group Aggregation
This workflow shows the procedures you complete to configure group aggregation.
Complete the following steps to set up group aggregation.
- Configure multiple Archiver or Concentrator services in your environment. Make sure that you add the same Log Decoder as data source to all the services.
Perform the following on all the Archiver or Concentrator services that you want to be part of aggregation group:
- Go to Admin > Services.
Select the Archiver or Concentrator service, and in the Actions column, select View > Config.
The Service Config view of the Archiver or Concentrator is displayed.
- In the Aggregate Services section, select Log Decoder.
- Click to change the status of the Log Decoder to offline if it is online.
The Edit Aggregate Service dialog is displayed.
The Edit Group Aggregation dialog is displayed.
Select the Enabled checkbox and set the following parameters:
- In the Group Name field, type the group name.
- In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
- In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
- In the Membership Mode drop-down menu, select the mode.
- Click Save.
- In the Service Config View page, click Apply.
- Perform Step b to Step i on all other Archiver or Concentrator services that need to be part of group aggregation.
In the Aggregation Configuration section, set the Aggregate Max Sessions parameter set to 10000.