How does an ESA behave after recovering from outage? (resuming aggregation)
What happens if ESA stops aggregation then resume after some time for any reason, e.g., service stopped/appliance rebooted/source device outage/upgrade, etc.?
Does ESA resumes aggregation from where it left, or just starts aggregation from the current time, or is it configurable?
The main concern is about the possibility of missing ESA alerts during planned/unplanned outage.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Since aggregation is done from either concentrator or decoder, then when a service restart is done on ESA, when it comes up it will pick up where it left.
Just as concentrator does when aggregating from decoder.