We are in the process of consolidating rules on master and slave sites and would like to have the same views and rules on both sites. How can this be done? Are we going to get two alerts, since the rules are the same?
If the goal is simply to have copies of the rules on each site, that is easy enough. Just export the correlation rules from the first A-SRV then import them onto the second A-SRV.
If you don't want duplicate alerts to be triggered, then don't enable them on the second A-SRV.
Would it help if we create device groups (one for Master, one for Slave) and by doing so avoid two alerts being generated?
Sure, you could do that. Just make sure you include the device groups as part of your rule!