I was wondering if there are any vms that have the broker built into the SA?
The standard OVA files separate the Broker service from the Security Analytics Server services.
I have heard of customers and engineers building their own "hybrid" appliances where the Concentrator and Decoder services run on the same virtual machine but we don't ship a Hybrid OVA.
There is no reason you could not install the Broker service on a virtual Security Analytics Server but you would want to size the virtual machine specifications appropriately. Of course, this would be a non-standard implementation of the virtual machines and you would have to run some mongo commands to register the Broker service. But this configuration would mimic the physical appliances so it should not require a great deal of effort to manage the appliance. Just mention it to Support when you open a ticket so they know the virtual machine is non-standard in this regard.
You could also purchase a separate virtual Malware appliance if you did not want to use the included, limited malware service included with the virtual Security Analytics Server appliance.
Hope that helps.
Why would you want to run the Broker VM joined up with SA Server versus separately?
I have not put this thought thru the ringer, but the main reason, would be resource utilization compared to the recommended minimum cpu and memory allocation for the SA head unit. I have not run any metrics, but without the overhead of the broker, it seems like the minimum specs are a bit much if the malware and reporting functions are not being utilized to the full potential.
I do see the benefits of being able to break it out and give more resources to the broker(s) based on the load.
Yes, thanks for answering the question. Ill see what SCOL has pertaining to mongo commands to register the broker. Thanks again.
Retrieving data ...