
How to configure HA log collection?

Question asked by Tomi Reiman on Apr 11, 2017
Latest reply on Jun 21, 2017 by KEVIN DIENST

I am interested in whether someone has found a robust solution for creating fault-tolerant log collection in their NetWitness Logs architecture. What I usually see are recommendations to configure a VLC to fail over to a second Log Decoder (Local Log Collector) in case of a failure, but this does not solve the issue that whenever I have a problem with the VLC itself or when I want to upgrade the VLC, there will be nothing accepting the incoming logs.

We have tried to circumvent this by using an F5 load balancer in front of the VLCs, but if and when we would prefer to use TCP for Syslog forwarding where possible, we would lose the actual device.ip, which gets replaced by that of the F5 SNAT IP. As you might imagine, losing the real device.ip will then lead to all sorts of problems with ESM etcetera.

Has anyone found a decent solution (besides using UDP and an external load balancer) for this problem?
