© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Building a high availability ArcSight solution Paul Brettle – Presales Manager, Americas Pacific Region #HPProtect


  • What is high availability?

    High availability is a system design approach and associated service implementation that ensures a prearranged level of operational performance will be met during a contractual measurement period.

    1. Elimination of single points of failure. This means adding redundancy to the system so that failure of a component does not mean failure of the entire system.
    2. Reliable crossover. In multithreaded systems, the crossover point itself tends to become a single point of failure. High availability engineering must provide for reliable crossover.
    3. Detection of failures as they occur. If the two principles above are observed, then a user may never see a failure. But the maintenance activity must.

  • What is disaster recovery?

    Disaster recovery (DR) involves a set of policies and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster. [1] Disaster recovery focuses on the IT or technology systems supporting critical business functions.

    Critical differentiation: What do I need? How do I approach it? What is the minimum that I will accept?

  • But what is high availability?

    Understand what is required, the approach and the differences across: data, systems, usage, resilience, processing.

    Understand the differences between hot, warm and cold!

  • Prioritize and organize

    What are the drivers for this? Regulation? Legislation? Compliance? Good governance/best practice?

    Start examining the critical components. Look at systems, processes and models to assist you. More on this later!

  • What do I get by default?

    Communications: reliable communications
    Cache: built in, once collected, for all SmartConnectors
    Commit: commit model for storage of data (SmartConnector -> ESM)
    Recovery: archive files
    Hardware: dual power supply, reliable hardware, hot-swap components and storage

  • ArcSight Architecture

    Diagram: SmartConnectors -> ArcSight ESM Instance (Manager, Database, SAN) -> ArcSight Logger Instance (Logger, SAN optional); Connector Appliance (optional); Analysts.

    Events from all SmartConnectors will be forwarded to the ESM Instance.

    Enriched events from ESM will be forwarded to Logger for long-term event storage.

    All SmartConnectors are managed remotely via the ArcSight Connector Appliance or ESM Manager.

    Analysts will leverage the ArcSight Console or a web browser to access ESM, Logger, and CA (Connector Appliance).

  • ArcSight Architecture

    Diagram: SmartConnectors -> ArcSight Logger Instances (2+, AUP Master) <-> ArcSight ESM Instance (Manager, Database, SAN); Connector Appliance; Analysts.

    Events from all SmartConnectors will be forwarded to separate Loggers for load balancing purposes. Loggers are configured in a Peer Network.

    Events of interest will be forwarded from Logger to ESM for real-time correlation. Correlated events will be forwarded back to Logger for long-term storage.

    All SmartConnectors are managed remotely via the ArcSight Connector Appliance.

    Analysts will leverage the ArcSight Console or a web browser to access ESM, Logger, and CA (Connector Appliance).

  • ArcSight Architecture

    Diagram: per region, SmartConnectors -> Regional ESM Instance (Manager, Database, SAN) <-> ArcSight Logger Instances (Loggers, Connector Appliance optional); each Regional ESM Instance -> Global ESM Instance (Manager, Database, SAN) -> Logger (optional); Analysts.

    Events from all SmartConnectors will be forwarded to the Regional ESM Instances.

    Events of interest will be forwarded from Logger to ESM for real-time correlation. Correlated events will be forwarded back to Logger for long-term storage.

    Correlated and the base events will be forwarded from each Regional ESM Instance to the Global ESM Instance for Global Correlation.

    Globally correlated and base events will be forwarded from the Global ESM Instance to Logger for long-term storage.

    Loggers can be configured in a Peer Network for a holistic view of all events in the environment.

    All SmartConnectors are managed remotely via the ArcSight Connector Appliance.

    Analysts will leverage the ArcSight Console or a web browser to access the Global or Regional ESM and Logger Instances.

  • Connector layer

    Push connector type: load balanced; needs consistency; typically used for Syslog and large volumes.

    Diagram: source devices -> load balancing IP -> SmartConnector Node 1 / Node 2 -> ArcSight Logger/Express/ESM. Session information is shared for load balancing only.

    Here a two-node load balancing solution can be deployed. The load balancing system can be used to spread the load between two or more nodes for processing. There is no need for clustering here, as we simply want to process the logs and events, and this represents the most efficient method to do this.

    The source devices send their logs and events directly to the load balancing IP address using their native protocol, such as Syslog.

    Each SmartConnector forwards on the encrypted, compressed and processed events to the ArcSight solution.

  • Connector layer

    Pull connector type: log messages not lost; active HA needed; requires consistency; typically not implemented.

    Diagram: sources <- active node (SmartConnector) | passive node; shared disk between the nodes; -> ArcSight Logger/Express/ESM.

    Two-node active/passive cluster for the SmartConnector. Should the active node fail for any reason, the passive node can continue where it left off. Since the shared disk is used, all current events are processed with no loss or duplication.

    The SmartConnector connects to the sources directly from the active node. All processing is done by the active node, but state information is stored on the shared drive.

    The SmartConnector forwards on the encrypted, compressed and processed events to the ArcSight solution.
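    The active/passive pull connector above depends on one thing: the "where it left off" state living on the shared disk rather than on the node. The following is an added example, not code from the deck or from the ArcSight product. It simulates a pull connector that checkpoints after every forwarded event, crashes, and is replaced by the passive node, and contrasts shared-disk state with node-local state (the source records, checkpoint file format and function names are all constructed).

```python
import json, os, tempfile

# Constructed stand-in for a pulled log source (a table or file read by a pull-type
# SmartConnector); records are addressed by sequence number.
SOURCE_RECORDS = [f"constructed event {i}" for i in range(1, 11)]

def load_checkpoint(path):
    """Last sequence number fully forwarded, 0 if no checkpoint exists yet."""
    if not os.path.exists(path):
        return 0
    with open(path) as f:
        return json.load(f)["last_seq"]

def save_checkpoint(path, seq):
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"last_seq": seq}, f)
    os.replace(tmp, path)  # atomic rename: a crash never leaves a torn checkpoint

def run_node(name, checkpoint, destination, fail_after=None):
    """One cluster node acting as the active node; every forwarded event is
    checkpointed. fail_after simulates a crash after that many sends."""
    seq = load_checkpoint(checkpoint)  # resume where the previous active node stopped
    sent = 0
    while seq < len(SOURCE_RECORDS):
        if sent == fail_after:
            raise RuntimeError(f"{name} crashed")
        destination.append(SOURCE_RECORDS[seq])  # forward to Logger/ESM
        seq += 1
        save_checkpoint(checkpoint, seq)  # commit progress before pulling the next record
        sent += 1
    return seq

def failover_demo(shared_disk=True):
    """Active node dies after 4 events and the passive node takes over. With the
    checkpoint on shared disk the destination gets every event exactly once; with
    node-local state the passive node starts at 0 and the first four arrive twice."""
    workdir = tempfile.mkdtemp()
    destination = []
    active_ckpt = os.path.join(workdir, "active.checkpoint")
    passive_ckpt = active_ckpt if shared_disk else os.path.join(workdir, "passive.checkpoint")
    try:
        run_node("active", active_ckpt, destination, fail_after=4)
    except RuntimeError:
        pass  # cluster software detects the failure and promotes the passive node
    run_node("passive", passive_ckpt, destination)
    return destination
```

    Checkpointing after the send gives exactly-once delivery only while the checkpoint write cannot be lost; if the node can die between the send and the checkpoint, the takeover re-sends that one event, which is the duplication the shared-disk design is meant to bound.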

  • Log storage layer

    Dual feed strategy: duplicate in two Loggers; no replication needed.

    Diagram: devices -> Connector -> Main Logger and Logger at the DR site.

    Devices send/receive their logs and events to and from the Connector in their native formats as required. Typically this will be via Syslog, which uses UDP.

    The Connector receives/pulls the events and forwards on to the configured Loggers.

  • Log storage layer

    Warm standby model: backup configuration; access archives; provide cache at connectors.

    Diagram: devices -> shared IP -> Main Logger; archive storage device; Logger at the DR site.

    Devices send/receive their logs and events to and from the shared IP in their native formats as required. Typically this will be via Syslog, which uses UDP.

    Storage device used for archived daily logs. The secondary Logger can retrieve archives as necessary.

    Logger at the DR site: configuration restored to access the stored data and assume the role of the main Logger.

  • Log storage layer

    Most effective solution: dual feed and dual archive. Easy to restore; little impact; no replication needed; be aware of the network.

    Diagram: devices -> Connector (plus a Connector at the remote site) -> Main Logger and Logger at the DR site; both Loggers archive to a storage system.

    Devices send/receive their logs and events to and from the Connector in their native formats as required. Typically this will be via Syslog, which uses UDP.

    The Connector receives/pulls the events and forwards on to the configured Loggers.

    Loggers auto-archive to the storage system for resilient long-term storage.
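    The dual feed strategy on this slide and on the earlier log storage slide works because the Connector, not a replication job, delivers each event to both Loggers, and the SmartConnector cache listed under the defaults absorbs an outage at either site. The following is an added example, not code from the deck or from the ArcSight product: a small simulation of a connector fanning out to a main and a DR Logger with an independent cache per destination, where the DR link drops for two events and the backlog drains once it returns (the Logger stub, event text and class names are constructed).

```python
from collections import deque

class StubLogger:
    """Constructed stand-in for an ArcSight Logger; `up` False simulates a site/link outage."""
    def __init__(self, name):
        self.name, self.up, self.store = name, True, []

    def receive(self, event):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        self.store.append(event)

class DualFeedConnector:
    """Forwards every event to each Logger independently, with a per-destination cache."""
    def __init__(self, destinations):
        self.destinations = destinations
        self.cache = {d.name: deque() for d in destinations}

    def forward(self, event):
        for d in self.destinations:
            self.cache[d.name].append(event)  # queue first, then drain in order
            self.flush(d)  # a real connector would also retry cached events on a timer

    def flush(self, d):
        q = self.cache[d.name]
        while q:
            try:
                d.receive(q[0])
            except ConnectionError:
                return False  # keep the event cached; retry on the next flush
            q.popleft()  # drop from the cache only once the Logger accepted it
        return True

def dual_feed_demo():
    """Six constructed syslog-style events; the DR link is down while events 3 and 4
    arrive and back before event 5. Returns both stores and the peak DR cache depth."""
    main, dr = StubLogger("main-logger"), StubLogger("dr-logger")
    conn = DualFeedConnector([main, dr])
    events = [f"<134>host app: constructed event {i}" for i in range(1, 7)]
    peak_dr_cache = 0
    for i, e in enumerate(events, 1):
        dr.up = i not in (3, 4)  # DR site unreachable while events 3 and 4 arrive
        conn.forward(e)
        peak_dr_cache = max(peak_dr_cache, len(conn.cache["dr-logger"]))
    return main.store, dr.store, peak_dr_cache
```

    The outage stalls only the DR feed: the main Logger never notices, the DR cache peaks at two events, and both stores end identical and in order, which is what lets the DR site take over with no replication step.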

  • Correlation layer

    ESM with Oracle: simple fail-over to a single DB; use commercial solutions; tried and trusted. Replicate the database; several technologies available. Fail-over Manager starts; Console re-connects.

    Diagram: ArcSight Console -> Primary Manager (heartbeat to the Fail-over Manager) -> Oracle database.

    Here a primary Manager is used as the single processing server for the correlation etc. of the ESM solution. All communications to the database come from the single primary Manager.

  • Correlation layer

    ESM with CORR-Engine (CORRe): no single DB; need to replicate the DB; consider the options. Consider ESM/Express; look at the options; work out the difference: HA or DR.

    Diagram: ArcSight Console -> Primary Manager with its CORR database; replication to the Fail-over Manager with its own CORR database.

  • Options?

    Hardware: power, disk, network
    Software: HA/fail-over/cluster software
    Operating system: HA/fail-over/cluster software
    Virtualization: don't forget what you can get here; usually a cost option

  • Summary

    Lots of options: consider what is needed and how to address it.
    HA deployed at a lot of customers: using in-built and external technologies.
    Only as strong as the weakest link: plan and understand the issues.

  • Please give me your feedback

    Please fill out a survey. Hand it to the door monitor on your way out.

    Thank you for providing your feedback, which helps us enhance content for future events.

    Session TT3058, Speaker Paul Brettle

  • Thank you
