This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Concentrator vs. Archiver

TomiReiman
Beginner
Beginner

‎2016-05-13 07:04 AM

Is it possible to deploy a SA ecosystem with zero concentrators? My suggestion/use case would be the following:

 

  • n log decoders,
  • 1 archiver
  • 1 broker

 

First of all, am I able to aggregate sessions from multiple log decoders should n > 1? Second, would I be able to minimize storage requirements this way, since I would not have store a long-term packetdb on the log decoder, because archiver stores raw logs as well? Third, is the broker necessary? I included it only because if one manually navigates to Investigate - at least in 10.5.1 - the service selection for investigation does not include archivers (however, choosing investigate for an archiver IS possible at least via the services dashlet, which is included in the default dashboard).

 

Basically I can only think of the drawback that with archiver I am not able to separate the index onto SSDs even if I wanted to. Are there really any other downsides to going with an archiver instead of a concentrator? I am of course presuming that the performance setback of the compression is accepted as part of the solution.

0 Likes
1 REPLY 1

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2016-05-17 06:34 AM

Hey Tomi,

 

1) This is possible.

2) Yes, you can aggregate from multiple Log Decoders using only one Archiver. But this depends on EPS ingestion rates of the Log Decoder(s) as well as customisations such as heavy parsing, Feeds, warehouse connector, etc.

3) Correct, the Archiver will store RAW logs and metadata (but remember, by default an Archiver will not index as much metadata as a Concentrator would)

4) It would be recommended to have the Broker for investigation purposes, this also allows for the system to scale. You would also need an SA Server in order to configure, license and administer the appliances

 

 

It really depends upon your use case(s), if the system is just to run reports this could be a solution. But for analysing data in near real-time a Concentrator is they way forward, the index sits on the SSD's you mentioned and allows for fast ad-hoc queries that the Archiver cannot deliver at the same speed due to compression of the data and using HDD's.

 

ESA appliances are also set to consume from the Concentrator appliances, so if wanting to perform advanced correlation with an ESA, a Concentrator would be required.

 

Cheers,

Lee

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.