2017-04-11 03:56 AM
I am interested in whether someone has found a robust solution for creating fault-tolerant log collection in their NetWitness Logs architecture. What I usually see are recommendations to configure a VLC to fail over to a second Log Decoder (Local Log Collector) in case of a failure, but this does not solve the issue that whenever I have a problem with the VLC itself or when I want to upgrade the VLC, there will be nothing accepting the incoming logs.
We have tried to circumvent this by using an F5 load balancer in front of the VLCs, but if and when we would prefer to use TCP for Syslog forwarding where possible, we would lose the actual device.ip, which gets replaced by that of the F5 SNAT IP. As you might imagine, losing the real device.ip will then lead to all sorts of problems with ESM etcetera.
Has anyone found a decent solution (besides using UDP and an external load balancer) for this problem?
2017-04-11 04:07 AM
Just found this earlier post: VLC Failover without using a third-party load balance solution. This might actually be what I am looking for. Still eager to hear about any experiences on that or anything else regarding this issue as well.
2017-04-11 03:28 PM
Tom -
I spoke with an RSA resource about the potential to do HA/load balancing for log collection and perhaps he can add his expertise directly in this thread.
I've tested using an F5 VIP for UDP syslog and as you mentioned it works great, however for TCP we have that SNAT problem.
Instead we're looking at creating a round-robin Infoblox record to keep all the destination collector IPs in one A record and then just cycle through them as requested. A few problems and benefits of this approach.
PRO
CON
Keep in mind I haven't tested the round-robin DNS record method yet, it just will provide enough benefit with little impact that we're going to explore it some more.
2017-04-12 11:15 AM
This could work and would be a no/low cost solution, however, what measures are in place to ensure the hosts in that 'DNS pool' are available? What happens (how does InfoBlox handle) when one of the pool members is down?
2017-06-21 01:11 PM
You're right Naushad, there is nothing Infoblox does from a health perspective. I'd have to MANUALLY go update the round-robin A record and remove hosts that are down.
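The missing piece the last two replies identify is a health check over the members of the round-robin A record. The script below is an added example, not code from the thread or from RSA: it resolves every address behind the record, attempts a TCP handshake to the syslog port on each, and lists the members that should be pulled from the record. The record name `vlc-pool.example.internal`, port 514 and the timeout are assumptions.

```python
"""Health check for a round-robin DNS pool of TCP syslog collectors (VLCs).

Resolves the pool's A record, tries a TCP connect to the syslog port on every
member, and reports which members are down so they can be removed from the
record. Record name, port and timeout below are constructed assumptions.
"""
import socket
from typing import Callable, Dict, List

SYSLOG_TCP_PORT = 514   # assumed collector listening port
CONNECT_TIMEOUT = 2.0   # seconds to wait for the handshake


def resolve_pool(record_name: str) -> List[str]:
    """Return every IPv4 address behind a round-robin A record (sorted, deduplicated)."""
    infos = socket.getaddrinfo(record_name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connect_ok(ip: str, port: int, timeout: float) -> bool:
    """True if a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def check_pool(members: List[str], port: int = SYSLOG_TCP_PORT,
               timeout: float = CONNECT_TIMEOUT,
               connect: Callable[[str, int, float], bool] = tcp_connect_ok) -> Dict[str, bool]:
    """Map each pool member to True (accepting TCP) or False (down).

    `connect` is injectable so the logic can be exercised without a network.
    """
    return {ip: connect(ip, port, timeout) for ip in members}


def down_members(status: Dict[str, bool]) -> List[str]:
    """Members that should be removed from the A record until they recover."""
    return sorted(ip for ip, ok in status.items() if not ok)


if __name__ == "__main__":
    pool = resolve_pool("vlc-pool.example.internal")  # constructed record name
    status = check_pool(pool)
    for ip, ok in status.items():
        print(f"{ip}\t{'UP' if ok else 'DOWN'}")
    if down_members(status):
        print("remove from A record:", ", ".join(down_members(status)))
```

A TCP connect only proves the listener is up, not that the VLC is forwarding to its Log Decoder; run it from a scheduler and feed the DOWN list into whatever updates the record.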