2015-08-10 04:37 AM
Hello,
I am a little bit confused about All-in-One appliances. Suppose we have a requirement for a logs as well as a packets solution, and the EPS and Mbps requirements are not that high. In that situation, will we go with two separate All-in-One boxes including the ESA, or will we have to get two separate Hybrid boxes (one for packets and the other for logs), a Broker, an ESA and an Application Server box?
I am confused because if we go with two All-in-one boxes they will be two different solutions, and how will they be integrated without a broker?
Can you please suggest which option is better?
Thanking You
Zia
2015-08-10 06:13 AM
Hi Zia,
AIO runs all the Security Analytics services (SARE, Concentrator, Decoder); Hybrid only has Concentrator and Decoder or Log Decoder. In both setups you will have to take 2 different setups, i.e. one for logs and the other for packets.
With AIO it will indeed be 2 different solutions, and they cannot be integrated together. With Hybrid you can have the log and packet (Hybrid) integrated in one SA server, and the correlation can be carried out on one ESA appliance. So Hybrid will be the better solution in your scenario.
Thanks,
Anurag.
2015-08-10 06:21 AM
Hi Anurag,
Thanks for your response. It cleared up what I was confused about.
But you mentioned that log and packet (Hybrid) will be integrated with the one SA Server. So to integrate these with the one SA Server, will I need a Broker appliance as well?
Regards
Zia
2015-08-10 10:50 AM
The Broker service will be running on the SA head appliance, so you can aggregate from both Hybrid appliances from one SA appliance.
Thanks,
Anurag
2015-08-11 03:04 AM
Hi Anurag,
Thanks for your response. It has solved my confusion.
Regards
Zia
2015-09-16 11:06 AM
So in that case you don't need to purchase any broker; there is an option on the SA appliance itself that lets you run a broker service on it.
All you need to do is contact support to get the RPMs of the broker and then go ahead with it.
That's it.
Regards,
Deepanshu Sood
2015-09-16 11:27 AM