2017-05-08 09:16 AM
Friends,
Seeking your valuable inputs here!
We have a pair of VLC/Decoder/Concentrator/Archiver for one of the customer sites. So actually, which device will be interacting with the #Archiver? And which all would be with the #SAN?
Secondly, the customer would like to complete POST & Burn-In tests before actually starting deployment. Do we have these things documented somewhere? Do we use any external tools to do so?
Thanks in advance.
2017-05-08 09:25 AM
The Archiver only pulls data from the Decoder. It does not need access to the Concentrator or the VLC. I have not seen documentation on POST and burn-in so I can't help there.
2017-05-08 09:42 AM
Hi Pavan,
As Sean mentioned, the Log Decoder is the data source for the Archiver. Also, the Archiver is a data source for Reporting.
RSA recommends DAC for additional storage for NetWitness appliances. Run the nwraidutil.pl command in a PuTTY console. If Adapter 1 has physical disks, then it must have additional storage. Some customers prefer adding a SAN instead of a DAC.
In case you need them, the documents at https://community.rsa.com/community/products/netwitness/hardware-setup-guides help with the initial hardware setup and installation procedure for each appliance.
2017-05-08 11:12 AM
Hi Pawan,
First of all, you should know the traffic flow. In SIEM language we would say “Log Traversal”:
A simple example will be:
VLC > Log Decoder/Decoder > Log Concentrator/ Concentrator > Broker
“Secondly customer would like to complete POST & Burn-In test before actually starting deployment, Do we have these things documented somewhere? Do we use any external tools to do so?”
“We have pair of VLC/Decoder/Concentrator/Archiver for one of the customer site, So actually which device will be interacting with #Archiver?”
The Archiver only takes input from Decoders: just go to the Archiver config and attach your Decoder to the Archiver. It will keep all metadata as an archive for the long term, in case you need it later.
https://community.rsa.com/docs/DOC-45706 -- follow this for Archiver backup options.
“And which all would be with #SAN?” What I believe is that you should attach extra storage to
your Concentrator and Decoder, and of course to the Archiver, but it will depend on how long you want to keep your logs according to your log retention policy. My suggestion is that you should contact support and ask them which main partitions in the Decoder and Concentrator should have big storage.
As I have seen, the session index and packetdb have most of the storage allotted on the Decoder,
and the meta index and session on the Concentrator;
you have to calculate the partition size for log retention.
For this my only suggestion is that you should start capturing logs one by one: first start Windows collection, then syslog, then any firewall logs, and at the same time monitor the EPS rate, otherwise you will soon crash your devices due to a flood of logs. I hope you have already integrated all event sources that will send logs to your SIEM; if not, you still have a long run to go, because only after that will your POST & burn-in test, which will be a benchmarking test, be possible.
Keep monitoring the EPS rate, and continue learning.
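An added example, not part of the thread and not RSA's own tooling, for the two calculations the last reply leaves to the reader: measuring the EPS rate from incoming syslog so you notice a flood early, and turning a sustained EPS plus a retention policy into a partition size for the Decoder (raw logs) and the Concentrator (meta/session index). The sample log lines are constructed, and the planning figures (500 bytes per event, index volume at 0.8 of raw, 20% headroom) are assumptions for illustration only, not RSA sizing guidance; replace them with figures measured on your own appliances.

```python
"""Added example: EPS measurement from syslog lines and retention-based storage sizing.

Not RSA NetWitness code. All sizing constants below are assumptions for illustration.
"""
from collections import Counter
from datetime import datetime
from math import ceil

# Constructed sample syslog lines (RFC 3164-style header, no year). Not real customer data.
# One line deliberately lacks a timestamp so the parser's failure path is exercised.
SAMPLE_LOGS = """May  8 09:16:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9
May  8 09:16:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.6 DST=10.0.0.9
May  8 09:16:01 dc01 Microsoft-Windows-Security-Auditing: 4624 logon
May  8 09:16:02 dc01 Microsoft-Windows-Security-Auditing: 4625 logon failure
May  8 09:16:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.0.9
May  8 09:16:04 web01 sshd[2101]: Accepted publickey for ops from 10.0.0.20
garbage line without a timestamp
May  8 09:16:04 fw01 kernel: DROP IN=eth0 SRC=10.0.0.8 DST=10.0.0.9
""".splitlines()

# Assumed planning figures (hypothetical): average raw event size, and the volume of
# meta/session index written per byte of raw log, which the thread places on the Concentrator.
AVG_EVENT_BYTES = 500
META_RATIO = 0.8
GIB = 1024 ** 3


def parse_syslog_second(line, year=2017):
    """Return the whole-second datetime from an RFC 3164 header, or None if the line has none."""
    try:
        # RFC 3164 headers carry no year, so one is supplied by the caller.
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def events_per_second(lines, year=2017):
    """Count parseable events per wall-clock second; unparseable lines are counted separately."""
    counts, unparsed = Counter(), 0
    for line in lines:
        ts = parse_syslog_second(line, year)
        if ts is None:
            unparsed += 1
        else:
            counts[ts] += 1
    return counts, unparsed


def eps_summary(lines, year=2017):
    """Peak and average EPS over the seconds the sample spans (inclusive), plus unparsed count."""
    counts, unparsed = events_per_second(lines, year)
    if not counts:
        return {"peak_eps": 0, "avg_eps": 0.0, "unparsed": unparsed}
    span_seconds = (max(counts) - min(counts)).total_seconds() + 1
    return {
        "peak_eps": max(counts.values()),
        "avg_eps": sum(counts.values()) / span_seconds,
        "unparsed": unparsed,
    }


def exceeds_eps_budget(lines, eps_budget, year=2017):
    """True when the peak second is above the EPS you planned the appliance for."""
    return eps_summary(lines, year)["peak_eps"] > eps_budget


def retention_storage_gib(eps, retention_days, avg_event_bytes=AVG_EVENT_BYTES,
                          meta_ratio=META_RATIO, headroom=0.2):
    """Return (decoder_gib, concentrator_gib) to hold `retention_days` at a sustained `eps`.

    Decoder holds raw logs; Concentrator holds meta/session index at `meta_ratio` of raw.
    `headroom` is extra space so the partitions are not sized exactly to the retention window.
    """
    raw_bytes = eps * avg_event_bytes * 86400 * retention_days
    decoder_bytes = raw_bytes * (1 + headroom)
    concentrator_bytes = raw_bytes * meta_ratio * (1 + headroom)
    return ceil(decoder_bytes / GIB), ceil(concentrator_bytes / GIB)


def retention_days_for(partition_gib, eps, avg_event_bytes=AVG_EVENT_BYTES, headroom=0.2):
    """Inverse check: how many whole days of raw logs a Decoder partition of `partition_gib` keeps."""
    bytes_per_day = eps * avg_event_bytes * 86400 * (1 + headroom)
    return int(partition_gib * GIB // bytes_per_day)


if __name__ == "__main__":
    print("EPS from sample:", eps_summary(SAMPLE_LOGS))
    print("Over a budget of 2 EPS?", exceeds_eps_budget(SAMPLE_LOGS, 2))
    dec, con = retention_storage_gib(eps=2000, retention_days=90)
    print(f"2000 EPS for 90 days: Decoder {dec} GiB, Concentrator {con} GiB")
    print("Days that Decoder partition actually covers:", retention_days_for(dec, 2000))
```

Run it against a tail of your own collector log instead of SAMPLE_LOGS while you onboard sources one by one, and watch `peak_eps` rather than the average: it is the burst, not the mean, that fills queues. The sizing functions are deliberately reversible (`retention_days_for` checks the number `retention_storage_gib` produced), which is the check to run before committing to a DAC or SAN LUN size.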