Step 4. (Optional) Configuring Group Aggregation

You use Group Aggregation to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them. You can configure multiple Archiver services or Concentrator services to efficiently aggregate from multiple Log Decoder services to improve query performance on the data:

  • Stored in the Archiver.
  • Processed through the Concentrator.

RSA Group Aggregation Deployment Recommendations

RSA recommends the following deployment for Group Aggregation:

  • 1 - 2 Log Decoders
  • 3 - 5 Archivers or Concentrators

Advantages of Using Group Aggregation

  • Increases the speed of NetWitness queries.
  • Improves the performance of aggregate queries (Count and Sum) on the environment.
  • Enhances investigation service performance.
  • Gives you the option of storing data for a longer duration for investigation purposes.

The following diagram illustrates Group Aggregation.

[Figure: Group Aggregation diagram]

Any number of Archivers or Concentrators can be grouped together to form an aggregation group. The Archiver or Concentrator services in the group divide all the aggregated sessions between them in blocks whose size is set by the Aggregate Max Sessions parameter.

For example, in an aggregation group containing two Archiver services or two Concentrator services with the Aggregate Max Sessions parameter set to 10,000, the services divide the sessions between themselves as illustrated in the following table.

Archiver 0 or Concentrator 0    Archiver 1 or Concentrator 1
1 - 9,999                       10,000 - 19,999
20,000 - 29,999                 30,000 - 39,999
40,000 - 49,999                 50,000 - 59,999

Configure Group Aggregation

Complete this procedure to configure multiple Archiver or Concentrator services as a group and share the aggregation tasks between them.

Prerequisites

Plan the network design for group aggregation. The following figure is an example of a group aggregation setup.

[Figure: example group aggregation setup]

Ensure that you understand the group aggregation parameters in the following table, and create a group aggregation plan before you begin.

Parameter         Description

Group Name        Determines the group to which the Archiver or Concentrator belongs. You can add any number of
                  groups aggregating data from a Log Decoder. The Log Decoder uses the Group Name parameter to
                  identify which Archiver or Concentrator services are working together, so all Archiver or
                  Concentrator services in the group should have the same group name.

Size              Determines the number of Archiver or Concentrator services in the aggregation group.

Member Number     Determines the position of the Archiver or Concentrator in the aggregation group. For a group
                  of size N, a member number from 0 to N-1 must be set on each Archiver or Concentrator service
                  in the aggregation group. For example, if the size of the aggregation group is 2, set the
                  member number of one Archiver or Concentrator service to 0 and the member number of the other
                  to 1.

Membership Mode   There are two membership modes:

                    • New: Adds a new Archiver or Concentrator service as a member of an existing aggregation
                      group, or creates an aggregation group. The service does not aggregate any existing
                      sessions from the source service (the Log Decoder), because the other members of the
                      group have already aggregated all the sessions on it. This Archiver or Concentrator
                      service aggregates only new sessions as they appear on the source service.
                    • Replace: Replaces an existing aggregation group member. The Archiver or Concentrator
                      begins aggregation from the oldest session available on the service it is aggregating
                      from.

Note: The Membership Mode parameter has an effect only when no sessions have yet been aggregated from the source service. Once some sessions have been aggregated, the parameter has no effect.
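The session split illustrated by the two-member table above and the parameter rules in this table, as an added Python model that is not part of the NetWitness documentation. It generalizes the example to N members under the assumption (inferred from the table, not documented product internals) that blocks of Aggregate Max Sessions are dealt round-robin to member numbers 0..N-1, and it checks a constructed group plan for the consistency the parameters require: the same Group Name and Size on every member, member numbers exactly 0..N-1, and a valid Membership Mode.

```python
# Added example, not from the RSA NetWitness documentation. Models how an
# aggregation group splits sessions and checks a group aggregation plan.
# ASSUMPTION: the split rule is inferred from the docs' 2-member, 10,000-session
# table (blocks of Aggregate Max Sessions dealt round-robin to members 0..N-1).
from dataclasses import dataclass


def member_for_session(session_id: int, max_sessions: int, size: int) -> int:
    """Return the member number (0..size-1) that aggregates session_id."""
    if session_id < 1 or max_sessions < 1 or size < 1:
        raise ValueError("session_id, max_sessions and size must be >= 1")
    return (session_id // max_sessions) % size


def session_ranges(max_sessions: int, size: int, blocks: int):
    """Rebuild the docs-style table as (member, first, last) tuples; ids start at 1."""
    return [(b % size, max(1, b * max_sessions), (b + 1) * max_sessions - 1)
            for b in range(blocks)]


@dataclass(frozen=True)
class MemberConfig:
    host: str              # constructed label for one Archiver or Concentrator
    group_name: str        # Group Name: must match across the whole group
    size: int              # Size: number of members in the group
    member_number: int     # Member Number: 0..size-1, unique per member
    membership_mode: str   # Membership Mode: "New" or "Replace"


def validate_group_plan(members: list[MemberConfig]) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not members:
        return ["no members configured"]
    names = {m.group_name for m in members}
    if len(names) != 1:
        problems.append(f"group names differ: {sorted(names)}")
    sizes = {m.size for m in members}
    if len(sizes) != 1:
        problems.append(f"size values differ: {sorted(sizes)}")
    size = members[0].size
    if len(members) != size:
        problems.append(f"size is {size} but {len(members)} members are configured")
    numbers = sorted(m.member_number for m in members)
    if numbers != list(range(size)):
        problems.append(f"member numbers must be exactly 0..{size - 1}, got {numbers}")
    for m in members:
        if m.membership_mode not in ("New", "Replace"):
            problems.append(f"{m.host}: unknown membership mode {m.membership_mode!r}")
    return problems
```

Running `session_ranges(10000, 2, 6)` reproduces the six ranges of the table above; a plan in which two services share member number 0 is reported as a problem before any service is reconfigured.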

Set up Group Aggregation

This workflow shows the procedures you complete to configure group aggregation.

[Figure: group aggregation configuration workflow]

Complete the following steps to set up group aggregation.

  1. Configure multiple Archiver or Concentrator services in your environment. Make sure that you add the same Log Decoder as the data source to all the services.
  2. Perform the following on each Archiver or Concentrator service that you want to be part of the aggregation group:

    1. Go to Admin > Services.
    2. Select the Archiver or Concentrator service, and select the actions icon > View > Config.

      The Service Config view of the Archiver or Concentrator is displayed.

    3. In the Aggregate Services section, select Log Decoder.
    4. Click the toggle service icon to change the status of the Log Decoder to offline if it is online.
    5. Click the edit icon.

      The Edit Aggregate Service dialog is displayed.

      [Figure: Edit Aggregate Service dialog]

    6. Click Group Aggregation.

      The Edit Group Aggregation dialog is displayed.

      [Figure: Edit Group Aggregation dialog]

    7. Select the Enabled checkbox and set the following parameters:

      • In the Group Name field, type the group name.
      • In the Size field, select the number of Archiver or Concentrator services in the aggregation group.
      • In the Member Number field, select the position of the Archiver or Concentrator in the aggregation group.
      • In the Membership Mode drop-down menu, select the mode.
    8. Click Save.
    9. In the Service Config view, click Apply.
    10. Repeat sub-steps 2 through 9 on every other Archiver or Concentrator service that needs to be part of group aggregation.
  3. In the Aggregation Configuration section, set the Aggregate Max Sessions parameter to 10000.

    [Figure: Aggregation Configuration section]