How to set up and test a Failover Local Collector for a Remote Collector on RSA Security Analytics
Issue
You can set up a Failover Local Collector that Security Analytics will fail over to if your primary Local Collector stops operating for any reason.
Tasks
For 10.5 - https://sadocs.emc.com/0_en-us/089_105InfCtr/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC
For 10.6 - https://sadocs.emc.com/0_en-us/088_SA106/135_LCGds/10LCDG/10_LCDGProc/10_CnfgLCsRCs/10_PushtoLC/00_FailovrLC
After completing this procedure, you will have set up a destination made up of local collectors such that when the primary Local Collector is unreachable, the Remote Collector attempts to connect to each local collector in this destination until it makes a successful connection.
Once Failover is set up, please follow the steps under Resolution to test whether Failover is working on RSA Security Analytics Collector.
Resolution
For instance: when the Primary Local Collector goes down, make sure that the Remote Collector sends the logs to the Standby Local Collector and switches back to the Primary Local Collector automatically once it comes back online.
Please follow the steps below to test whether failover is working on the RSA Security Analytics Collector.
1. Log in to the Security Analytics GUI.
2. Stop the "Primary Local Collector" service from Administrator --> Services --> Actions --> Stop
3. SSH to the Primary Local Collector and stop the rabbitmq service using the command below:
service rabbitmq-server stop
4. Navigate to the "Standby Local Collector" from the Investigation module in the SA UI and check whether it is getting the logs from the Remote Collector.
5. SSH to the Primary Local Collector and start the rabbitmq service using the command below:
service rabbitmq-server start
6. Start the "Primary Local Collector" service from Administrator --> Services --> Actions --> Start
7. Repeat the same steps, vice versa, for the Standby Local Collector.
Please follow the steps below to rebalance the setup so that each Remote Collector sends its logs to its respective Local Collector.
1. SSH to the Primary and Secondary Remote Collector.
2. Restart the collector and rabbitmq services using the commands below:
restart nwlogcollector
service rabbitmq-server restart
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article ID for further assistance.
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: SA Security Analytics Server, SA Log Collector
RSA Version/Condition: 10.5, 10.6