HA Deployment Scenario for Pull-Type Logs
- Pavan Raja

- Apr 8, 2025
Summary:
This document outlines a discussion between Dennis Liew and Yash Vartak about implementing High Availability (HA) for the ConnApp, which is used to pull various types of logs such as WUC (Wireless Universal Card) and DB (Database). The customer prefers an HP appliance solution. Two main strategies are proposed:
1. **Ensure Target System Capacity**: The target system should be designed with enough capacity to store logs until a failed connector infrastructure can be rebuilt. This method ensures minimal disruption, with a recovery time that could range from a few minutes to an hour. If rebuilding takes longer (up to a week or two), the target system must hold logs accordingly.
2. **Connector Clustering**: Another approach is ensuring at least one or more connectors per log source remain operational regardless of equipment failure. This focuses on maintaining service continuity rather than immediate log retrieval after a failure.
The email thread primarily concerns strategies for implementing HA for ConnApp, addressing issues related to ArcSight equipment failures and ensuring uninterrupted log processing. The customer's preference for an appliance solution from HP and their reluctance to manage the underlying OS are key factors in this discussion.
Details:
The email chain discusses a scenario for deploying High Availability (HA) for ConnApp when handling pull-type logs such as WUC (Wireless Universal Card), DB (Database), etc. The sender, Dennis Liew, seeks advice on how to set up HA for the ConnApp in an appliance solution preferred by customers.
In response, Yash Vartak explains that the approach depends on what "high availability" means to the customer. They suggest two methods:
1) Ensure the target system has enough capacity to store logs until the failed connector infrastructure can be rebuilt. If rebuilding takes a day and involves either replacing an existing Connector Appliance or using a temporary SW connector, the target system should be able to hold logs for up to a week or two before they are rolled over. This method ensures minimal disruption, with a recovery time that could take from a few minutes to an hour.
2) Another approach is to ensure at least one or more connectors per log source remain operational regardless of equipment failure. This focuses on maintaining service continuity rather than immediate log retrieval after a failure.
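A sizing check for the first approach, as an added example (not from the email thread and not ArcSight tooling): it models each pull source as a fixed-size log that rolls over, and flags sources that would drop records during a connector rebuild or could never be caught up afterwards. The source names, capacities and rates are constructed values, and the one-day and one-week outage lengths follow the figures mentioned above.

```python
from dataclasses import dataclass

@dataclass
class PullSource:
    name: str
    capacity_mb: float    # log space on the source before old records roll over
    rate_mb_per_h: float  # rate at which the source writes new records
    pull_mb_per_h: float  # rate at which a rebuilt connector can read them

def assess(src, outage_h):
    """Model one connector outage for one source; all inputs are assumptions."""
    retention_h = src.capacity_mb / src.rate_mb_per_h   # time until rollover
    backlog_mb = src.rate_mb_per_h * outage_h            # written while nothing pulls
    lost_mb = max(0.0, backlog_mb - src.capacity_mb)     # overwritten before recovery
    unread_mb = backlog_mb - lost_mb
    drain = src.pull_mb_per_h - src.rate_mb_per_h        # net catch-up speed
    # The backlog only shrinks if the connector reads faster than the source writes.
    catch_up_h = unread_mb / drain if drain > 0 else float("inf")
    return {"retention_h": retention_h, "lost_mb": lost_mb,
            "catch_up_h": catch_up_h,
            "safe": lost_mb == 0 and drain > 0}

def at_risk(sources, outage_h):
    """Names of sources that would drop records for this outage length."""
    return [s.name for s in sources if not assess(s, outage_h)["safe"]]

# Constructed sample inventory (not from the email thread).
SOURCES = [
    PullSource("dc01-security", 4096, 20, 100),
    PullSource("db-audit", 1024, 64, 128),
    PullSource("proxy-db", 8192, 50, 40),
]

if __name__ == "__main__":
    for hours in (24, 168):   # one-day rebuild, one-week worst case
        print(f"outage {hours} h: at risk -> {at_risk(SOURCES, hours)}")
        for s in SOURCES:
            print("  ", s.name, assess(s, hours))
```

A source whose pull rate does not exceed its write rate is reported as at risk even when the outage itself fits within retention, because the backlog keeps growing after the connector returns.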
The email thread demonstrates a discussion between the sender and Yash Vartak regarding HA deployment strategies for ConnApp, with an emphasis on understanding customer requirements and planning for potential infrastructural failures.
The message from Liew, Dennis, a Senior Technical Consultant at HP Enterprise Security Products, addresses the need for handling High Availability (HA) setup on ConnApp for pull-type logs such as WUC and DB. The customer prefers an appliance solution from HP and does not want to manage their own operating system.
The proposed approach involves placing a Load Balancer (LB) in front of a pair of ConnApps, but this configuration is not fully satisfactory due to specific requirements like the need for WUC logs. Dennis seeks guidance on alternative HA setups without additional agents or systems that could disturb existing infrastructure. The suggested solution should be feasible with an HP appliance and involve minimal system management by customers.
The email thread primarily concerns strategies for implementing High Availability (HA) for Connection Application (ConnApp) log pulling, addressing issues related to ArcSight equipment failures and ensuring uninterrupted log processing. Yash Vartak suggests two main approaches:
1. **Ensure Target System Capacity**: The first approach involves designing the target system to retain enough logs to cover the rebuild period after a failure. For instance, if rebuilding takes one day and might be performed by replacing an existing Connector Appliance or deploying temporary software connectors, the target should hold logs for up to a week or two before they are rolled over. This method ensures that there is no immediate loss of log data due to system failures, but recovery after a failure can take time.
2. **Connector Clustering**: The second approach involves setting up connector clustering, which is detailed in specific ArcSight documentation links provided by Yash Vartak. It's crucial to consult with the PreSales (PS) team before implementing this solution to ensure proper alignment and support.
The email exchange starts with Dennis Liew seeking information on how to handle HA setup for ConnApps designed to pull logs, while Yash Vartak provides guidance based on his experience and suggests two potential solutions: enhancing system capacity or deploying connector clustering techniques.
This communication is a series of emails between Dennis Liew and David Hoi from HP Enterprise Security Products regarding a deployment scenario for HA (High Availability) in a pull-type log environment using ConnApp (Connector Application). The customer prefers an appliance solution, meaning they do not want to manage their own operating system.
In this email exchange, there are several key points:
1. Customer preference: They specifically require a hardware appliance solution from HP and do not wish to manage the underlying OS themselves.
2. Importance of HA with ConnApp: A high availability setup is necessary due to business requirements.
3. Existing solution limitations: The current plan involves load balancing (LB) in front of two ConnApps, but this does not meet the customer's specific needs related to WUC (which are not detailed in the excerpt).
4. No additional agents like SNARE are preferred by the customer as they want minimal disturbance to their existing system.
5. Customer equipment bearing the load is considered a possible solution, although it was mentioned that no other solutions were provided in the email exchange.
Overall, the emails highlight the challenges of deploying HA for pull-type log appliances like ConnApp and the preferences of the customer regarding hardware and minimal impact on their existing systems.
Dennis Liew asked how to handle High Availability (HA) for a ConnApp used to pull logs. Yash Vartak explained two possible ways to do this:
1. **Ensuring Capacity for Log Storage**: If the design goal is not to lose any logs due to ArcSight equipment failure, you can ensure that there's enough space in the target system to hold logs until the connector infrastructure can be rebuilt after a failure. This could mean setting up the target system to store logs for a week or two before they roll over. While this method doesn't provide instant failover, it allows for quick recovery with proper planning and processes.
2. **Connector Clustering**: Another approach is using connector clustering as described in specific ArcSight documentation links provided by Yash. Before implementing this, it's important to consult with the PreSales team for their support.
Overall, both methods aim to ensure minimal disruption if a failure occurs and that log data can be recovered without loss.
To summarize the given text, it seems that Dennis Liew is reaching out to a customer and offering advice on appliance solutions. He mentions that for certain types of logs, like WUC or DB, they can be placed in front of ConnApps; however, he may want to consider customer preferences when suggesting these solutions.
The contact information provided at the end includes:
Dennis Liew's email: dennis.liew@hp.com
Address: 450 Alexandra Road #07‐00 Singapore (119960)
Mobile number: +65 9816 1019
Company website: www.hp.com.sg/security
