Hi Roberto,
HA for ECs is an expensive license and is not HA in that it protects from event loss.
Testing shows that failover takes between 60 and 180 seconds (on average) and ingest fully stops on both ECs. So you'll still get event loss. The "HA" is really a mechanism to cater for hardware failure, not failure of any of the software components.
The time delay is down to how long the ha_manager component takes to work out that there is no traffic on the SSH tunnels. The difference in time is down to whether it is a graceful failover (set offline), or a hard failure (power off).
Sadly, you will not find this described in any sales literature and there is no public statement on EC HA performance nor anything on the 101 or other sites.
If you don't mind some event loss, then by all means go for it.
It may be cheaper to front the EC with a log forwarder (e.g. Splunk). I know of several customers that use this approach, as no event loss is important to them. This covers a mix of SIEM products, from McAfee, IBM QRadar and LogRhythm, which is a polite way of saying they are all poor performers in this area.
Welcome views from product managers if this operating mode is likely to ever change.
Best wishes,
------------------------------
Darren H.
------------------------------
Original Message:
Sent: Thu July 02, 2020 02:31 AM
From: Roberto Ivars
Subject: Events behaviour when Event Collector is down
There's a question about Event Collector behaviour when the network is down (there's a queue of 5 GB if the EC cannot reach the EP).
But what if there are several log sources reporting to an Event Collector and the Event Collector is down? Do I need HA for the EC for this possible scenario?
Thanks a lot.
------------------------------
Roberto Ivars
------------------------------