RE: [ISSForum] one event collector write to two database?
From: Duncanson, Robert (robert.duncanson gb.unisys.com)
Date: Fri Sep 05 2003 - 23:09:14 CDT
Chan,
Sensor events can go only to one EC, and any EC can send events to only
one database. However one EC can actually be monitored by another EC,
effectively 'stacking' them and duplicating events.
The way it works is that one EC (the monitoring EC) connects to the other EC
(the monitored EC). The monitored EC is treated much like a sensor. Only
events from the sensors "behind" the monitored EC are duplicated to the
monitoring EC. It might look like this:

Sensor 1 ---|                                    |--- Sensor 4
Sensor 2 ---|                                    |--- Sensor 5
Sensor 3 ---==> EC-A1 -----> DB-A <----- EC-A2 <==--- Sensor X
                  |
                  |
                EC-B1 -----> DB-B

In the above example, sensors 1,2,3 are handled by EC-A1. EC-01 is monitored
by EC-B1. Events from sensors 1,2,3 are seen in both DB-A and DB-B. Because
the EC for sensors 4,5,.. is not monitored, those events are only seen in
DB-A. To provide full event coverage it might be extended like this:

Sensor 1 ---|                                    |--- Sensor 4
Sensor 2 ---|                                    |--- Sensor 5
Sensor 3 ---==> EC-A1 -----> DB-A <----- EC-A2 <==--- Sensor X
                  |                        |
                  |                        |
                EC-B1 -----> DB-B <-------EC-B2

But nothing says that it has to be symmetric. For example, if event volumes
permitted, it would be perfectly feasible to do the following instead:

Sensor 1 ---|                                    |--- Sensor 4
Sensor 2 ---|                                    |--- Sensor 5
Sensor 3 ---==> EC-A1 -----> DB-A <----- EC-A2 <==--- Sensor X
                |                            |
                |            DB-B            |
                |             |              |
                |----------> EC-B <----------|

There are some white papers from ISS on the subject, which explain the
configuration details. Monitoring is supported by Site Protector and the
later WGM releases. ISS claim that the monitoring EC must be in Site
Protector, but I have successfully used WGM EC's as both monitored and
monitoring EC's.
As I'm sure you've already considered, a completely different approach is to
replicate information at the database level. While I haven't tried it with
RealSecure databases, my guess is that, even with modest event flows, database
replication will cost more in bandwidth than EC monitoring.
Good luck!
Regards,
Robert
-----Original Message-----
From: Chan Kien Eng [mailto:eng essasia.net]
Sent: 05 September 2003 15:06
To: issforum iss.net
Subject: [ISSForum] one event collector write to two database?
Hi all,
Can one event collector write the data to two different databases?
Or
Can 1 sensor send events to two event collectors?
The reason I'm asking this is I'm trying to find a way to have
the data in 2 different databases in real time (or almost real time).
Does anyone have any other ideas on how to do this?
Thanks.
*******************************************
Chan Kien Eng, CISSP
Head (Technical and Engineering Division)
Evolution Security Solutions Sdn. Bhd.
15.09 Signature Office
The Boulevard, Mid Valley City
59200 Kuala Lumpur.
Email: eng essasia.net
Tel: 603-22879939 Ext 110
Fax: 603-22879929
"Make it works, make it better"
********************************************
*****Confidentiality Notice*****************
This message contains confidential
information and is intended only for the
individual named. If you are not the named
addressee you should not disseminate,
distribute or copy this e-mail. Please
notify the sender immediately by e-mail if
you have received this e-mail by mistake and
delete this e-mail from your system.
********************************************
_______________________________________________
ISSForum mailing list
ISSForum
iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
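
The stacking rules described in the reply above can be checked on paper before any collector is reconfigured. The following is an added example, not part of the original thread and not ISS tooling: it models the three diagrams and reports which sensors would have their events in only one database. The function names are hypothetical, and stacking is modelled one level deep (a monitoring EC receives only events from sensors directly behind the EC it monitors), which is an assumption based on the description in the message.

```python
from collections import defaultdict

def db_coverage(sensor_ec, ec_db, monitors):
    """Return {sensor: set of databases that end up holding its events}.

    sensor_ec: sensor -> the one EC it reports to
    ec_db:     EC -> the one database it writes to
    monitors:  monitoring EC -> list of ECs it monitors
    """
    watched_by = defaultdict(set)          # monitored EC -> monitoring ECs
    for mon, targets in monitors.items():
        for target in targets:
            if mon not in ec_db or target not in ec_db:
                raise ValueError(f"unknown EC in monitor link {mon} -> {target}")
            watched_by[target].add(mon)
    coverage = {}
    for sensor, ec in sensor_ec.items():
        dbs = {ec_db[ec]}                  # the sensor's own EC writes once
        for mon in watched_by.get(ec, ()): # each monitoring EC duplicates it
            dbs.add(ec_db[mon])
        coverage[sensor] = dbs
    return coverage

def single_db_sensors(coverage):
    """Sensors whose events are held in fewer than two databases."""
    return sorted(s for s, dbs in coverage.items() if len(dbs) < 2)

# Sensor placement taken from the diagrams in the message.
SENSORS = {"Sensor 1": "EC-A1", "Sensor 2": "EC-A1", "Sensor 3": "EC-A1",
           "Sensor 4": "EC-A2", "Sensor 5": "EC-A2", "Sensor X": "EC-A2"}

# First diagram: only EC-A1 is monitored.
PARTIAL = db_coverage(
    SENSORS, {"EC-A1": "DB-A", "EC-A2": "DB-A", "EC-B1": "DB-B"},
    {"EC-B1": ["EC-A1"]})

# Second diagram: one monitoring EC per monitored EC.
SYMMETRIC = db_coverage(
    SENSORS, {"EC-A1": "DB-A", "EC-A2": "DB-A",
              "EC-B1": "DB-B", "EC-B2": "DB-B"},
    {"EC-B1": ["EC-A1"], "EC-B2": ["EC-A2"]})

# Third diagram: a single EC-B monitors both collectors.
SHARED = db_coverage(
    SENSORS, {"EC-A1": "DB-A", "EC-A2": "DB-A", "EC-B": "DB-B"},
    {"EC-B": ["EC-A1", "EC-A2"]})

if __name__ == "__main__":
    for name, cov in (("partial", PARTIAL), ("symmetric", SYMMETRIC),
                      ("shared", SHARED)):
        print(name, "-> single-database sensors:", single_db_sensors(cov))
```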