High Availability Configuration Guide
Table of Contents
PURPOSE OF THE DOCUMENT
ABOUT EVENTLOG ANALYZER
WHY IT IS NECESSARY TO ENSURE HIGH AVAILABILITY OF EVENTLOG ANALYZER?
WORKING OF HIGH AVAILABILITY IN EVENTLOG ANALYZER
STEPS TO CONFIGURE HIGH AVAILABILITY FEATURE
STEPS TO ACTIVATE STANDBY SERVER AUTOMATICALLY
Purpose of the document
This document explains the benefits, working, and the steps to configure EventLog
Analyzer for high availability.
About EventLog Analyzer
EventLog Analyzer is a comprehensive web-based log management and auditing
solution that helps organizations ensure their network security.
This solution
• Collects and aggregates log data centrally from sources across the
network, including Windows servers and workstations, Linux or Unix
machines, network devices (routers, switches, firewalls, IDS/IPS, and
more), web servers (IIS and Apache), databases (Oracle and MS SQL), and
many more.
• Analyzes log data, extracts meaningful information, and presents it in
the form of intuitive graphical reports and dashboards.
• Performs correlation over the collected event log data, which helps in
detecting attack patterns and proactively mitigating security threats.
• Includes predefined alert criteria drafted by examining various
indicators of compromise (IOCs), and sends real-time alerts to
administrators upon discovery of any network anomaly.
Why it is necessary to ensure high availability of EventLog Analyzer?
Being a network security solution, EventLog Analyzer constantly monitors log data, looks for
anomalies and attack patterns, validates threats, and helps in preventing or combating
security attacks.
If the EventLog Analyzer server goes down, log data collection and analysis stop. Log data
sent during the outage is neither collected nor correlated, so a security incident can go
undetected and, in turn, lead to a serious data breach. Such breaches can cause not just huge
financial loss and non-compliance penalties but also loss of credibility and reputation.
Hence it is advisable to ensure the high availability of EventLog Analyzer and keep it up
and running at all times.
Working of High Availability in EventLog Analyzer
EventLog Analyzer’s high availability setup includes two separate installations. One of
the installations acts as the primary server and the other acts as the standby server. Both
installations point to the same database, and the archived log data and Elasticsearch (ES)
data are kept on a common network share that both servers can reach.
[Figure: Primary server (Status: Up and running) and Standby server (Status: Standby mode) pointing to a common database; Archive and ES data kept on a remote machine for common access]
By default, the primary server will deliver all the required services. The standby server
will also be started but remain in the standby mode, as well as monitor the primary
server's status. Whenever the primary server fails, the standby server will kick in and
take up the role of the primary server. It will start collecting the logs, to prevent any
data loss, and continue to perform all the functions of the primary server until the
actual primary server is brought back into service.
Configuring high availability on the servers where EventLog Analyzer is installed is
straightforward. Follow the steps described in this document. For any further clarifications
and queries, contact [email protected].
[Figure: Primary server (Status: Down) and Standby server (Status: Up, functions as primary server) pointing to a common database; Archive and ES data kept on a remote machine for common access]
Steps to configure high availability feature
1. Install EventLog Analyzer on two separate servers.
2. Change the database of one of the servers to SQL by executing the
changeDBserver.bat file (located in <EventLog_Analyzer Home>/Tools)
and save.
3. Now run the same changeDBserver.bat file on the other server and point it to
the same database.
4. Please note that both the primary and standby servers should be in the same
network and should have static IP addresses.
Note: Ensure that the first server is down while executing the
changeDBserver.bat file on the second server.
Also, ensure that EventLog Analyzer is installed as a service. If not, install the
product as a service by executing the Service.bat -I command from the
<EventLog Analyzer_Home>/bin directory.
Creating a static IP address on Windows Server 2012
• Navigate to Start > Control Panel > Network and Sharing Center >
Ethernet (Local Area Connection)
• Select the Properties menu
• Now uncheck Internet Protocol Version 6 (TCP/IPv6)
• Select Internet Protocol Version 4 (TCP/IPv4) and click on its
Properties
• Select Use the following IP address radio button
• Now, enter the IP address and subnet mask and then click on
OK to save the configuration
5. Now add the entries below to the wrapper.conf file located in <EventLog
Analyzer_Home>\Server\Conf. Each entry is a numbered Java Service Wrapper
property: replace <n> with the next unused index after the existing
wrapper.java.additional.<n> entries in the file.
In the primary server add the lines
wrapper.java.additional.<n>=-DremoteIp=<Secondary (standby) Server IP>
wrapper.java.additional.<n>=-DlocalIp=<Local Server IP>
wrapper.java.additional.<n>=-DvirtualIp=<Virtual IP, the same value as in the
secondary server>
In the standby server add the lines
wrapper.java.additional.<n>=-DremoteIp=<Primary Server IP>
wrapper.java.additional.<n>=-DlocalIp=<Local Server IP>
wrapper.java.additional.<n>=-DvirtualIp=<Virtual IP, the same value as in the
primary server>
wrapper.java.additional.<n>=-DSecondary=true
Also ensure that:
• The virtual IP address is in the local network IP range and is not already
assigned to any other host. Using this address, the High Availability script
automatically adds or removes the virtual IP during product startup and
shutdown.
• EventLog Analyzer processes are bound to the virtual IP. In the case of
syslog monitoring, the syslog devices should be configured to forward their
log data to this virtual IP address, so that forwarding keeps working after
a failover.
6. Now, in both the primary and standby servers, edit and update the interface
name (interfaceName field) in the StartHA.vbs and StopHA.vbs files located
in the <EventLog Analyzer_Home>/Tools directory. The value of the
interfaceName field should be the name of the connection shown in your
Network and Sharing Center.
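The following Python script is an added example, not part of the original guide or of the product itself. It parses the HA entries of two wrapper.conf fragments and checks the conditions the steps above imply: the remoteIp of each server is the localIp of the other, both servers carry the same virtualIp, every address lies in the local subnet, the virtual IP is not one of the servers' own addresses, -DSecondary=true is set only on the standby, and no wrapper.java.additional index is reused. The addresses, the subnet and the property indices in the sample fragments are constructed for illustration.

```python
"""Consistency check for EventLog Analyzer HA entries in two wrapper.conf files.

Added example: the fragments below are constructed (hypothetical addresses and
property indices), not taken from a real installation.
"""
import ipaddress
import re

PRIMARY_CONF = """\
wrapper.java.additional.20=-DremoteIp=192.168.10.12
wrapper.java.additional.21=-DlocalIp=192.168.10.11
wrapper.java.additional.22=-DvirtualIp=192.168.10.50
"""

STANDBY_CONF = """\
wrapper.java.additional.20=-DremoteIp=192.168.10.11
wrapper.java.additional.21=-DlocalIp=192.168.10.12
wrapper.java.additional.22=-DvirtualIp=192.168.10.50
wrapper.java.additional.23=-DSecondary=true
"""

# Java Service Wrapper properties are numbered: wrapper.java.additional.<n>=-Dkey=value
_ENTRY = re.compile(r"^wrapper\.java\.additional\.(\d+)=-D(\w+)=(\S+)$")

HA_KEYS = ("remoteIp", "localIp", "virtualIp")


def parse_ha_props(conf_text):
    """Return {key: value} for the -D system properties; reject duplicate indices."""
    props, seen = {}, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ENTRY.match(line)
        if not match:
            continue  # other wrapper settings are not HA related
        index, key, value = match.groups()
        if index in seen:
            raise ValueError(f"duplicate wrapper.java.additional.{index} index")
        seen.add(index)
        props[key] = value
    return props


def check_ha_pair(primary_conf, standby_conf, local_network):
    """Return a list of problems; an empty list means the pair is consistent."""
    primary = parse_ha_props(primary_conf)
    standby = parse_ha_props(standby_conf)
    net = ipaddress.ip_network(local_network)
    problems = []
    for name, props in (("primary", primary), ("standby", standby)):
        for key in HA_KEYS:
            if key not in props:
                problems.append(f"{name}: missing -D{key}")
    if problems:
        return problems  # nothing more to compare without all three addresses
    if primary["remoteIp"] != standby["localIp"]:
        problems.append("primary remoteIp must equal standby localIp")
    if standby["remoteIp"] != primary["localIp"]:
        problems.append("standby remoteIp must equal primary localIp")
    if primary["virtualIp"] != standby["virtualIp"]:
        problems.append("virtualIp differs between the two servers")
    for name, props in (("primary", primary), ("standby", standby)):
        for key in HA_KEYS:
            try:
                addr = ipaddress.ip_address(props[key])
            except ValueError:
                problems.append(f"{name}: {key}={props[key]!r} is not an IP address")
                continue
            if addr not in net:  # the HA script adds the VIP on the local interface
                problems.append(f"{name}: {key} {addr} is outside {net}")
    if primary["virtualIp"] in (primary["localIp"], standby["localIp"]):
        problems.append("virtualIp must not be a server's own address")
    if primary.get("Secondary", "false").lower() == "true":
        problems.append("primary must not set -DSecondary=true")
    if standby.get("Secondary", "").lower() != "true":
        problems.append("standby must set -DSecondary=true")
    return problems


if __name__ == "__main__":
    # Assumed local subnet for the constructed sample addresses.
    for problem in check_ha_pair(PRIMARY_CONF, STANDBY_CONF, "192.168.10.0/24") or ["OK"]:
        print(problem)
```

Run it against the two real files before starting either service: a swapped remoteIp/localIp pair or a virtual IP copied from another site is easy to miss by eye and leaves the standby monitoring the wrong host.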
7. Start the primary server from Windows services.
Note: Use an administrator account to start the EventLog Analyzer
service on both the primary and standby servers.
8. Now in EventLog Analyzer web console (GUI), navigate to Settings tab >
Archive option > Settings link and change the location of Archive log data
to the common shared folder by providing its exact UNC path.
9. You need to change the custom reports’ storage location as well. To do that,
navigate to Settings tab > Admin Settings > Product Settings >
Customize link. In the Configurations page, provide the common shared
folder location in the UNC path field under Reporting Mode option. This will
change the location of custom reports to the common shared folder.
Note: Ensure that you’ve selected, Send Email and Save to Folder option in
the Reporting Mode field.
10. Edit path.data in the elasticsearch.yml file located in <EventLog
Analyzer_Home>/ES/Config. The value of the path.data field should be the
common shared location, so that the primary and standby servers read and write
the same ES data.
Note: Please ensure that both the primary and standby servers have full
permission on the shared folder. Grant that permission to the accounts under
which the EventLog Analyzer service runs on each server rather than to
Everyone: the share now holds the archived log data, the ES data, and the
custom reports.
11. Email notifications are sent to the product users who have administrator
privileges.
By default, the email is sent to the address associated with the admin
user. To configure or change the email address of the admin user, navigate to
Settings tab > Admin Settings > Technicians and Roles section and
click on Manage Technician. This displays the product’s technicians and
their corresponding roles. Click on the admin user; the Edit user details
dialog box opens, where you can edit the email address of the
admin user.
Steps to activate standby server automatically
1. Try to start the EventLog Analyzer service on the standby server while the primary
server is up and running. The service startup will fail, but this triggers a
process called Wscript.exe that starts monitoring the primary server's
availability.
2. Whenever the primary server goes down, this script automatically activates the
standby server and sends an email notification to the administrators.
3. Troubleshoot the primary server whenever it is down. After finishing the
troubleshooting, shut down the standby server manually and only then start the
primary server, so that the two servers never hold the virtual IP and write to
the common database at the same time.
4. When the primary server is up and running, perform step 1 to initiate the script
on the standby server again.
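The behaviour described in "Working of High Availability in EventLog Analyzer" and in the activation steps above, automatic takeover when the primary is down and manual, operator-driven failback, is modelled in the following Python example. This is an added illustration, not the product's StartHA.vbs or monitoring script; the probe sequence is constructed, and the failure_threshold debounce (a single missed probe does not move the virtual IP) is an assumption of the example, not something the guide specifies.

```python
"""Standby-side failover decision logic for a two-node HA pair.

Added example with constructed input: it mirrors the guide's behaviour
(automatic takeover, manual failback) and adds a consecutive-failure
threshold so a transient probe miss does not flip the virtual IP.
"""
from dataclasses import dataclass, field


@dataclass
class StandbyMonitor:
    # Assumed tuning knob: consecutive failed probes before the primary counts as down.
    failure_threshold: int = 3
    consecutive_failures: int = 0
    active: bool = False  # True once this node has added the virtual IP
    events: list = field(default_factory=list)

    def observe(self, primary_alive: bool) -> str:
        """Feed one probe result and return this node's role afterwards."""
        if self.active:
            # Failback is not automatic. If the primary is reachable again while
            # the standby is still active, both would try to hold the virtual IP
            # and write the common database, so only an operator event is raised.
            if primary_alive:
                self.events.append(
                    "primary reachable while standby active: "
                    "stop the standby manually before starting the primary"
                )
            return "active"
        if primary_alive:
            self.consecutive_failures = 0  # a healthy probe resets the debounce
            return "standby"
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failure_threshold:
            self.active = True
            self.events.append(
                "takeover: add virtual IP, start log collection, email administrators"
            )
            return "active"
        return "standby"

    def manual_stop(self) -> None:
        """Operator stops the standby service (step 3 of the activation procedure)."""
        self.active = False
        self.consecutive_failures = 0
        self.events.append("standby stopped by operator; the primary may now be started")


def run_probes(probes, failure_threshold=3):
    """Replay a sequence of probe results; return (roles after each probe, monitor)."""
    monitor = StandbyMonitor(failure_threshold=failure_threshold)
    roles = [monitor.observe(alive) for alive in probes]
    return roles, monitor


if __name__ == "__main__":
    # Constructed sequence: one transient miss, a real outage, then the
    # primary comes back while the standby is still active.
    sample = [True, False, True, False, False, False, True]
    roles, monitor = run_probes(sample)
    for alive, role in zip(sample, roles):
        print(f"primary_alive={alive!s:<5} -> standby role: {role}")
    for event in monitor.events:
        print("event:", event)
    monitor.manual_stop()
    print("event:", monitor.events[-1])
```

The point of the asymmetry is that only one node should ever own the virtual IP and the common database; the standby hands back control only after an operator has stopped it, which is exactly why the activation steps say to shut down the standby before starting the primary.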