When deploying your SIEM Solution Infrastructure with HP ArcSight products, you may consider installing more than one Logger system for several reasons. Without going too much into detail on these reasons, let's name the 2 major ones: first, reaching the capacity limits of your system (RAM, CPU, or the 15000 EPS level indicated in HP ArcSight documents), and second, providing redundancy by installing an ArcSight Logger appliance in each datacenter, so that sending logs does not consume too much bandwidth.
Whatever the reason for using several ArcSight Loggers, the problem of searching across several databases appears.
The solution for this problem is establishing peering between your Logger appliances. Once peering is established, the pattern you are searching for is executed on all peer Loggers and the result is shown on the Logger from which you initiated the search.
For peering, 2 or more Loggers must first authenticate each other. For authentication, 2 methods exist:
- Authentication with a Logger user's credentials
- Authentication with a Peer Authorization ID and Code
In this article, we will follow the second method, to avoid any problems that may be caused by the user credentials in the first method (for example, a password change or account lockout breaking the peering).
Let's assume we will initiate the peering on Logger1. To do so, we should first log in to Logger2 and generate the Authorization ID and Code on Logger2.
Once the first step is done, the generated values must be entered on Logger1. After successfully saving the configuration, Logger peering is done and logs can be queried through either of the Loggers.
UPDATE 29/07/2015: There is something odd about the peering config for Loggers. The "Add Peer Logger" option must be configured on both Loggers; it is not enough to see one line for the peer Logger under the Peer Loggers menu. The Authorization ID and Code generated on Logger2 for Logger1 must be entered on Logger1, and vice versa. At the end of a successful configuration, you should see 2 identical lines under the Peer Loggers menu for each Logger you established a peering relation with.
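To make the point of the update concrete, here is an added Python model of the mutual authorization described above (example code, not ArcSight's own software or API; the Logger names, the token format and the function names are assumptions). Each Logger issues an Authorization ID and Code for a named peer, the other Logger registers them, and peering counts as established only when both directions are registered and the entered values match what the peer actually issued.

```python
# Added example: a model of mutual ArcSight Logger peering authorization.
# Not ArcSight code; token formats and names are constructed for illustration.
import secrets
from dataclasses import dataclass, field


@dataclass
class Logger:
    name: str
    # peer name -> (auth_id, code) this Logger generated for that peer
    issued: dict = field(default_factory=dict)
    # peer name -> (auth_id, code) entered on this Logger via "Add Peer Logger"
    registered: dict = field(default_factory=dict)

    def generate_authorization(self, for_peer: str):
        """Step 1: on the peer's Logger, generate an Authorization ID and Code."""
        creds = (secrets.token_hex(8), secrets.token_hex(16))
        self.issued[for_peer] = creds
        return creds

    def add_peer(self, peer: str, auth_id: str, code: str):
        """Step 2: on the initiating Logger, enter the generated values."""
        self.registered[peer] = (auth_id, code)


def direction_ok(src: Logger, dst: Logger) -> bool:
    """True when src has entered exactly the values that dst issued for src."""
    entered = src.registered.get(dst.name)
    return entered is not None and entered == dst.issued.get(src.name)


def peering_established(a: Logger, b: Logger) -> bool:
    """Per the update: one line on one side is not enough; both directions must hold."""
    return direction_ok(a, b) and direction_ok(b, a)


def demo():
    l1, l2 = Logger("Logger1"), Logger("Logger2")
    # The original (one-sided) procedure: Logger2 issues, Logger1 adds the peer.
    auth_id, code = l2.generate_authorization(for_peer="Logger1")
    l1.add_peer("Logger2", auth_id, code)
    one_sided = peering_established(l1, l2)  # False: Logger2 never added Logger1
    # The corrected procedure: repeat the exchange in the other direction.
    auth_id, code = l1.generate_authorization(for_peer="Logger2")
    l2.add_peer("Logger1", auth_id, code)
    return one_sided, peering_established(l1, l2)  # returns (False, True)
```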