This topic discusses deploying an additional Logger to an existing deployment for the purpose of load sharing in AlienVault USM Appliance.
In a high load environment or for compliance reasons, a USM Appliance Logger can reach its full storage capacity in a shorter period of time.
In such cases, raw logs can be forwarded to multiple USM Appliance Loggers in order to ease the burden on any one logger and also to improve long-term remote storage capabilities.
For example, the architecture of such an environment could look like this:
In order to add an additional USM Appliance Logger to your deployment, configure the logger first by following the instructions in Configure the USM Appliance Logger after Deployment. Then you need to disable event forwarding on the USM Appliance Server so that events will not be forwarded to both USM Appliance Loggers. Instead, specify the events you want to forward to which USM Appliance Logger through the creation of Policies.
To disable event forwarding on the USM Appliance Server
- Go to Configuration > Deployment > Servers.
- Choose the USM Appliance Server and click Modify.
- Set the option for Forward Events to No.
- Click Save.
In order to share the load among multiple USM Appliance Loggers, policies need to be put in place on the USM Appliance Server to effectively split the event flow among the USM Appliance Loggers. A forwarding policy must have the proper options enabled and a forwarding target specified. The criteria used to determine which events should go where can be set in most cases by using either DS Groups or Taxonomy. Other policy criteria, such as source and destination IP, can also be used here. A detailed document on policy management can be found in Policy Management.
Example 1: In the example below, the policy uses Taxonomy to forward all Firewall and Intrusion Detection raw logs to a specific USM Appliance Logger for storage:
Example 2: In the example below, the policy uses DS Groups to forward all AVAPI and NIDS raw logs to a specific USM Appliance Logger for storage:
In summary, adding an additional Logger and sharing raw logs between the USM Appliance Loggers is as simple as:
- Deploy a new Logger as detailed in Configure the USM Appliance Logger after Deployment.
- Disable Forward Events on the USM Appliance Server.
- Create new policies on the USM Appliance Server to group the events.
- In the policies, select the specific USM Appliance Logger that you wish to forward those raw logs to in the Forwarding column of the Consequences section.