High Availability Configuration Guide

Table of Contents

PURPOSE OF THE DOCUMENT 3

ABOUT EVENTLOG ANALYZER 3

WHY IT IS NECESSARY TO ENSURE HIGH AVAILABILITY OF EVENTLOG ANALYZER? 3

WORKING OF HIGH AVAILABILITY IN EVENTLOG ANALYZER 4

STEPS TO CONFIGURE HIGH AVAILABILITY FEATURE 6STEPS TO ACTIVATE STANDBY SERVER AUTOMATICALLY 10

Purpose of the document

This document explains the benefits, working, and the steps to configure EventLog

Analyzer for high availability.

About EventLog Analyzer EventLog Analyzer is a comprehensive web-based log management and auditing

solution that helps organizations to ensure their network security.

This solution

• Collects and aggregates log data centrally from sources across the

network including Windows servers and workstations, Linux or Unix

machines, network devices (routers, switches, firewalls, IDS/IPS, and

more), web servers (IIS and Apache), database (Oracle and MS SQL) and

a lot more.

• Analyzes log data, extracts meaningful information and present it in

the form of intuitive graphical reports and dashboards.

• Perform correlation over the collected event log data thus helps in

detecting attack patterns to proactively mitigate security threats.

• Includes predefined alert criteria that are meticulously drafted by

examining various indicators of compromises (IOC). It also sends real-

time alerts to administrators upon discovery of any network anomaly.

Why it is necessary to ensure high availability of EventLog Analyzer? Being a network security solution, EventLog Analyzer constantly monitors log data, looks for

anomalies and attack patterns, validates threats, and helps in preventing or combating

security attacks.

If EventLog Analyzer server goes down, it would then result in stoppage of log data collection

and analysis. This could result in failing to identify security incident, and in turn any serious

data breach. Such breaches can cause not just huge financial loss and non-compliant

penalties but also loss of credibility and reputation. Hence it's advisable to ensure the high

availability of EventLog Analyzer, and keep it up and running all the time.

Working of High Availability in EventLog Analyzer

EventLog Analyzer’s high availability setup includes two separate installations. One of

the installations acts as a primary server and the other acts as a standby server. Both

of the installations point to the same database. And the archived log data and ES data

will be available in the common network share.

Primaryserver

Standbyserver

Commondatabase

Status:Standbymode

ArchiveandES(inremotemachinefor

commonaccess)

Status:Upandrunning

By default, the primary server will deliver all the required services. The standby server

will also be started but remain in the standby mode, as well as monitor the primary

server's status. Whenever the primary server fails, the standby server will kick in and

take up the role of the primary server. It will start collecting the logs, to prevent any

data loss, and continue to perform all the functions of the primary server until the

actual primary server is brought back into service.

Configuring high-availability in the servers in which EventLog Analyzer is installed is

simple. Follow the steps illustrated in the document. For any further clarifications and

queries, contact eventlog-support@manageengine.com.

Primaryserver

Standbyserver

Commondatabase

Status:DownStatus:Up.

Functionsasprimaryserver

ArchiveandES(inremotemachinefor

commonaccess)

Steps to configure high availability feature

1. Install EventLog Analyzer in two separate servers.

2. Change the one of the server’s database to SQL by executing

changeDBserver.bat file (located in <EventLog_Analyzer Home>/Tools)

and save.

3. Now run the same changeDBserver.bat file in the other server and point to

the same database.

4. Please note that both the primary and standby servers should be in the same

network and should have static IP address.

Note: Ensure that the first server is down while executing the

changeDBserver.bat file on the second server.

Also, ensure that EventLog Analyzer as a service. If not, install the

product as service by executing Service.bat –I command from

<EventLog Analyzer_Home>/bin directory.

Creating static IP address on Windows server 2012

• Navigate to Start > Control Panel > Network Sharing Center >

Ethernet (Local Area Connection)

• Select Properties menu

• Now uncheck Internet Protocol Version 6 (TCP/IPv6)

• Select Internet Protocol Version 4 (TCP/IPv4) and click on its

Properties

• Select Use the following IP address radio button

• Now, enter the IP address and subnet mask and then click on

OK to save the configuration

5. Now add the below entry in wrapper.conf file located in <EventLog

Analyzer_Home>\Server\Conf

Also ensure that,

• Virtual IP address should in the local network IP range. Using this IP

address the High Availability script will automatically add or remove

the Virtual IP during the product startup and shutdown.

• EventLog Analyzer processes will be bound to Virtual IP. In case of

syslog monitoring, the syslog devices should be configured to

forward their log data to this virtual IP address.

6. Now, in both the primary and standby servers, edit and update the interface

name (interfaceName field) in StartHA.vbs and StopHA.vbs files located

in <EventLog Analyzer_Home>/Tools directory. The value of the

interfaceName field should be the connection found in your Network

Sharing Center.

In primary server add the below lines

wrapper.java.additional.=-DremoteIp=< Secondary Server IP>

wrapper.java.additional.=-DlocalIp=< Local Server IP>

wrapper.java.additional.=-DvirtualIp=<VirtualIP, this entry would be

same as in Secondary Server>

In standby server add the below lines

wrapper.java.additional.=-DremoteIp=<Primary Server IP>

wrapper.java.additional.=-DlocalIp=< Local Server IP>

wrapper.java.additional.=-DvirtualIp=<VirtualIP, this entry would be

same as in Primary Server>

wrapper.java.additional.=-DSecondary=true

7. Start the primary server from Windows services.

Note: Please use only administrator credential to start EventLog Analyzer

service in both primary and standby servers.

8. Now in EventLog Analyzer web console (GUI), navigate to Settings tab >

Archive option > Settings link and change the location of Archive log data

to the common shared folder by providing its exact UNC path.

9. You need to change the custom reports’ storage location as well. To do that,

navigate to Settings tab > Admin Settings > Product Settings >

Customize link. In the Configurations page, provide the common shared

folder location in the UNC path field under Reporting Mode option. This will

change the location of custom reports to the common shared folder.

Note: Ensure that you’ve selected, Send Email and Save to Folder option in

the Reporting Mode field.

10. Edit the path.data in the elasticsearch.yml file located in <EventLog

Analyzer_Home/ES/Config . The value of the path.data field should be the

common shared location so that it can store ES data in both primary and

standby servers.

Note: Please ensure that both primary and standby servers have full

permission to the shared folder.

11. Email notification will be sent to the product users who have administrator

credentials.

By default, the email will be sent to the address associated with the admin

user. To configure or change the email address of admin user, navigate to

Settings tab > Admin Settings > Under Technicians and Roles section

click on Manage Technician. This will display the product’s technicians and

their corresponding roles. Click on the admin user , you will be prompted with

the Edit user details dialog box, where you can edit the email address of the

admin user.

Steps to activate standby server automatically

1. Try to start EventLog Analyzer service in the standby server while the primary

server is up and running. The service startup will fail but this would trigger a

process called Wscript.exe that will start monitoring the primary server's

availability.

2. Triggering this script will automatically initiate the standby server and also

sends email notification to administrators whenever the primary server is

down.

3. Perform troubleshooting on the primary server whenever it’s down. Upon

finishing the troubleshooting, do shutdown the standby server manually and

then start the primary server.

4. When the primary server is up and running, perform step 1to initiate the script

in the standby server.