
Agenda

• What is the Load Balancer


• How to install the Load Balancer
• Configuration of the Load Balancer
• Troubleshooting
• PerfTestSyslog
• Questions/Answers
• Resources
What is the Load Balancer
Network vs Application Load Balancing

New Component for Load Balancing for
SmartConnectors – BEFORE data received
Supports Syslog (udp/tcp) and File/Beta (ftp/scp)
Released as of 8th September 2015
Version 1.0 – INITIAL RELEASE
Use Cases
• Availability, reliability, and scalability.
– Overloaded SmartConnectors result in event loss and delayed collection
– Under-utilized SmartConnectors result in wasted resources
– Manual and tedious sizing and maintenance is necessary
– One SmartConnector becomes a single point of failure
What is the Load Balancer
• Features
– High Availability (HA) modes, which can be configured with two hosts
• HA mode as a peer – the host that starts first is the active node, the other secondary
• HA mode as primary/secondary – designated primary and secondary node
– Standalone mode using a single server
• No HA as running on one node
– Transports
• Syslog (udp/tcp)
• File/Beta (ftp/scp)

• The High Availability feature, which is available using peer or primary/secondary mode, currently works
only within the same subnet.
What is the Load Balancer
• Routing Policies

– Round Robin
• Distributes events, batches, or files to each available destination in the destination pool in round robin fashion, beginning
again at the start in a circular manner. File-based load balancing supports only the Round Robin policy.

– Weighted Round Robin


• Distributes events in a round-robin fashion, but sends more events or batches to lightly loaded destinations.

– Aggregation Preferred
• Events from the same source are sent to the same destination until a threshold is reached. Then, it will switch the routing
to another destination. This routing policy is better suited if aggregation is enabled on Connector destinations where
events are sent to the same destination until certain load thresholds are met.
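A simplified model of the three routing policies, added here as an illustration and not taken from the Load Balancer's own code. The load percentages, the per-source event-count threshold and the connector names are assumptions of this example.

```python
from collections import Counter
from itertools import cycle


def round_robin(events, dests):
    """Hand each event to the next destination, wrapping around."""
    ring = cycle(dests)
    return [(ev, next(ring)) for ev in events]


def weighted_round_robin(events, load_pct):
    """Smooth weighted round robin that favours lightly loaded destinations.
    Assumption: load_pct maps destination -> load in percent and the
    weight is the free capacity (100 - load).
    """
    weight = {d: 100 - pct for d, pct in load_pct.items()}
    total = sum(weight.values())
    credit = dict.fromkeys(weight, 0)
    routed = []
    for ev in events:
        for d in credit:
            credit[d] += weight[d]
        pick = max(credit, key=credit.get)  # ties go to the first listed
        credit[pick] -= total
        routed.append((ev, pick))
    return routed


def aggregation_preferred(events, dests, threshold):
    """Keep a source on one destination, moving it on after `threshold` events.
    Assumption: events are (source, message) pairs and the threshold is a
    per-source event count standing in for the load thresholds.
    """
    pinned, sent, routed = {}, Counter(), []
    for src, msg in events:
        idx = pinned.setdefault(src, len(pinned) % len(dests))
        if sent[src] >= threshold:  # threshold hit: switch destination
            idx = pinned[src] = (idx + 1) % len(dests)
            sent[src] = 0
        sent[src] += 1
        routed.append(((src, msg), dests[idx]))
    return routed


if __name__ == "__main__":
    # Constructed input: two firewalls sending syslog lines to three connectors.
    feed = [("fw-a", n) if n % 3 else ("fw-b", n) for n in range(9)]
    for event, dest in aggregation_preferred(feed, ["c1", "c2", "c3"], 2):
        print(event, "->", dest)
```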
What is the Load Balancer
• Minimum Hardware
– CPU: 2 CPU X 4 Cores each (2 x Intel E5620, quad core, 2.4 GHz or better)
– RAM: 16 GB
– Disk: 60 GB
– Number of network interfaces: 1 dedicated Gigabit Ethernet interface
• Only 1 network interface is supported
• Operating System
– RHEL 6.6 and 7.0 (64-bit only)
– CentOS 6.6 and 7.0 (64-bit only)
What is the Load Balancer
• SmartConnector Requirements
– HP ArcSight SmartConnector release 7.1.4.7475 / 7.1.3.7445 or later
– syslog daemon and/or file-based (beta)
– Remote Management must be enabled on SmartConnectors
• This is a differentiator vs. hardware load balancers
• Application level vs. session level
Primary/Secondary (one host is set as primary)
Peer (neither host is set as primary)
Standalone
File (beta)
How to install the Load Balancer
• Enable remote management for the SmartConnectors
– Add remote.management.enabled=true and remote.management.listener.port=9001 to the $ARCSIGHT_HOME/user/agent/agent.properties file
– Alternatively, run agentsetup to set this through the GUI
Configuration of the Load Balancer
• Confirm SmartConnectors are running & remote management is turned on
• Copy the appropriate .xml template file
– .xml template file
• High Availability (HA) modes: lbConfig.xml.template
• Standalone mode: lbConfig.xml.template.standalone
– Copy the appropriate .xml file…
• From $ARCSIGHT_HOME/config/loadbalancer
• To $ARCSIGHT_HOME/user/loadbalancer/
– Rename the .xml file to lbConfig.xml
Configuration of the Load Balancer
• Edit the lbConfig.xml with an XML editor like gedit
– Configure memberHosts
– Configure destinations and destinationPools
– Configure sources
– Configure routingRule

• memberHosts – defines machine(s) where Load Balancer is installed


• destinations / destinationPools – defines the SmartConnectors that you are talking to
• sources – defines the inbound source and ties to rules and destinations/destinationPools
• routingRule – round robin, weighted round robin, aggregation preferred
memberHost: Configures the participating host where Load Balancer will be installed and running.
name: Specifies a unique name that identifies the host.
address: Specifies the IP address of the participating host. Load Balancer must be installed on
this host.
port: Specifies the port number used by the underlying library for HA support.
isPrimary: Specifies the running mode for Load Balancer.

Set this value to true to designate a primary host when Load Balancer is running in primary/secondary mode. Only one host can be configured as the designated primary host.

To run Load Balancers in peer mode, set this value to false for both member hosts.
vipBindCommand: Specifies the full command used to bind the virtual IP address to this host.
Prior to configuring this, the Ethernet connection virtual IP address should have been configured.

In Linux, /sbin/ifup shows the Ethernet configuration.

Be sure to use the absolute path when specifying the command. For example, if the virtual IP
address profile is located in:
/etc/sysconfig/network-scripts/ifcfg-eth0:1

specify:
sudo /sbin/ifup /etc/sysconfig/network-scripts/ifcfg-eth0:1

If Load Balancer is running as the root user, remove 'sudo'.


vipUnbindCommand: Specifies the full command used to unbind the virtual IP address from
this host. It defines the counter command for binding.
• When configuring a routing rule, the incoming and outgoing protocol used for one routing rule must be the same. For example, if routing rule A has source configured with TCP, destinations in the destination pool in routing rule A must be configured with the same TCP. Likewise, if the source is configured with UDP, destinations in the same routing rule must be configured with UDP.
Load Balancer Troubleshooting
Configuration of the Load Balancer
• Match up memberIdentity with one of memberHosts/memberHost/name so that Load Balancer can identify
itself.
– <memberIdentity>primary-node</memberIdentity>
– <memberIdentity>secondary-node</memberIdentity>
– For primary-secondary configuration, set isPrimary=true on the primary host. On the secondary host, set
isPrimary=false.
– For peer mode, set both hosts to isPrimary=false.
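A pre-start check for the memberHosts rules above, added as an example and not part of the product. The `<lbConfig>` root, the use of child elements for each field, the node names, addresses, port and the `ifdown` unbind command in the sample are assumptions; only the setting names come from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed sample: <lbConfig> root, element layout and values are assumptions.
IFCFG = "/etc/sysconfig/network-scripts/ifcfg-eth0:1"
HOST = ("<memberHost><name>{0}</name><address>{1}</address><port>5701</port>"
        "<isPrimary>{2}</isPrimary><vipBindCommand>{3} " + IFCFG +
        "</vipBindCommand><vipUnbindCommand>sudo /sbin/ifdown " + IFCFG +
        "</vipUnbindCommand></memberHost>")


def sample_config(identity, primary_flags, bind="sudo /sbin/ifup"):
    """Build a constructed config with one memberHost per isPrimary flag."""
    hosts = "".join(HOST.format(f"node-{i}", f"192.0.2.{10 + i}", flag, bind)
                    for i, flag in enumerate(primary_flags))
    return (f"<lbConfig><memberIdentity>{identity}</memberIdentity>"
            f"<memberHosts>{hosts}</memberHosts></lbConfig>")


def lint_member_hosts(xml_text):
    """Return (mode, problems) for the memberHosts section."""
    root = ET.fromstring(xml_text)
    hosts = root.findall(".//memberHosts/memberHost")
    names = [h.findtext("name", "").strip() for h in hosts]
    primaries = [n for h, n in zip(hosts, names)
                 if h.findtext("isPrimary", "false").strip().lower() == "true"]
    identity = (root.findtext(".//memberIdentity") or "").strip()
    problems = []
    if not 1 <= len(hosts) <= 2:
        problems.append(f"{len(hosts)} member hosts; one or two are supported")
    if len(set(names)) != len(names):
        problems.append("memberHost names are not unique")
    if identity not in names:
        problems.append(f"memberIdentity {identity!r} matches no memberHost name")
    if len(primaries) > 1:
        problems.append("more than one host has isPrimary=true")
    for host, name in zip(hosts, names):
        for tag in ("vipBindCommand", "vipUnbindCommand"):
            words = host.findtext(tag, "").split()
            if words[:1] == ["sudo"]:
                words = words[1:]  # judge the command itself, not sudo
            if len(hosts) == 2 and not (words and words[0].startswith("/")):
                problems.append(f"{name}: {tag} needs an absolute path")
    mode = ("standalone" if len(hosts) == 1
            else "primary/secondary" if primaries else "peer")
    return mode, problems


if __name__ == "__main__":
    print(lint_member_hosts(sample_config("secondary-node", ["true", "true"], "ifup")))
```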
Troubleshooting
• Logs are your friend!
• Load balancer will load the lbConfig.xml file at start – any issues will be in the loadbalancer.log file
– Will confirm settings and details
– Pools, destination etc.

• Usual issues will be focused around settings only:


– Cannot connect to SmartConnectors to pull certificates
– No route to SmartConnectors
– SmartConnector taken out of pool – unavailable
Questions/Answers
• Can the Load Balancer run on ArcMC appliances or software?
• No, it needs to run on a dedicated machine by itself
• Can the Load Balancer run on the same host as the SmartConnector?
• No, it needs to run on a dedicated machine by itself
• Do the Load Balancers need identical hardware?
• No, but that would be the ideal configuration
• Does the Load Balancer support more than 1 network interface?
• No
• Can there be more than 2 Load Balancer hosts?
• No
Questions/Answers
• With Primary-Secondary mode how do we ensure that the Primary starts
before the Secondary?
• There is no way to handle this in the Load Balancer; this is something the
customer will have to handle
• Do we support the Load Balancer in virtual environments?
• The Load Balancer IS supported running in a virtual machine
• SmartConnectors are supported in virtual machines following our standard
virtualization support guidelines
• Virtual lab environment for internal testing
• With High Availability (HA) modes and VMware Workstation there could
be ARP IP->MAC (and routing) cache issues
• Standalone mode should not have these issues
Why not use hardware Load Balancing?
[Figure: two diagrams, "SmartConnector Load Balancing" (syslog devices, Load Balancer, SmartConnector pool) and "Typical Network Hardware Load Balancing" (syslog devices, VIP 10.x.1.1, SmartConnectors); events are marked E.]
Side-by-side load balancing comparison: example with three events
• Traditional Hardware
– 1: All three events went to the 1st connector
– 2: All three events went to the 1st Logger
• ArcSight Application LB
– 1: Distributed to all SmartConnectors
– 2: Distributed to all Loggers
Comparison Summary
Hardware Network Load Balancer
• Extra cost for hardware
• Network (hardware) load balancer
– The focus is on establishing and maintaining the connection between end-points (more at the network and transport layer 4 protocols like IP, TCP, FTP, UDP of the OSI model)
– TCP is difficult to configure and get working
Application Load Balancer
• SmartConnector Load Balancer bundled in the ArcSight solution
• Application-level load balancing
– Load balancing at the event level (application layer 7 of the OSI model)
– TCP support is easy to configure since it is agnostic to the network transport protocol
– TCP is more efficient (batching)
– Load balancing supports file-based events
