Symantec Developer Group

 View Only
  • 1.  About the role of the SSIM server

    Posted Sep 12, 2012 10:51 PM

    I'm considering the introduction of two SSIM server.

    I want to set the role of Correlation the SSIM server A.

    I want to set the role of Collection/Archiving the SSIM server B.

    I think the Correlation and Archiving and Collection role so that it can not be set when you install the SSIM server.

    How do I configure the role of each?

    I have installed as the manual. I think all-in-one server.



  • 2.  RE: About the role of the SSIM server
    Best Answer

    Posted Jan 10, 2013 09:48 PM

    Hi,

     

    If you got 2 or more SSIM, you need to make all the SSIM servers join a single SSIM Domain. Just to be clear I am talking about the SSIM Domain and not Internet domain, and not Active Directory domain.

     

    So you are right to say that you do not specify a role for the SSIM server when you install it. All freshly/newly installed SSIM are "all-in-one" mode. After you completed the installation of two or more SSIM servers, you use the Web Interface to register one of the SSIM to the SSIM Domain of another SSIM. After this all configuration can be controlled on a SSIM Domain level and not at the individual level.

     

    So please out the SSIM Domain Name carefully. Normally, I would install the first SSIM Server with the SSIM Domain name that I want to use, such as "MySSIM.SES" and I will install the other SSIM Server with temporary SSIM Domain names such as "temp2.ses",  "temp3.ses", "temp4.ses".

     

    After completing the installation, it is also very critical to put in all the necessary patches. After patching, you can connect to the SSIM Servers with the temporary SSIM Domain name and use the web Interface to register with the SSIM Domain of the first SSIM Server. The registration process takes around 30 minutes to complete. It is very important that you do not reboot the SSIM Servers, do not interrupt the network, firewalls and such. The web interface can timeout but it won't affect the domain registration process. Just reconnect to the web interface and click on "Domain Registration".

     

    So the final answer you are looking for is to configure the roles. You do this under "Event Forwarding Rules". You find this under System in the Java Console. The default event forwarding is to forward events/logs received to "127.0.0.1" Correlation Service.

     

    Just change this to the other SSIM server that you want to assign the Correlation Role. My recommendation is to use the eth1 (Network Port 2) to perform this forwarding as it is in UNENCRYPTED. So please specify the IP address of eth1 of the destination server. The Correlation Service port number is fixed and you can change it.

     

    You can change how the SSIM write event arhives by editing the "Event Archiving rules". That 's how you control how SSIM work in the Event Archiving Role. Normally you would archive everything but you can change that as well.

     

    Hope this is helpful to you

    SK