Linux-UNIX: S-TAP load-balancing models and configuration guidelines

Understand the S-TAP load-balancing models, and choose the one appropriate to your setup.

There are two main reasons for using load balancing:
  • To improve reliability. If one collector fails, the traffic is rerouted to another collector so that no traffic is lost.
  • To increase throughput. Load-balancing shares your high-volume traffic between a few collectors.

Failover

S-TAP sends traffic to one collector (primary) and fails over to one or more collectors (secondary, tertiary, and so on) as needed. The S-TAP agents are configured with a primary and at least one secondary collector IP. If the S-TAP agent cannot send the traffic to the primary collector, it automatically fails over to the secondary. It continues to send data to the secondary host until the secondary host system becomes unavailable, the primary host becomes available again, or the S-TAP is restarted (at which point it attempts to connect to its primary host first). If the secondary host system becomes unavailable, the S-TAP fails over to the tertiary, if one is defined. If the primary host becomes available again, the S-TAP fails over from the secondary Guardium® host back to the primary Guardium host.

Set up a primary and up to two secondary collectors. You can either define one collector as a standby failover collector only, or a few failover collectors. When you use one standby failover, one standby collector is usually sufficient for 4-5 collectors. When you use a few failover collectors, each one should run at a maximum of 50% capacity, so that there are always resources for extra load. Choose the setup that works best with your architecture, database, and data center layout.

The S-TAP restarts each time configuration changes are applied from the active host.
  1. In the S-TAP Control window, in the Details section, set Load balancing to 0. In the Guardium Hosts section, add at least one secondary Guardium Host.
    Note: If you are not an advanced user, do not change the default failover configuration values.
  2. Before you designate a Guardium system as a secondary host for an S-TAP, verify these items.
    • The Guardium system must have connectivity to the database server where S-TAP is installed. When multiple Guardium systems are used, they are often attached to disjointed branches of the network.
    • The Guardium system must not have a security policy that will ignore session data from the database server where S-TAP is installed. In many cases, a Guardium security policy is built to focus on a narrow subset of the observable database traffic, ignoring all other sessions. Make sure that the secondary host will not ignore session data from S-TAP, or modify the security policy on the Guardium system as necessary.

Enhanced failover mechanism to avoid data loss

The main goal of the failover mechanism is to preserve the session parameters when switching the S-TAP to the secondary collector. The regular failover mechanism saves session parameters as 'failover messages' that are received from the primary collector over the network. If a failover occurs, the mechanism forwards the failover messages to the secondary collector. In rare cases, the failover messages are lost. To address this, the enhanced failover mechanism also saves session parameters in the form of several raw database protocol packets. If a failover is required and the failover messages are lost, the failover mechanism forwards the raw database packets to the secondary collector.

Load balancing

This configuration balances traffic from one database onto multiple collectors based on the client ports. This option is useful when you must monitor all traffic (comprehensive monitoring) of an active database. (Note that for outliers detection, the collectors must be under the same aggregator and central manager so that the aggregator can process all related data.) When the generated traffic is large and you need to house the data online on a collector for an extended period, use this method because it performs session-based load balancing across multiple collectors. An S-TAP can be configured in this manner with up to 10 collectors.

Complete the following configuration procedure in the Details section of the S-TAP Control window.
  • Set the Value of the Load balancing parameter to 1 for load balancing.

Grid

With Grid, the S-TAP communicates with the collector through a load balancer, such as F5 or Cisco. The S-TAP agent is configured to send traffic to the load balancer. The load balancer forwards the S-TAP traffic to one of the collectors in the pool of collectors. You can also configure failover between load balancers, so that monitoring continues if a load balancer fails.

S-TAP attempts to write to the buffer at an interval of tap_min_heartbeat_interval. If it fails 5 times consecutively, it fails over. It also fails over if it detects that the buffer is half full.

  1. In the Details section of the S-TAP Control window, set the value of the Load balancing parameter to 3 for the grid model. For more information, see S-TAP Control: Details.
  2. Set all can control = 1.
  3. Guardium Host = <the IP of the Virtual IP of the balancer, to which all S-TAP database clients point>.

Redundancy

In redundancy, the S-TAP communicates its entire payload to multiple collectors. The S-TAP is configured with more than one collector (often only two) and communicates the identical content to both. This option provides full redundancy of the same logged data across multiple collectors. It can also be used for logging data and alerting on activity at different levels of granularity.

In the Details section of the S-TAP Control window, set the value of the Load balancing parameter to 2 for redundancy. For more information, see S-TAP Control: Details.

Multiple K-TAP buffers

This mode works the same as when Load balancing is set to 1 but utilizes extra threads and K-TAP buffers to increase throughput. In the Details section of the S-TAP Control window, set the value of the Load balancing parameter to 4. See Linux-UNIX: Multi-threading S-TAP to increase S-TAP throughput.
Note: If there is no K-TAP being used and Load balancing is set to 4, the behavior is the same as with Load balancing set to 1.
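
The following check is an added example, not IBM code: it reads S-TAP settings and reports where they depart from the guidelines given for each model above (secondary host for failover, the 10-collector limit, all can control for grid). It assumes the settings are stored in guard_tap.ini style, with the Load balancing value under `participate_in_load_balancing` and `all_can_control` in a `[TAP]` section and one `[SQLGuard_n]` section per Guardium host; confirm those names against your installed file. The sample input is constructed.

```python
import configparser

# Constructed sample; section and key names are assumed to match guard_tap.ini.
SAMPLE_INI = """\
[TAP]
participate_in_load_balancing=3
all_can_control=0

[SQLGuard_0]
sqlguard_ip=192.0.2.10
primary=1
"""

MODES = {0: "failover", 1: "load balancing", 2: "redundancy",
         3: "grid", 4: "multiple K-TAP buffers"}

def check_stap_config(text):
    """Return findings where the settings depart from the guidelines on this page."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    tap = cp["TAP"] if cp.has_section("TAP") else {}
    try:
        mode = int(tap.get("participate_in_load_balancing", "0"))
    except ValueError:
        return ["Load balancing value is not a number"]
    if mode not in MODES:
        return [f"Load balancing value {mode} is not one of 0-4"]
    # Every [SQLGuard_n] section is counted as one configured Guardium host.
    hosts = [s for s in cp.sections() if s.lower().startswith("sqlguard_")]
    n, name, findings = len(hosts), MODES[mode], []
    if n == 0:
        findings.append("no Guardium host is defined")
    if mode == 0 and n < 2:
        findings.append("failover: add at least one secondary Guardium host")
    if mode == 0 and n > 3:
        findings.append("failover: more than a primary and two secondaries")
    if mode in (1, 2, 4) and n < 2:
        findings.append(f"{name}: needs more than one collector")
    if mode in (1, 4) and n > 10:
        findings.append(f"{name}: more than 10 collectors configured")
    if mode == 3 and tap.get("all_can_control", "0").strip() != "1":
        findings.append("grid: all can control must be 1")
    return findings

if __name__ == "__main__":
    for finding in check_stap_config(SAMPLE_INI):
        print(finding)
```

Running it against the agent configuration after each change catches a failover setup with no secondary host, which would otherwise show up only as lost audit traffic when the primary collector goes down.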