How To: Configuring a CEE Pool with Data Insight

Article ID: 100059058

Description

A single CEE server can stop processing audit events in certain environments where the Isilon cluster generates large data sets.

Once Dell/EMC determines that a single CEE server can no longer process the load from the Isilon cluster, a CEE Pool configuration is usually recommended to load balance the data across multiple CEE servers.

This article will cover how to configure a CEE Pool to work with Data Insight.

Background

Auditing for Isilon (and Dell/EMC devices in general) uses the CEE/CAVA framework to process and forward audit events to various endpoints, including Data Insight.

When an Isilon cluster is configured to forward events to multiple CEE servers, the events are sent in a round-robin configuration.

In order for Data Insight to receive all of the audit events from different CEE sources, we have to configure the DataInsightCelerra service a certain way.

The DataInsightCelerra service has two configuration options: a local CEE server (CEE installed and configured on the collector node) and a remote CEE server (CEE installed and configured on a different server than the collector node). Configuring the service for local CEE allows only audits received on the local CEE server to be consumed; any audits received from a remote CEE server are rejected. The reverse also holds: a service configured for remote CEE rejects any audits forwarded from the local CEE server.

In a CEE Pool configuration, the DataInsightCelerra service must be configured to accept remote CEE connections only. Setting the service to local, or having a local configuration for any of the CEE servers, will cause data loss, because any audits received that do not match the DataInsightCelerra service configuration are rejected.

Configuration

The example above uses a three-node CEE Pool configuration.

The Isilon cluster is configured to forward the events to the three CEE servers, which are then each configured to forward the audit events to the collector node for Data Insight.

Since the DataInsightCelerra service on the collector node is configured to accept connections from remote CEE servers, all audits will be processed.
