High Availability and Resilience

The ECA cluster is an active-active design that offers Matrix Processing of events. This design uses dedicated Docker containers that each perform a specific function on each node. The solution tolerates multiple container failures within a node and between nodes.

The solution distributes event processing at the functional container level across any of the nodes in the cluster. This allows more than a single point of failover within a node and between nodes, so processing continues under most common conditions with greater than 2x HA level of redundancy.

Cluster Operational Requirements

The platform is a robust, high-performance event processing cluster for threat and audit detection capabilities. The cluster will remain operational as long as 2 of the 3 nodes are running and can reach the HDFS cluster database.

Architectural Data flow of audit events through the Eyeglass Clustered Agent

Understanding how the ECA processes incoming events is important when debugging:

  1. The ECA cluster is an active-active-active solution, which means all nodes process and analyze audit data from the cluster.
  2. The cluster load balances audit messages to each node in the cluster.
  3. Each user in AD is hashed and assigned to one node in the cluster, so that a single user's behavior patterns can be processed by a single node in the cluster.
  4. If a node goes down, another node takes over the Active Directory user processing for the failed node.
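
An added illustration of items 3 and 4 and of the 2-of-3 rule above; it is not Superna's code. The page does not state which hash the ECA uses, so rendezvous hashing over SHA-256 is an assumption here, as are the node names and user accounts.

```python
import hashlib

NODES = ["eca-node-1", "eca-node-2", "eca-node-3"]  # hypothetical node names


def _score(user: str, node: str) -> int:
    """Deterministic weight for a (user, node) pair (assumed scheme, not ECA's)."""
    digest = hashlib.sha256(f"{user.lower()}|{node}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def owner(user: str, live_nodes) -> str:
    """Rendezvous hashing: the live node with the highest score owns the user."""
    if not live_nodes:
        raise RuntimeError("no live nodes")
    return max(live_nodes, key=lambda n: _score(user, n))


def cluster_operational(live_nodes, hdfs_reachable: bool) -> bool:
    """Rule from the page: 2 of the 3 nodes running and able to reach HDFS."""
    return len(set(live_nodes) & set(NODES)) >= 2 and hdfs_reachable


def failover_report(users, failed: str):
    """Return {user: (old_owner, new_owner)} for users that move when `failed` goes down."""
    survivors = [n for n in NODES if n != failed]
    moved = {}
    for u in users:
        before, after = owner(u, NODES), owner(u, survivors)
        if before != after:
            moved[u] = (before, after)
    return moved


# Constructed sample accounts, not real AD users
USERS = [f"CORP\\user{i:03d}" for i in range(200)]

if __name__ == "__main__":
    moved = failover_report(USERS, "eca-node-2")
    print(f"{len(moved)} of {len(USERS)} users reassigned after eca-node-2 failed")
    print("operational:", cluster_operational(["eca-node-1", "eca-node-3"], True))
```

When debugging, the property to look for is the one this sketch shows: only the failed node's users change owner, so per-user behavior history on the surviving nodes is not disturbed.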
© Superna Inc