
STAS issue with multiple DCs & collectors

Whilst testing STAS, we came across some anomalies where not all users were getting logged.

The setup:

4 x DCs over 4 different sites. All DCs entered into the UTM under STAS with all DCs having the full STAS Suite installed and running.

All of the STAS collectors/agents were up and running and all tested. The reason the whole suite was installed is for resilience and failover, e.g. in case 1 DC failed.

The Issue:

Looking through the logs, the UTM only queried the first STAS/DC server in its list. It did not work its way down the list as we would have expected. Therefore, it would only log the authentications that were done on this DC. This resulted in authentications on the other STAS/DC servers being missed.

It appears that only if the connection fails to the first STAS/DC server in the list, that the next server will be tried for authentication.

The workaround:

Specify the first STAS/DC server in the STAS Collectors on each of the other servers.

This appeared to work and now all users are authenticated. It does, however, still leave the question of if the first DC fails, who then becomes the collector?
I am going to add other collector IPs into the agents as Sophos state that only the first collector in the list gets the authentications, so I am hoping that if that collector fails, it will try the next collector in the list and so forth.



  • Hey Louis.

    I think that's actually how it behaves and your workaround is actually how it should be set up when using multiple collectors. When multiple collectors are used, UTM will use the one that replied faster and only go "down the list" if that collector stops responding.

    But, since STAS documentation is a little scarce yet and my insight is based on observation, I'll let someone with more knowledge on the theme confirm this.

    Regards,

    Giovani

  • Yes, looking at this, it seems that a STAS collector can service multiple UTMs, but if you put a collector on each DC, you have to be careful that when the UTM looks for a collector, it doesn't jump to another, e.g. UTM 1 goes to collector 1 on DC1, UTM 2 goes to collector 3 on DC3. If the STAS Suite on DC3 is pointing to the primary collector on DC1 and DC1 goes down, you lose the collector.

    The answer is to put collectors on all the DCs but again, you have to be careful. A single timeout on the first collector on a UTM will cause the UTM to select the next collector, e.g. collector 2. That collector's agent will be pointing elsewhere, e.g. at Collector 1 which has now gone down.

    I think the answer might be to map the agent to the same order as which the collectors are specified in the UTM, e.g. they all point to collector 1. If collector 1 goes down, they all point to collector 2 and so forth.

    The documentation is a little scarce and doesn't really highlight the pitfalls etc.
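
The failover behaviour discussed in the posts above, as an added simulation that is not part of the original thread and not Sophos code. It assumes, from the posters' observations only, that a UTM polls just the first reachable collector in its list and that an agent forwards logons just to the first reachable collector in its list; the DC and UTM names are constructed.

```python
# Added model; behaviour assumed from the thread's observations, not from Sophos docs:
#  - a UTM polls only the first collector in its list that it can reach;
#  - an agent sends logon events only to the first reachable collector in its list.
DCS = ["DC1", "DC2", "DC3", "DC4"]               # constructed site names
UTMS = {"UTM A": DCS, "UTM B": DCS}              # collector order on each UTM

LAYOUTS = {                                      # agent -> collector list, per DC
    "local_only": {dc: [dc] for dc in DCS},      # original setup
    "all_to_dc1": {dc: ["DC1"] for dc in DCS},   # the workaround
    "same_order": {dc: list(DCS) for dc in DCS}, # proposed: mirror the UTM order
}

def first_up(order, unreachable):
    """First entry of `order` not in `unreachable`, or None."""
    return next((c for c in order if c not in unreachable), None)

def visible_logons(utms, agents, down=frozenset(), utm_timeouts=frozenset()):
    """Map each UTM to the DCs whose logons reach the collector it polls.

    `down` is DCs that have failed; `utm_timeouts` is collectors that only the
    UTM failed to reach (a transient timeout), so agents still send to them.
    """
    feeds = {}                                   # collector -> DCs feeding it
    for dc, order in agents.items():
        if dc in down:
            continue                             # a failed DC has no running agent
        target = first_up(order, down)
        if target is not None:
            feeds.setdefault(target, set()).add(dc)
    seen = {}
    for utm, order in utms.items():
        polled = first_up(order, set(down) | set(utm_timeouts))
        seen[utm] = sorted(feeds.get(polled, set()))
    return seen

def report():
    """Coverage seen by UTM A for each layout: (healthy, DC1 failed)."""
    out = {}
    for name, agents in LAYOUTS.items():
        healthy = visible_logons(UTMS, agents)["UTM A"]
        dc1_down = visible_logons(UTMS, agents, down={"DC1"})["UTM A"]
        out[name] = (healthy, dc1_down)
    return out

if __name__ == "__main__":
    for name, (healthy, dc1_down) in report().items():
        print(f"{name:11} healthy={healthy} DC1 down={dc1_down}")
```

Running `visible_logons` on the `same_order` layout with `utm_timeouts={"DC1"}` returns an empty list for both UTMs: under this model the UTM has moved to the next collector while the agents still feed DC1, which is the single-timeout pitfall raised above.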

  • Early days yet but I seem to have 2x UTMs synced across 4x DCs. Logs appear to be matching although I do get the old "child XXXX is running too long. Terminating child" warning and the user that is logged in the logs doesn't show up on the UTM.

    ON DC1: On the front tab of the STAS suite, under Sophos appliances being served, it shows UTM A & UTM B.
    ON DC2: On the front tab of the STAS suite, under Sophos appliances being served, it shows 0 UTMs.
    ON DC3: On the front tab of the STAS suite, under Sophos appliances being served, it shows UTM A.
    ON DC4: On the front tab of the STAS suite, under Sophos appliances being served, it shows 0 UTMs.

    Now above, I can understand DC1 as STAS is serving both UTMs as DC1 is first in the list for STAS servers on the UTMs.
    I can understand DC2 & DC4 as both are not the primary STAS server, i.e. it is DC1.

    I can't understand DC3 as that appears to be serving UTM A by itself. I don't think it should do this?