High Availability

When high availability is required, Tenable Log Correlation Engine can be configured for two-node replication.  A single virtual IP is always bound to the real IP of whichever node is currently the master node. You use the virtual IP in your high availability configuration for all of the following:

  • Tenable Log Correlation Engine web UI
  • Tenable Log Correlation Engine clients
  • Syslog and SMTP inputs
  • Tenable Security Center

The two-node high availability configuration allows you to keep log collection and analysis running in the event of a hardware or network failure. High availability works by monitoring services on both configured hosts. At any time, each server in your configuration is assigned either the active (or master) role or the standby role. The role of each node is determined by service status, which is monitored at a high frequency. Example timeline:

  1. Initial boot
    • Node A initializes in the master role; Node A binds the virtual IP to its primary network interface
    • Node B initializes in the standby role
  2. Node A's network connection fails
    • Node B detects Node A's loss of connectivity and takes over the master role
  3. Node A's network connection is restored
    • Node A transitions to the standby role
    • Node B maintains the master role
  4. Node B's electrical power supply fails
    • Node A takes over the master role
  5. Node B's electrical power supply is restored
    • Node B resumes in the standby role

Database synchronization occurs continuously. If a node goes offline and then is restored, ample time is required to re-sync the database.  In the event of hardware or network instability that requires the nodes to switch roles more frequently than every 5 minutes, high availability behavior may become unpredictable and may result in missing log data.
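
The role changes in the example timeline, and a check for role switches that occur less than 5 minutes apart, can be modeled as follows. This is an added Python example, not Tenable code or ha-manager output; the node names, the (time, node, up) event tuples, and the behavior when both nodes are down are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

FLAP_WINDOW_S = 300  # page: switching roles more often than every 5 minutes is unsafe


@dataclass
class HAPair:
    """Two-node role model of the example timeline (node names are assumptions)."""
    up: dict = field(default_factory=lambda: {"A": True, "B": True})
    master: Optional[str] = "A"  # initial boot: Node A is master and binds the virtual IP
    switches: list = field(default_factory=list)  # (time_s, new_master) per takeover

    def event(self, t, node, is_up):
        """Apply a failure (is_up=False) or restore (is_up=True) of node at time t."""
        self.up[node] = is_up
        peer = "B" if node == "A" else "A"
        if not is_up and self.master == node:
            # Master lost: the standby takes over if it is healthy.
            self._set_master(t, peer if self.up[peer] else None)
        elif is_up and self.master is None:
            # Assumption (not stated on the page): first node back becomes master.
            self._set_master(t, node)
        # Otherwise a restored node rejoins as standby; the current master keeps its role.

    def _set_master(self, t, new_master):
        self.master = new_master
        if new_master is not None:
            self.switches.append((t, new_master))


def replay(events):
    """Feed (time_s, node, is_up) events through a fresh pair and return it."""
    pair = HAPair()
    for t, node, is_up in events:
        pair.event(t, node, is_up)
    return pair


def flapping(switches, window=FLAP_WINDOW_S):
    """Return pairs of consecutive takeovers that are closer together than window."""
    return [(a, b) for a, b in zip(switches, switches[1:]) if b[0] - a[0] < window]


# Constructed sample events: steps 2-5 of the timeline, then an unstable link.
TIMELINE = [(1000, "A", False), (1400, "A", True), (5000, "B", False), (5600, "B", True)]
UNSTABLE = [(100, "A", False), (160, "A", True), (220, "B", False),
            (300, "B", True), (340, "A", False)]

if __name__ == "__main__":
    for name, events in (("timeline", TIMELINE), ("unstable", UNSTABLE)):
        pair = replay(events)
        print(name, pair.master, pair.switches, flapping(pair.switches))
```

Any pair returned by flapping() marks a period in which, per the paragraph above, high availability behavior may be unpredictable and log data may be missing.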

Note: If you configure high availability for Tenable Log Correlation Engine, use the virtual IP address when configuring Tenable Log Correlation Engine in Tenable Security Center.

Note: On the standby node, Tenable Log Correlation Engine will run only the following services: keepalived, postgresql, and lce_queryd.  Do not manually start, restart, or stop Tenable Log Correlation Engine services on the standby node.

Note: On both the master and the standby node, ha-manager will start and stop the keepalived service automatically as needed.  Do not manually start, restart, or stop the keepalived service on either node.

Health and Status

You can view status information about your high availability configuration in the LCE web UI or by running ha-manager --status.

For more information, see Monitor Your High Availability Configuration.

Migrating Existing High Availability Configurations

If you previously configured high availability on your Log Correlation Engine 4.8.4 deployment and want to migrate to Log Correlation Engine 6.0.4 or later, you can upgrade and then re-configure your high availability configuration, as described in Migrate Your High Availability Configuration to Log Correlation Engine 6.0.4 or Later.

ha-manager Utility

The ha-manager utility configures, disables, and provides status details of high availability configurations. For more information about the ha-manager utility and its usage, see ha-manager.