You can add higher scale, performance, and reliability to the Reporting and Analytics solution by using the reporting clustering feature. Through reporting clustering, you can combine and configure multiple reporting members in a cluster.
...
Ports Required for IPv4 and IPv6 Single Indexer
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
- Single-Site Cluster: In a single-site cluster, the Grid Master is also the cluster master and all reporting members are cluster indexer peers. NIOS selects a peer and configures it as the search head to handle search queries. If the selected search head goes down, NIOS automatically selects another search head among the reporting members in the same site. All other Grid members (non-reporting members) are considered forwarders that send reporting data to the cluster peers for processing. You must configure at least two reporting members that are located in the same site (location). By default, the replication factor and search factor for a single-site cluster are set to 2. Note that you can upgrade your configuration from a single-site cluster to a multi-site cluster. However, once configured, you cannot change your configuration back to a single indexer. For information about how to configure a single-site cluster, see Configuring Reporting Clusters below.
Port Requirement for IPv4 and IPv6 Single-site Clustering
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
- Multi-Site Cluster - A multi-site clustering configuration is useful when you want to manage multiple reporting sites at different locations, with each site having its own set of indexers. The multi-site clustering configuration is valid only when you associate all the reporting members in the cluster with the predefined ReportingSite extensible attribute. For information about the ReportingSite extensible attribute, see ReportingSite Extensible Attribute below. In a multi-site cluster, you configure one of the sites as the primary site, and then plan other sites in a specific order. This order defines the next site of indexers to which the forwarders send data when the primary site is out of service. Note that all Grid members send data only to indexers in the primary site. You can designate a new primary site either by using the Grid Reporting Properties editor, or using the set promote_master CLI command. For more information about the CLI command, refer to the Infoblox CLI Guide. A multi-site cluster must have at least two sites with two reporting members in each site, as illustrated in the Sample Multi-Site Reporting Cluster figure. The first reporting site that you configure is the primary site, which also hosts the search head for the cluster. If the search head goes down, the Grid Master automatically chooses an available reporting member in the same site as the search head. If all the indexers in a site go down, or if you want to change the search head to another site, then you must manually redefine the primary site. Note that you must make one of the active sites as the primary site. In a multi-site cluster, the search factor (also known as the site search factor) determines both the number of searchable copies that the entire cluster maintains and the number of copies that each site maintains. By default, the search factor is set to 1 and the replication factor is 2 in a multi-site cluster.
...
When you change the configuration from a single indexer to a single-site cluster or multi-site cluster and from a single-site cluster to a multi-site cluster, the replication of data will start only for the new data that are created after you have completed the cluster mode configuration. When you change the configuration, the replication of new data starts only after you have completed the clustering configuration. Any data created prior to switching are restored on the primary site and are not replicated on the secondary site. To manage your reporting clustering data efficiently, see Guidelines for Deploying Reporting Clusters.
Sample Multi-Site Reporting Cluster
| Drawio | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
For more information about how reporting cluster works, refer to the Splunk documentation at https://docs.splunk.com/Documentation/Splunk/8.2.4/Indexer/Basicclusterarchitecture.
...
Port Requirement for IPv4 and IPv6 Multi-site Clustering
Drawio
ReportingSite Extensible Attribute
...
Report Category | Reports | Source Type | Data Source (file-based or scriptbased) | Update Frequency |
|---|---|---|---|---|
| Device | Inactive IP Addresses | ib:reserved2 | file-based (syslog) | Rotates at 120 MB; retains one older copy; queued data is between 120 MB and 240 MB |
Port Capacity Utilization by Device Port Capacity Trend Port Capacity Delta by Device | ib:reserved2 | file-based (csv) | Overwritten every 6 hours | |
| End Host History | ib:discovery:end_host _activity | file-based (csv) | Overwritten every 24 hours | |
| IP Address Inventory | ||||
| Network Inventory | ||||
| IPAMv4 Device Networks | ||||
| Device Interface Inventory | ||||
| Device Inventory | ib:reserved2 | file-based (csv) | Overwritten every 24 hours | |
| Device Components | ||||
| Device Advisor | ib:reserved2 | file-based (csv) | Overwritten every 24 hours | |
DHCP Performance | DHCP Message Rate Trend | ib:dhcp:message | file-based (csv) | Overwritten every 1 minute |
DHCPv4 Usage Trend DHCPv4 Range Utilization Trend | ib:dhcp:range | file-based (csv) | Overwritten every 1 hour | |
DHCP Lease History | DHCP Lease History DHCP Top Lease Clients | ib:dhcp:lease_history | file-based (syslog) | Rotates at 120 MB; retains one older copy; queued data is between 120 MB and 240 MB |
Top Devices Identified Device Trend Device Class Trend Top Device Classes | ib:dhcp:lease_history | file-based (syslog) | Based on summary search report, which is updated during the 16th and 46th minutes of each hour | |
| Top Devices Denied an IP Address | ib:dhcp:lease_history | file-based (syslog) | Based on summary search report, which is updated during the 19th and 49th minutes of each hour | |
Device Fingerprint Change Detected | ib:dhcp:lease_history | file-based (syslog) | Executed every 24 hours | |
DNS Performance | DNS Response Latency Trend | ib:dns:perf | script-based | Executed every 1 minute |
DNS Record Scavenging | DNS Scavenged Object Count Trend | ib:dns:reclamation | file-based (csv) | Updated whenever reclamation tasks are executed |
DNS Query Capture | DNS Domain Query Trend DNS Domains Queried by Client Top DNS Clients by Query Type Top DNS Clients Querying MX Records | ib:dns:capture | file-based (csv) | Updated whenever the Data Collection VM collects capture query data from a Grid member |
| DDNS | DDNS Update Rate Trend | ib:ddns | file-based (syslog) | Rotates at 120MB; retains one older copy; queued data is between 120MB and 240MB. |
DNS Traffic Control | DNS Traffic Control Resource Availability Trend | ib:dns:reserved | file-based (csv) | Based on summary search report, which is updated once per six hour at 47th minute of each hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. |
DNS Traffic Control Resource Availability Status | ib:dns:reserved | file-based (csv) | Based on summary search report, which is updated once per six hour at 47th minute of each hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. | |
DNS Traffic Control Resource Pool Availability Trend | ib:dns:reserved | file-based (csv) | Based on summary search report, which is updated once per six hour at 23rd minute of each hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. | |
DNS Traffic Control Resource Pool Availability Status | ib:dns:reserved | file-based (csv) | Based on summary search report, which is updated once per six hour at 23rd minute of each hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. | |
DNS Traffic Control Response Distribution Trend | ib:dns:reserved | file-based (csv) | Based on summary search report, which is updated once per six hour at 37th minute of each hour. With each execution, it summarizes raw events indexed from 370 minutes ago to 10 minutes ago. | |
DDI Utilization | DHCPv4 Usage Statistics DHCPv4 Top Utilized Networks | ib:dhcp:network | file-based (csv) | Overwritten every 1 hour |
IPAM Network Usage IPAM Top Networks | ib:ipam:network | file-based (csv) | Overwritten every 1 hour | |
| DNS Zone Statistics Per DNS View | ib:dns:view | file-based (csv) | Overwritten every 24 hours | |
| DNS Statistics per Zone | ib:dns:zone | file-based (csv) | Overwritten every 24 hours | |
| DNS Object Count Trend for Flex Grid License | ib:dns:ibflex_zone_counts | file-based (csv) | Generated once in 24 hours and average is calculated over 5 days | |
System Utilization | CPU Utilization Trend Memory Utilization Trend Traffic Rate by Member | ib:system | script-based | Executed every 1 minute |
| License Pool Utilization | ib:system | file-based (csv) | Overwritten every 24 hours | |
| SPLA Grid Licensing Features Enabled | ib:system | Generated once in 24 hours for all IB-FLEX members on the Grid | ||
System Capacity | System Capacity Prediction | ib:system_capacity:objects | Updated whenever there is relevant event occurs | |
| DNS Query | DNS Replies Trend | ib:dns:stats | script-based | Executed every 1 minute |
| DNS Cache Hit Rate Trend | ib:dns:query:cache_hit_rate | script-based | Executed every 1 minute | |
| DNS Query Rate by Query Type | ib:dns:query:qps | script-based | Executed every 1 minute | |
DNS Query Rate by Member DNS Daily Query Rate by Member DNS Daily Peak Hour Query Rate by Member | ib:dns:query:by_member | script-based | Executed every 1 minute | |
| DNS Top Clients | ib:dns:query:top_clients | script-based | Executed every 10 minutes | |
DNS Top Requested Domain Names | ib:dns:query:top_requested _domain_names | script-based | Executed every 10 minutes | |
DNS Top Clients Per Domain DNS Top NXDOMAIN / NOERROR (no data) DNS Top SERVFAIL Errors Received DNS Top SERVFAIL Errors Sent DNS Top Timed-Out Recursive Queries | ib:dns:reserved | script-based | Executed every 10 minutes | |
DNS Query Trend per IP Block Group | ib:dns:reserved | script-based | Executed every 5 minutes | |
DNS Effective Peak Usage Trend for Flex Grid License | ib:dns:query:qps | Executed every 10 minutes and average is calculated over five days | ||
| Security | DNS Top RPZ Hits | ib:dns:reserved | script-based | Executed every 10 minutes |
| DNS Top RPZ Hits by Clients | ib:dns:reserved | script-based | Executed every 10 minutes | |
| Top DNS Firewall Hits | ib:dns:reserved | script-based | Executed every 10 minutes | |
| Malicious Activity by Client | ib:dns:reserved | script-based | Executed every 10 minutes | |
| DNS Firewall Executive Threat | ib:dns:reserved | script-based | Executed every 10 minutes | |
| FireEye Alerts | ib:syslog | script-based | Updated immediately when alerts are logged in the syslog. | |
Threat Protection Event Count By Severity Trend Threat Protection Event Count By Member Trend Threat Protection Event Count By Rule Threat Protection Event Count By Time Threat Protection Event Count By Category Threat Protection Event Count By Member | ib:reserved1 | file-based (csv) | Overwritten every 5 minutes. | |
DNS Top Tunneling Activity DNS Tunneling Traffic by Category Top Malware and DNS Tunneling Events by Client | ib:reserved1 | file-based (csv) | Overwritten every 5 minutes. | |
Network User | User Login History | ib:reserved1 | file-based (csv) | |
Ecosystem Subscription | Subscription Data | ib:reserved1 | file-based (csv) | Updated whenever there is an event received from the vendor that NIOS subscribes. |
Ecosystem Publication | Publish Data | ib:reserved1 | file-based (csv) | Updated whenever there is a relevant RPZ, IPAM, and DHCP lease event occurs. |
| Cloud | VM Address History | ib:reserved2 | file-based (csv) | Updated immediately when there is a change related to the VM IP address. Rotates at 300MB and retains one older copy. |
| Audit Log | Audit Log Events | ib:audit | file-based (audit log) | Updated immediately when the audit log is updated. |
| Audit Log WAPI Events | ib:audit | file-based (audit log) | Updated immediately when the audit log is updated. | |
| Syslog | Syslog Events | ib:syslog | file-based (Syslog) | Updated immediately when alerts are logged in the syslog. |
...