Event and Flow Processing Capacity
The capacity of a deployment is measured by the number of events per second (EPS) and flows per minute (FPM) that JSA can collect, normalize, and correlate in real time. The event and flow capacity is set by the licenses that are uploaded to the system.
Each host in your JSA deployment must have enough event and flow capacity to ensure that JSA can handle incoming data spikes. Most incoming data spikes are temporary, but if you continually receive system notifications that indicate that the system exceeded the license capacity, you can replace an existing license with a license that has more EPS or FPM capacity.
Shared License Pool
The EPS and FPM rate that is set by each license is combined into a shared license pool. From the shared license pool, you can distribute the processing capacity to any host, regardless of which host the original license is allocated to.
By adjusting the allocation of the shared license pool, you ensure that the event and flow capacity is distributed according to the network workload, and that each JSA host has enough EPS and FPM to effectively manage periods of peak traffic.
In deployments that have separate event collector and event processor appliances, the event collector inherits the EPS rate from the event processor that it is attached to. To increase the capacity of the event collector, allocate more EPS from the shared license pool to the parent event processor.
Contributions to the License Pool
A license that includes both event and flow capacity might not contribute both the EPS and FPM to the shared license pool. The license pool contributions are dependent on the type of appliance that the license is allocated to. For example, when you apply a license to a 16xx Event Processor, only the EPS is added to the license pool. The same license, when applied to a 17xx Flow Processor, contributes only the FPM to the license pool. Applying the license to an 18xx Event/Flow Processor contributes both EPS and FPM to the pool. With exception of software licenses for event or flow processors, all software licenses contribute both the EPS and FPM to the shared license pool, regardless of which type of appliance the license is allocated to.
A license key that has a serial number can apply to only one host, and the EPS and FPM capacity of that license cannot be allocated to another host. As a result, a license key that has a serial number does not contribute to the shared license pool.
Exceeding Your Licensed Processing Capacity Limits
The license pool becomes overallocated when the combined EPS and FPM that is allocated to the managed hosts exceeds the EPS and FPM that is in the shared license pool. When the license pool is overallocated, the License Pool Management window shows a negative value for the EPS and FPM, and the allocation chart turns red. JSA blocks functionality on the Network Activity and Log Activity tabs, including the ability to view events and flows from the Messages list on the main JSA toolbar.
To enable the blocked functionality, reduce the EPS and FPM that you allocated to the managed hosts in your deployment. If the existing licenses do not have enough event and flow capacity to handle the volume of network data, upload a new license that includes enough EPS or FPM to resolve the deficit in the shared license pool.
When a license expires, JSA continues to process events and flows at the allocated rate.
If the EPS and FPM capacity of the expired license was allocated to a host, the shared resources in the license pool might go into a deficit, and cause JSA to block functionality on the Network Activity and Log Activity tabs.
The best way to deal with spikes in data is to ensure that your deployment has enough events per second (EPS) and flows per minute (FPM) to balance peak periods of incoming data. The goal is to allocate EPS and FPM so that the host has enough capacity to process data spikes efficiently, but does not have large amounts of idle EPS and FPM.
When the EPS or FPM that is allocated from the license pool is very close to the average EPS or FPM for the appliance, the system is likely to accumulate data in a temporary queue to be processed later. The more data that accumulates in the temporary queue, also known as the burst-handling queue, the longer it takes JSA to process the backlog. For example, a JSA host with an allocated rate of 10,000 EPS takes longer to empty the burst handling queue when the average EPS rate for the host is 9,500, compared to a system where the average EPS rate is 7,000.
Offenses are not generated until the data is processed by the appliance, so it is important to minimize how frequently JSA adds data to the burst handling queue. By ensuring that each managed host has enough capacity to process short bursts of data, you minimize the time that it takes for JSA to process the queue, ensuring that offenses are created when an event occurs.
When the system continuously exceeds the allocated processing capacity, you cannot resolve the problem by increasing the queue size. The excess data is added to the end of the burst handling queue where it must wait to be processed. The larger the queue, the longer it takes for the queued events to be processed by the appliance.
JSA appliances generate a small number of internal events when they communicate with each other as they process data.
To ensure that the internal events are not counted against the allocated capacity, the system automatically returns all internal events to the license pool immediately after they are generated.