Use JSA components to scale a JSA deployment, and to manage data collection and processing in distributed networks.
All JSA appliances in a deployment must run the same software version and build. Deployments that use different versions of software are not supported because environments that use mixed versions can cause rules not to fire, offenses not to be created or updated, and errors in search results.
JSA deployments can include the following components:
JSA console--The JSA console provides the JSA user interface, and real-time event and flow views, reports, offenses, asset information, and administrative functions.
In distributed JSA deployments, use the JSA console to manage hosts that include other components.
JSA Event Collector--The Event Collector collects events from local and remote log sources, and normalizes raw log source events to format them for use by JSA. The Event Collector bundles or coalesces identical events to conserve system usage and sends the data to the Event Processor.
The Event Collector can use bandwidth limiters and schedules to send events to the Event Processor to overcome WAN limitations such as intermittent connectivity.
The Event Collector is assigned to an EPS license that matches the Event Processor that it is connected to.
JSA Event Processor--The Event Processor processes events that are collected from one or more Event Collector components. The Event Processor processes events by using the Custom Rules Engine (CRE). If events are matched to the CRE custom rules that are predefined on the Console, the Event Processor executes the action that is defined for the rule response.
Each Event Processor has local storage. Event data is stored on the processor, or it can be stored on a Data Node.
The processing rate for events is determined by your events per second (EPS) license. If you exceed the EPS rate, events are buffered and remain in the Event Collector source queues until the rate drops. However, if you continue to exceed the EPS license rate, and the queue fills up, your system drops events, and JSA issues a warning about exceeding your licensed EPS rate.
When you add an Event Processor to an All-in-One appliance, the event processing function is moved from the All-in-One to the Event Processor.
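The EPS license behavior described above (buffer while over the rate, drop once the queue is full) can be modeled to estimate how long a burst a deployment can absorb before events are dropped. This is an added example, not JSA code: it is a simplified per-second model, and the license rate, queue capacity, and arrival figures are constructed assumptions rather than JSA defaults.

```python
from dataclasses import dataclass

@dataclass
class Tick:
    second: int
    arrived: int
    processed: int
    queued: int
    dropped: int

def simulate_eps_throttle(arrivals, licensed_eps, queue_capacity):
    """Simplified per-second model: process up to the licensed EPS,
    buffer the excess, and drop whatever no longer fits in the queue."""
    queued, timeline = 0, []
    for second, arrived in enumerate(arrivals):
        backlog = queued + arrived
        processed = min(backlog, licensed_eps)
        backlog -= processed
        dropped = max(0, backlog - queue_capacity)
        queued = backlog - dropped
        timeline.append(Tick(second, arrived, processed, queued, dropped))
    return timeline

def summarize(timeline):
    """Figures an operator would check: did anything drop, and from when?"""
    return {
        "total_dropped": sum(t.dropped for t in timeline),
        "first_drop_second": next((t.second for t in timeline if t.dropped), None),
        "peak_queue": max(t.queued for t in timeline),
        "final_queue": timeline[-1].queued,
    }

# Constructed values, not JSA defaults: license and queue size are assumptions.
LICENSED_EPS = 1000
QUEUE_CAPACITY = 5000
SHORT_BURST = [800] * 5 + [2000] * 3 + [500] * 10       # queue absorbs it
SUSTAINED_BURST = [800] * 5 + [2000] * 10 + [500] * 10  # queue overflows

if __name__ == "__main__":
    for name, arrivals in (("short", SHORT_BURST), ("sustained", SUSTAINED_BURST)):
        print(name, summarize(simulate_eps_throttle(arrivals, LICENSED_EPS, QUEUE_CAPACITY)))
```

In the sustained case the first drop occurs several seconds after the burst begins, which is the window in which events are delayed but not yet lost.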
JSA Flow Processor--The Flow Processor processes flows from one or more JSA flow processor appliances. The Flow Processor appliance can also collect external network flows such as NetFlow, J-Flow, and sFlow directly from routers in your network. You can use the Flow Processor appliance to scale your JSA deployment to manage higher flows per minute (FPM) rates. Flow Processors include an on-board Flow Processor, and internal storage for flow data. When you add a Flow Processor to an All-in-One appliance, the processing function is moved from the All-in-One appliance to the Flow Processor.
JSA Data Node--Data Nodes enable new and existing JSA deployments to add storage and processing capacity on demand as required. Data Nodes help to increase the search speed in your deployment by providing more hardware resources to run search queries on.
For more information about managing JSA components, see the Juniper Secure Analytics Administration Guide.
For more information about JSA appliance specifications, see the Juniper Secure Analytics Hardware Guide.