JSA consolidates event data from log sources that are used by devices and applications in your network. Figure 1 shows JSA components.
Software versions for all JSA appliances in a deployment must be same version and patch level. Deployments that use different versions of software are not supported.
JSA deployments can include the following components:
JSA Flow Processor
Passively collects traffic flows from your network through span ports or network taps. The JSA Flow Processor also supports the collection of external flow-based data sources, such as NetFlow.
Provides the JSA product user interface. The interface delivers real-time event and flow views, reports, offenses, asset information, and administrative functions.
In distributed JSA deployments, use the JSA console to manage hosts that include other components.
A service running on the JSA console, the Magistrate provides the core processing components. You can add one Magistrate component for each deployment. The Magistrate provides views, reports, alerts, and analysis of network traffic and security events.
The Magistrate component processes events against the custom rules. If an event matches a rule, the Magistrate component generates the response that is configured in the custom rule.
For example, the custom rule might indicate that when an event matches the rule, an offense is created. If there is no match to a custom rule, the Magistrate component uses default rules to process the event. An offense is an alert that is processed by using multiple inputs, individual events, and events that are combined with analyzed behavior and vulnerabilities. The Magistrate component prioritizes the offenses and assigns a magnitude value that is based on several factors, including number of events, severity, relevance, and credibility.
JSA Event Collector
Gathers events from local and remote log sources. Normalizes raw log source events. During this process, the Magistrate component, on the JSA Console, examines the event from the log source and maps the event to a JSA Identifier (QID). Then, the Event Collector bundles identical events to conserve system usage and sends the information to the Event Processor.
JSA Event Processor
Processes events that are collected from one or more Event Collector components. The Event Processor correlates the information from JSA products and distributes the information to the appropriate area, depending on the type of event. The Event Processor can also collect events if you do not have an Event Collector in your deployment.
The Event Processor also includes information that is gathered by JSA products to indicate behavioral changes or policy violations for the event. When complete, the Event Processor sends the events to the Magistrate component.
When to add Event Processors: if you collect and store events in a different country or state, you may need to add Event Processors to comply with local data collection laws.
Data Nodes enable new and existing JSA deployments to add storage and processing capacity on demand as required. Data Notes increase the search speed on your deployment by allowing you to keep more of your data uncompressed.
You can scale storage and processing power independently of data collection, which results in a deployment that has the appropriate storage and processing capacity. Data Nodes are plug-n-play and can be added to a deployment at any time. Data Nodes seamlessly integrate with the existing deployment.
Increasing data volumes in deployments require data compression sooner. Data compression slows down system performance as the system must decompress queried data before analysis is possible. Adding Data Node appliances to a deployment allows you to keep data uncompressed longer.
For more information about Data Nodes, see the Data Node Overview.