The capacity of a deployment is measured by the number of events
per second (EPS) and flows per minute (FPM) that JSA can
collect, normalize, and correlate in real time. The event and flow
capacity is set by the licenses that are uploaded to the system.
Each host in your JSA deployment must have enough
event and flow capacity to ensure that JSA can handle
incoming data spikes. Most incoming data spikes are temporary, but
if you continually receive system notifications that indicate that
the system exceeded the license capacity, you can replace an existing
license with a license that has more EPS or FPM capacity.
Shared License Pool
The EPS and FPM rate that is set by each license is combined
into a shared license pool. From the shared license pool, you can
distribute the processing capacity to any host within a specific deployment
or that is managed by a single console, regardless of which host the
original license is allocated to.
By adjusting the allocation of the shared license pool, you
ensure that the event and flow capacity is distributed according to
the network workload, and that each JSA host has enough
EPS and FPM to effectively manage periods of peak traffic.
In deployments that have separate event collector and event
processor appliances, the event collector inherits the EPS rate from
the event processor that it is attached to. To increase the capacity
of the event collector, allocate more EPS from the shared license
pool to the parent event processor.
Contributions to the License Pool
A license that includes both event and flow capacity might not
contribute both the EPS and FPM to the shared license pool. The license
pool contributions are dependent on the type of appliance that the
license is allocated to. For example, when you apply a license to
a 16xx Event Processor, only the EPS is added to the license pool.
The same license, when applied to a 17xx Flow Processor, contributes
only the FPM to the license pool. Applying the license to an 18xx
Event/Flow Processor contributes both EPS and FPM to the pool. With the
exception of software licenses for event or flow processors, all software
licenses contribute both the EPS and FPM to the shared license pool,
regardless of which type of appliance the license is allocated to.
As of JSA 7.3.2, you can acquire stackable
EPS/Flow increments instead of replacing the existing license for a console
or other managed host when you need to increase the overall event
or flow thresholds of your deployment. After the licenses are uploaded
and deployed, the event/flow capacity can then be reallocated through
the License Pool Management window.
Exceeding Your Licensed Processing Capacity Limits
The license pool becomes overallocated when the combined EPS
and FPM that is allocated to the managed hosts exceeds the EPS and
FPM that is in the shared license pool. When the license pool is overallocated,
the License Pool Management window shows a negative value
for the EPS and FPM, and the allocation chart turns red. JSA blocks functionality on the Network Activity and Log Activity tabs, including the ability to view events and
flows from the Messages list on the main JSA toolbar.
To enable the blocked functionality, reduce the EPS and FPM
that you allocated to the managed hosts in your deployment. If the
existing licenses do not have enough event and flow capacity to handle
the volume of network data, upload a new license that includes enough
EPS or FPM to resolve the deficit in the shared license pool.
Expired Licenses
When a license expires, JSA continues to process
events and flows at the allocated rate.
If the EPS and FPM capacity of the expired license was allocated
to a host, the shared resources in the license pool might go into
a deficit, and cause JSA to block functionality on the Network Activity and Log Activity tabs.
Capacity Sizing
The best way to deal with spikes in data is to ensure that your
deployment has enough events per second (EPS) and flows per minute
(FPM) to balance peak periods of incoming data. The goal is to allocate
EPS and FPM so that the host has enough capacity to process data spikes
efficiently, but does not have large amounts of idle EPS and FPM.
When the EPS or FPM that is allocated from the license pool
is very close to the average EPS or FPM for the appliance, the system
is likely to accumulate data in a temporary queue to be processed
later. The more data that accumulates in the temporary queue, also
known as the burst-handling queue, the longer it takes JSA to process the backlog. For example, a JSA host with
an allocated rate of 10,000 EPS takes longer to empty the burst-handling
queue when the average EPS rate for the host is 9,500, compared to
a system where the average EPS rate is 7,000.
Offenses are not generated until the data is processed by the
appliance, so it is important to minimize how frequently JSA adds data to the burst-handling queue. By ensuring that each managed
host has enough capacity to process short bursts of data, you minimize
the time that it takes for JSA to process the queue,
ensuring that offenses are created when an event occurs.
When the system continuously exceeds the allocated processing
capacity, you cannot resolve the problem by increasing the queue size.
The excess data is added to the end of the burst-handling queue where
it must wait to be processed. The larger the queue, the longer it
takes for the queued events to be processed by the appliance.
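The following added example (not part of the original documentation, and not JSA code) replays a constructed traffic spike against the 10,000 EPS allocation used above, to show how the drain time grows as the average rate approaches the allocation and why a host that is continuously over capacity never empties its queue. It assumes a single first-in, first-out queue and a fixed processing rate equal to the allocated EPS; the function names and the traffic shape are hypothetical.

```python
# Added illustration: a simple FIFO model of the burst-handling queue.
# Assumptions (not JSA internals): one queue, a fixed processing rate equal to
# the allocated EPS, and constructed per-second traffic.

def replay(allocated_eps, incoming_eps):
    """Replay per-second incoming EPS against a fixed allocated EPS."""
    backlog = peak = 0
    peak_at = drained_at = None
    for second, rate in enumerate(incoming_eps):
        # Anything above the allocated rate waits in the queue.
        backlog = max(0, backlog + rate - allocated_eps)
        if backlog > peak:
            peak, peak_at, drained_at = backlog, second, None
        elif backlog == 0 and peak_at is not None and drained_at is None:
            drained_at = second
    return {
        "peak_backlog": peak,
        # Seconds from the peak until the queue is empty (None: never emptied).
        "drain_seconds": None if drained_at is None else drained_at - peak_at,
        # Wait for the last event queued at the peak, that is, the delay
        # before that event can contribute to an offense.
        "max_delay_seconds": peak / allocated_eps,
        "final_backlog": backlog,
    }


def traffic(average_eps, spike_eps=20_000, pre=60, spike=30, post=900):
    """Constructed sample: steady average, one 30-second spike, steady again."""
    return [average_eps] * pre + [spike_eps] * spike + [average_eps] * post


ALLOCATED = 10_000  # allocated rate from the example in the text

if __name__ == "__main__":
    # 7,000 and 9,500 are the averages from the text; 10,500 is a constructed
    # case of a host that continuously exceeds its allocation.
    for avg in (7_000, 9_500, 10_500):
        print(avg, replay(ALLOCATED, traffic(avg)))
```
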
Internal Events
JSA appliances generate a small number
of internal events when they communicate with each other as they process
data.
To ensure that the internal events are not counted against the
allocated capacity, the system automatically returns all internal
events to the license pool immediately after they are generated.