Add applet to cluster - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract: Learn more about adding an applet to a High Availability cluster.

You can add an applet to a high availability (HA) cluster from the Clusters tab of the Broker VMs page.

You can always add an applet to a cluster, even if the cluster status is Unavailable or Error. When an applet is added to a cluster without any Broker VM nodes, the cluster status is Unavailable and the cluster APPS status displays as Inactive.

  1. Select Settings → Configurations → Data Broker → Broker VMs, and select the Clusters tab.

  2. In the Clusters table, locate the cluster to which you want to add an applet.

  3. You can either right-click the cluster and select Add App → <name of applet>, or in the APPS column, left-click Add → <name of applet>.

    The applet is only available for you to add to the cluster if it hasn't already been added.

    Note

    With Cortex XDR Prevent, it's only relevant to configure an HA cluster with a Local Agent Settings applet, as this is the only applet supported for this product license. The other applets are collector applets, which are only available in Cortex XDR Pro or Cortex XSIAM.

  4. Configure your applet.

    The various applets that you can configure are the same as when configuring a standalone Broker VM. For more information on a particular applet configuration, locate the applet in the Set up Broker VM section in the Cortex XSIAM Admin Guide.

    The applet is listed with a status indicator in the APPS column, where the colors depict the following statuses.

    • Green: Connected

    • Red: Connection Failed or Error

    • White: Inactive

    Once the applet configuration is changed in a cluster, the changes are automatically applied to the cluster nodes, depending on the applet and the cluster node role. For example, if you add the Kafka Collector, which is an "active/passive" applet, the applet is automatically initiated and enters an active state on the Primary node, and is on standby on the standby nodes. By contrast, if you add the Syslog Collector, which is an "active/active" applet, the changes automatically propagate so that the applet is active on all cluster nodes, including Primary and standby.