For installations that exceed a cluster size of eight servers (plus one primary node), multiple clusters are required.

Carbon Black EDR enables enterprise-wide management of multiple clusters via four main subsystems:

  • Custom Carbon Black Threat Intel Feeds: In-house threat intelligence can be syndicated over the network to all clusters from a single location.
  • REST API: Provides simple REST endpoints for searching and managing other cluster configuration details. Scripts for common tasks are available from our support staff.
  • Enterprise Messaging Bus: Lets external systems subscribe to the server's event streams. Carbon Black EDR provides an add-on Event Forwarder that forwards event data to third-party SIEMs or other integration points. For best performance, we recommend running the Event Forwarder on a separate server. The recommended Event Forwarder configuration is as follows:
    • Server Operating System:
      • CentOS 6.7-6.10 (64-bit)
      • CentOS 7.3-7.8 (64-bit)
      • The server can be either physical or virtualized.
    • Choose the same CPU/RAM level from the Server sizing chart, based on event data volume, to match your Carbon Black EDR server specification
    • 4TB Enterprise Grade SSD for store-and-forward
  • Syslog: Combines alert information from multiple clusters and forwards it to a central location (such as a SIEM).
  • Unified View Server: (See the VMware Carbon Black EDR Unified View User Guide.) Provides unified login and capabilities across multiple clusters. A base configuration requires the following:
    • Server Operating System (see What Carbon Black EDR console/server operating systems are supported?)
      • The server can be either physical or virtualized.
    • For < 10 Carbon Black EDR servers:
      • 8 GB of RAM
      • 4 CPU cores and 500 GB Storage
    • For 10 to 100 Carbon Black EDR servers:
      • Minimum 16 GB of RAM
      • Minimum 8 CPU cores and 1 TB storage
    • Storage is required for OS files and logging only. Unified View is not I/O intensive.
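
The first two subsystems above (custom threat intel feeds syndicated from one location, and the REST API used to manage each cluster) can be combined into a single management script. The following is an added example, not code from the VMware Carbon Black EDR product or its documentation: it builds a feed document in the Carbon Black feed JSON layout (a `feedinfo` block plus a `reports` list with `iocs`), rejects malformed indicators before anything is published, and prepares one feed-registration request per cluster. The `/api/v1/feed` endpoint, the `X-Auth-Token` header and the `feed_url`/`enabled` body fields are assumptions to verify against the REST API documentation for your release; the cluster URLs, tokens and indicators are constructed sample values. No network call is made; the returned request tuples are what you would hand to an HTTP client.

```python
"""Build one custom threat intel feed and prepare its registration on
several Carbon Black EDR clusters from a single management host.

Added example; endpoint, header and body field names are assumptions,
all hostnames, tokens and indicators are constructed sample data."""
import ipaddress
import json
import re
import time
from typing import Dict, List, Tuple

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_iocs(iocs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Normalise and sanity-check the IOC lists of one report.

    Only md5, ipv4 and dns are handled here. A malformed indicator raises
    instead of shipping a feed that every cluster would then fail to load
    (or, worse, silently match on garbage)."""
    clean: Dict[str, List[str]] = {}
    for kind, values in iocs.items():
        if kind == "md5":
            out = [v.lower() for v in values]          # feed hashes are lowercase hex
            bad = [v for v in out if not MD5_RE.match(v)]
        elif kind == "ipv4":
            out, bad = list(values), []
            for v in out:
                try:
                    ipaddress.IPv4Address(v)
                except ValueError:
                    bad.append(v)
        elif kind == "dns":
            out = [v.lower().rstrip(".") for v in values]  # strip trailing dot, lowercase
            bad = [v for v in out if not v or " " in v]
        else:
            raise ValueError(f"unsupported IOC type: {kind}")
        if bad:
            raise ValueError(f"malformed {kind} indicator(s): {bad}")
        clean[kind] = sorted(set(out))                  # de-duplicate, stable order
    return clean


def make_report(report_id: str, title: str, score: int,
                iocs: Dict[str, List[str]], link: str = "") -> Dict:
    """One feed report: an id, a 0..100 severity score and its IOCs."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100")
    return {
        "id": report_id,
        "timestamp": int(time.time()),
        "title": title,
        "score": score,
        "link": link,
        "iocs": validate_iocs(iocs),
    }


def build_feed(name: str, reports: List[Dict],
               provider_url: str = "https://intel.example.internal") -> Dict:
    """Assemble the feed document (feedinfo + reports). Report ids must be
    unique within a feed, so duplicates are rejected here."""
    ids = [r["id"] for r in reports]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate report ids in feed")
    return {
        "feedinfo": {
            "name": name,                               # short machine name, no spaces
            "display_name": name.replace("_", " ").title(),
            "provider_url": provider_url,
            "summary": "In-house indicators syndicated to every cluster",
            "tech_data": "Matches on MD5, IPv4 and DNS indicators",
        },
        "reports": reports,
    }


def registration_requests(feed_url: str,
                          clusters: Dict[str, str]) -> List[Tuple[str, Dict, Dict]]:
    """One (endpoint, headers, body) tuple per cluster so a single host can
    point every cluster at the same published feed URL.
    ASSUMPTION: POST /api/v1/feed with X-Auth-Token and a feed_url body."""
    requests_out = []
    for base_url, api_token in clusters.items():
        requests_out.append((
            base_url.rstrip("/") + "/api/v1/feed",
            {"X-Auth-Token": api_token, "Content-Type": "application/json"},
            {"feed_url": feed_url, "enabled": True, "validate_server_cert": True},
        ))
    return requests_out


if __name__ == "__main__":
    feed = build_feed("corp_intel", [make_report(
        "rpt-0001", "Constructed sample indicators", 75,
        {"md5": ["D41D8CD98F00B204E9800998ECF8427E"],
         "ipv4": ["203.0.113.7"], "dns": ["Bad.Example.Net."]})])
    print(json.dumps(feed, indent=2))   # this is what you would host at feed_url
    for endpoint, headers, body in registration_requests(
            "https://intel.example.internal/corp_intel.json",
            {"https://edr-a.example.internal": "TOKEN-A", "https://edr-b.example.internal": "TOKEN-B"}):
        print(endpoint, json.dumps(body))
```

Host the printed JSON on an internal web server that every cluster can reach, then send each prepared request with an HTTP client of your choice; because `validate_iocs` runs before publication, a typo in one hash fails on the management host rather than on nine clusters at once.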

Multi-cluster solutions reduce wide-area bandwidth consumption where endpoints are geographically dispersed. Network bandwidth load is confined to the local, higher-speed links of each local area network; only API calls, alliance communications, and queries cross the more constrained wide area network.