For installations that exceed a cluster size of eight servers (plus one primary node), multiple clusters are required.
Carbon Black EDR enables enterprise-wide management of multiple clusters via four main subsystems:
- Custom Carbon Black Threat Intel Feeds: In-house threat intelligence can be syndicated over the network to all clusters from a single location.
- REST API: Provides simple REST endpoints for searching and managing other cluster configuration details. Scripts for common tasks are available from our support staff.
- Enterprise Messaging Bus: Allows subscribing to event streams. Carbon Black EDR provides an add-on Event Forwarder to forward event data to third-party SIEMs or other integration points. For best performance, we recommend that Event Forwarder be configured to run on a separate server. The recommended Event Forwarder configuration is as follows:
  - Server Operating System:
    - CentOS 6.7-6.10 (64-bit)
    - CentOS 7.3-7.8 (64-bit)
  - The server can be either physical or virtualized.
  - Choose the same CPU/RAM level from the Server sizing chart, based on event data volume, to match your Carbon Black EDR server specification.
  - 4 TB enterprise-grade SSD for store-and-forward.
- Syslog: Combines alerting information from multiple clusters and forwards it to a central location (such as a SIEM).
- Unified View Server: (See the VMware Carbon Black EDR Unified View User Guide.) Provides unified login and capabilities across multiple clusters. A base configuration requires the following:
  - Server Operating System (see "What Carbon Black EDR console/server operating systems are supported?")
  - The server can be either physical or virtualized.
  - For < 10 Carbon Black EDR servers:
    - 8 GB of RAM
    - 4 CPU cores and 500 GB storage
  - For 10 to 100 Carbon Black EDR servers:
    - Minimum 16 GB of RAM
    - Minimum 8 CPU cores
    - 1 TB storage
  - Storage is required for OS files and logging only. Unified View is not I/O intensive.
Multi-cluster solutions reduce bandwidth demands where endpoints are geographically dispersed. Network bandwidth loads are confined to the local, higher-speed links of each local area network; only API calls, alliance communications, and queries are sent over the more constrained wide area network.