Configuring external indexers
If One Identity Safeguard for Privileged Sessions (SPS) audits lots of connections, processing and indexing the created audit trails requires significant computing resources, which may not be available in the SPS appliance. To decrease the load on the SPS appliance, you can install the indexer service on external Linux hosts. These external indexer hosts run the same indexer service as the SPS appliance, and can index audit trails, or generate screenshots and replayable video files from the audit trails as needed. The external indexers register on SPS, wait for SPS to send an audit trail to process, process the audit trail, then return the processed data to SPS. The external indexer hosts do not store any data, thus any sensitive data is available on the host while it is being processed.
To use external indexers to process your audit trails, you have to complete the following steps.
Detailed information about this topic
Prerequisites and limitations
Before starting to use One Identity Safeguard for Privileged Sessions (SPS) with external indexers, consider the following:
-
If there is a firewall between the host of the external indexer and SPS, enable connections from the external indexer to SPS.
The default port is TCP/12345. To change the port number, you have to modify the indexer settings on SPS, and upload the new configuration to the external indexer(s).
-
To protect the sensitive data in the audit trails, ensure that the audit trails are encrypted. For details on encrypting audit trails, see Encrypting audit trails.
-
Make sure to permit indexer access only to the hosts that really run external indexers on the Basic Settings > Local Services > Indexer service page of the SPS web interface.
-
NOTE: The current OCR engine cannot guarantee accurate character recognition for non-Latin characters smaller than 30 x 30 pixels. If you encounter problems with character recognition for non-Latin characters, increase resolution settings in your connection.
-
The external indexer can be installed on the following 64-bit operating systems: Red Hat Enterprise Linux Server 8 and its derivatives, such as CentOS, Oracle Linux, AlmaLinux, Rocky Linux, etc.
NOTE: Derivatives are supported only if an issue can be reproduced on an official RHEL distribution. Do not report issues specific to a derivative OS but not to RHEL.
-
Update your system:
yum update
Download the External Indexer bundle from the SPS box itself:
curl https://<SPS-IP>/external-indexer.rpm -o external-indexer.rpm
Install the bundle:
yum install external-indexer.rpm
If your security policy does not permit the above limitations, or your environment does not make it possible to fulfill them, do not use external indexers with SPS.
Hardware requirements for the external indexer host
NOTE: This is a data-driven part of the product. Hardware requirements and exact memory usage cannot be safely predicted as the actual memory usage depends on the contents of the sessions.
-
CPU: You can configure the number of audit trails that an indexer host processes at the same time. For optimal performance, each indexer process should have a dedicated CPU core.
-
Memory requirements: In addition to the memory requirements of the operating system of the host, the indexer requires about 300 MB memory for each worker process, depending on the protocol of the indexed audit trails. The audit trails of terminal connections require less memory.
-
Disk: The indexer requests the data from One Identity Safeguard for Privileged Sessions (SPS) in small chunks, it does not store the entire audit trail nor any temporary files. You will need only disk space for the operating system, and a few GB to store logs.
For example, if you want to have a host that can process 6 audit trails at the same time, you need 6 CPU cores and 1.8 GB of memory for the indexer service. If you install only a minimal operating system and the external indexer on the host, 6 GB disk space should be enough.
Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers
The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to accept connections from external indexer services.
To configure SPS to accept connections from external indexer services
-
Log in to the SPS web interface, and navigate to Basic Settings > Local Services > Indexer service.
-
Select Indexer service.
-
Select Enable remote indexing.
Figure 250: Basic Settings > Local Services > Indexer service > Enable remote indexing — Configure external indexers
-
In the Listening addresses > Address field, select the network interface where SPS should accept external indexer connections. Repeat this step to add other interfaces if needed.
The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.
-
Select Restrict clients, and list the IP address and netmask of your external indexer hosts.
Use an IPv4 address.
-
Click Commit.