If One Identity Safeguard for Privileged Sessions (SPS) audits many connections, processing and indexing the resulting audit trails requires significant computing resources, which may not be available on the SPS appliance. To decrease the load on the SPS appliance, you can install the indexer service on external Linux hosts. These external indexer hosts run the same indexer service as the SPS appliance, and can index audit trails, or generate screenshots and replayable video files from the audit trails as needed. The external indexers register on SPS, wait for SPS to send an audit trail to process, process the audit trail, then return the processed data to SPS. The external indexer hosts do not store any data, so sensitive data is present on a host only while it is being processed.
To use external indexers to process your audit trails, you have to complete the following steps.
Read the conditions and limitations related to external indexers in Prerequisites and limitations.
Install and configure the hosts (physical or virtual) that will run the external indexer service. For details on the hardware requirements, see Hardware requirements for the external indexer host.
Configure SPS to use external indexers. For details, see Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers.
Install and configure the indexer application on the external hosts. For details, see Installing the external indexer and Configuring the external indexer.
If you enabled audit trail encryption on SPS, you also need to upload the necessary certificates to the external indexer so that it can index the encrypted trails. For details, see Uploading decryption keys to the external indexer.
Hardware requirements for the external indexer host
Configuring One Identity Safeguard for Privileged Sessions (SPS) to use external indexers
Installing the external indexer
Configuring the external indexer
Uploading decryption keys to the external indexer
Configuring a hardware security module (HSM) or smart card to integrate with external indexer
Customizing the indexing of HTTP traffic
Disabling indexing on One Identity Safeguard for Privileged Sessions (SPS)
Before starting to use One Identity Safeguard for Privileged Sessions (SPS) with external indexers, consider the following:
If there is a firewall between the host of the external indexer and SPS, enable two-way communication between them.
The default port is TCP/12345. To change the port number, you have to modify the indexer settings on SPS, and upload the new configuration to the external indexer(s).
To protect the sensitive data in the audit trails, ensure that the audit trails are encrypted. For details on encrypting audit trails, see Encrypting audit trails.
Make sure to permit indexer access only to the hosts that really run external indexers on the Basic Settings > Local Services > Indexer service page of the SPS web interface.
The current OCR engine cannot guarantee accurate character recognition for Asian characters smaller than 30 x 30 pixels. If you encounter problems with character recognition for Asian characters, increase resolution settings in your connection.
The external indexer can be installed on the following 64-bit operating systems: Red Hat Enterprise Linux Server 6.7, Red Hat Enterprise Linux Server 7, and CentOS 7. The installer is a self-contained package that includes every required dependency of the indexer.
If your security policy does not permit the above limitations, or your environment does not make it possible to fulfill them, do not use external indexers with SPS.
NOTE: This is a data-driven part of the product. Hardware requirements and exact memory usage cannot be safely predicted as the actual memory usage depends on the contents of the sessions.
CPU: You can configure the number of audit trails that an indexer host processes at the same time. For optimal performance, each indexer process should have a dedicated CPU core.
Memory requirements: In addition to the memory requirements of the operating system of the host, the indexer requires about 300 MB of memory for each worker process, depending on the protocol of the indexed audit trails. The audit trails of terminal connections require less memory.
Disk: The indexer requests the data from One Identity Safeguard for Privileged Sessions (SPS) in small chunks; it does not store the entire audit trail or any temporary files. You need disk space only for the operating system, plus a few GB to store logs.
For example, if you want to have a host that can process 6 audit trails at the same time, you need 6 CPU cores and 1.8 GB of memory for the indexer service. If you install only a minimal operating system and the external indexer on the host, 6 GB disk space should be enough.
The following describes how to configure One Identity Safeguard for Privileged Sessions (SPS) to accept connections from external indexer services.
To configure SPS to accept connections from external indexer services
Log in to the SPS web interface, and navigate to Basic Settings > Local Services > Indexer service.
Select Indexer service.
Select Enable remote indexing.
Figure 223: Basic Settings > Local Services > Indexer service > Enable remote indexing — Configure external indexers
In the Listening addresses > Address field, select the network interface where SPS should accept external indexer connections. Repeat this step to add other interfaces if needed.
The available addresses correspond to the interface addresses configured in Basic Settings > Network > Interfaces. Only IPv4 addresses can be selected.
Select Restrict clients, and list the IP address and netmask of your external indexer hosts.
Use an IPv4 address.
Click Commit.
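Because the Restrict clients list is what keeps other hosts from registering as indexers and receiving audit trail data, it is worth checking it against the hosts that actually run the indexer service before you commit. The following is an added example, not part of the SPS product or its documentation; the networks, host addresses and the minimum prefix length it flags as too broad are constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values (not from the SPS documentation): the entries you
# would type under Restrict clients, and the hosts that actually run indexers.
RESTRICT_CLIENTS = ["10.20.30.0/24", "192.168.5.17/32", "0.0.0.0/0"]
INDEXER_HOSTS = ["10.20.30.41", "10.20.30.42", "192.168.5.17", "fd00::17"]

# Assumption: a prefix shorter than this is too broad for a list that should
# name only the indexer hosts themselves.
MIN_PREFIXLEN = 24


def audit_restrict_clients(allowed: List[str], hosts: List[str],
                           min_prefixlen: int = MIN_PREFIXLEN) -> Dict[str, List[str]]:
    """Compare a Restrict clients list with the real indexer hosts.

    Returns findings keyed by category; an empty dict means the list is tight.
    """
    findings: Dict[str, List[str]] = {}

    def add(category: str, item: str) -> None:
        findings.setdefault(category, []).append(item)

    networks = []
    for entry in allowed:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            add("invalid_entry", entry)
            continue
        if net.version != 4:               # SPS accepts only IPv4 here
            add("not_ipv4", entry)
            continue
        if net.prefixlen < min_prefixlen:  # e.g. 0.0.0.0/0 lets any host in
            add("too_broad", entry)
        networks.append(net)

    v4_hosts = []
    for h in hosts:
        addr = ipaddress.ip_address(h)
        if addr.version != 4:
            add("host_not_ipv4", h)        # cannot be listed on SPS at all
            continue
        v4_hosts.append(addr)
        if not any(addr in net for net in networks):
            add("host_not_permitted", h)   # SPS would refuse this indexer

    # An allowed network containing no indexer host is stale or over-permissive.
    for net in networks:
        if not any(a in net for a in v4_hosts):
            add("unused_entry", str(net))
    return findings
```

Run it against your own lists before clicking Commit; any "too_broad", "unused_entry" or "host_not_permitted" finding means the list either admits hosts that are not indexers or locks out one that is.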