19. Components » Sensor Cluster¶

Sensor Cluster aggregates the traffic statistics collected by Packet Sensors and Flow Sensors into a single anomaly detection domain and/or IP graphing domain. It is usually used to create a single logical interface from two or more router interfaces monitored by Flow Sensor, or to group up several Packet Sensors that listen to bonded interfaces or to different NIC queues.

To add a Sensor Cluster, click the [+] button found on the title bar of the Configuration » Components panel. To configure an existing Sensor Cluster, go to Configuration » Components, then click its name.

Sensor Cluster Configuration parameters:

● Sensor Name – A short label for easily identifying the Sensor Cluster

● Server Color – The default color is random, but you can choose a new one from the drop-down menu. This color is used in graphs for the Sensor Cluster

● Sensor Visibility – Toggles the listing inside the Reports » Devices panel

● Device Group – Enter a description if you wish to organize components (e.g. by location, characteristics) or to permit fine-grained access for roles

● Sensor Server – Select a server that meets the minimum system requirements for running the Sensor Cluster

● Associated Sensors – Choose which Packet Sensors or Flow Sensor interfaces you want the Sensor Cluster to aggregate

● Link Speed IN / OUT – Enter the combined bandwidth or capacity of the aggregated interfaces. These values are used for percentage-based reports and bits/s thresholds

● IP Zone – Sensor Cluster uses the IP Zone to determine network boundaries and apply per-subnet settings

● IP Graphing – Sensor Cluster can generate IP graphs for the summed up traffic data

▪ Aggregated – Enables IP graphing within the Sensor Cluster and disables IP graphing in the associated Sensors

▪ Not Aggregated – Enables IP graphing per associated Sensor and disables IP graphing in the Sensor Cluster

● Anomaly Detection – Sensor Cluster can detect anomalies in the summed up traffic data

▪ Aggregated – Enables anomaly detection in the Sensor Cluster, disabling it in associated Sensors. To view anomaly graphs, set IP Graphing to Aggregated as well

▪ Not Aggregated – Enables anomaly detection in each associated Sensor, disabling it in the Sensor Cluster

▪ Duplicated – Enables anomaly detection in both the Sensor Cluster and the associated Sensors

● Comments – Record any Sensor Cluster notes here. These remarks are for internal reference only and will not be visible elsewhere

To start the Sensor Cluster, click the on/off button next to its name in Configuration » Components. Monitor the event log and Reports » Devices » Overview to confirm it starts correctly and traffic values are being recorded.