Failover and Failback
If you need to designate the Secondary site as the Active site, read this section for an overview of the failover process and for detailed instructions on how to switch between sites.
Overview of the Failover Process
The failover process depends on whether you purposely shut down the Primary site (Planned Failover) or the Primary site went down unexpectedly (Unplanned Failover). In either case, you must manually perform a failover, as outlined below:
- Manually initiate the failover, using the appropriate process:
  - Planned Failover. Go to the Primary (active) site and use the DR Control (DR_Monitoring.ps1) script to initiate the failover to the standby site. For more information, see Perform a Planned Failover below.
  - Unplanned Failover. Go to the Secondary (standby) site and use the DR Control (DR_Monitoring.ps1) script to initiate the failover to the standby site. For more information, see Perform an Unplanned Failover below.
- Update the shared DNS record so the Primary site components point to the IP address of the Secondary Platform Manager. Once the time to live (TTL) limit is reached, all systems in the Primary site reconnect to the newly activated Platform Manager.
- If a Data Processor is unavailable on the Primary site, reconnect Agents to a new Data Processor by changing the DNS records.
Perform a Planned Failover
- Access the Primary (active) Platform Manager.
- Click Start, All Programs, LogRhythm, and Disaster Recovery.
- Right-click DR Control and click Run as administrator. Enter your local system administrator credentials.
- To display the DR Control Options, press D.
- To initiate the failover process, type F.
- At the Would you like to failover… prompt, type Y.
  The DR solution automatically performs the following tasks:
  - Stops the Platform Manager services on the Primary (active) site.
  - Makes sure all databases are in sync between the Primary and Secondary sites.
  - Designates the Secondary Platform Manager as the Active site. In DR Controls, the Role column displays Standby.
- Update the DNS record so that all components point to the IP address of the Secondary Platform Manager.
  After the time to live (TTL) limit is reached, all systems reconnect to the newly activated Platform Manager.
- Go to the Secondary Platform Manager server and confirm that the Platform Manager services, which include the Alarming and Response Manager (ARM) service and the Job Manager service, have started. If necessary, also start the services for the Data Processors, Data Indexers, and the AI Engines.
- If necessary, reconnect remote systems to the Secondary Platform Manager by changing the DNS records. If a Data Processor is unavailable, reconnect Agents to a new Data Processor by changing the DNS records or by using the Deployment Manager in the SIEM Console to redirect them.
Perform an Unplanned Failover (Disaster Recovery Only)
This procedure applies to deployments that have only Disaster Recovery configured. If you have an HA + DR system, see Perform an Unplanned Failover (HA + DR).
- Go to the Secondary (standby) Platform Manager.
- Click Start, All Programs, LogRhythm, and Disaster Recovery.
- Right-click DR Control and click Run as administrator. Enter your local system administrator credentials.
  The DR solution displays a warning, indicating that executing a failover from the standby system may result in data loss. Because the Primary site may have gone offline before the databases were fully synchronized, some data may be lost.
- To continue, type Y.
  The DR solution automatically performs the following tasks:
  - Switches the Secondary Platform Manager to the Active state.
  - Starts the Platform Manager services on the Secondary site.
  - Loads the replicated databases. In the DR Controls, the Role column displays “Active,” and the State column is still “Disconnected” to indicate the databases are not currently replicating.
- When the failover is complete, press Enter to exit.
Perform an Unplanned Failover (HA + DR)
This procedure applies to deployments that have both High Availability and Disaster Recovery configured. If you have a DR-only system, see Perform an Unplanned Failover (Disaster Recovery Only).
- Go to the Secondary (standby) Platform Manager.
- Click Start, All Programs, LogRhythm, and Disaster Recovery.
- Right-click DR Control and click Run as administrator. Enter your local system administrator credentials.
- To display the DR Control Options, type D.
- To initiate the failover, type F.
  The DR solution displays a warning, indicating that executing a failover from the standby system may result in data loss. Because the Primary site may have gone offline before the databases were fully synchronized, some data may be lost.
- To continue, type Y.
  The DR solution automatically performs the following tasks:
  - Switches the Secondary Platform Manager to the Active state.
  - Starts the Platform Manager services on the Secondary site.
  - Loads the replicated databases.
- Update the DNS record so that all components point to the IP address of the Secondary Platform Manager.
  After the Time to Live (TTL) limit is reached, all systems within the Primary site reconnect to the newly activated Platform Manager.
- If necessary, reconnect remote systems to the Secondary Platform Manager by changing the DNS records. If a Data Processor is unavailable on the Primary site, reconnect Agents to a new Data Processor by changing the DNS records or by using the Deployment Manager in the SIEM Console.
Resume Operations on the Primary Platform Manager
When the Primary Platform Manager is operational again, you can perform a failback to the Primary site as follows:
- Go to the Primary Platform Manager.
- Click Start, All Programs, LogRhythm, and Disaster Recovery.
- Right-click DR Control and click Run as administrator. Enter your local system administrator credentials.
  If the DR Solution detects that the Primary Platform Manager is operational, the State column displays Suspended. This means that the Primary site is ready and waiting for data replication to resume.
- To display the DR Control Options, type D.
- To resume data replication, type R.
  The State column displays Synchronizing during this process.
- Wait for all databases to show Synchronized state, and then access the Primary Platform Manager.
- From the Primary Platform Manager, open DR Control.
- Type D to display the DR Control Options, and then type F to fail over to this site. At the Would you like to failover… prompt, type Y.
  The DR solution automatically performs the following tasks:
  - Switches the Primary Platform Manager to the Active state.
  - Starts the Platform Manager services on the Primary site.
- Update the DNS record so that all components point to the IP address of the Primary Platform Manager.
  After the time to live (TTL) limit is reached, all systems reconnect to the newly activated Platform Manager.
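Each procedure above ends with a DNS update followed by a wait for the TTL to expire, so a post-failover check is useful. The PowerShell below is an added example, not part of the LogRhythm documentation or tooling: it asks every DNS server directly whether the shared record already returns the newly active Platform Manager and how long the TTL is, then lists services that are not running. The record name, IP addresses, DNS server list and the 'LogRhythm*' display-name pattern are assumptions to replace with your own values.

```powershell
# Added example. All names, addresses and the service pattern are placeholders.
function Test-FailoverDns {
    param(
        [Parameter(Mandatory)] [string]   $RecordName,  # shared DNS record of the Platform Manager
        [Parameter(Mandatory)] [string]   $ExpectedIp,  # IP of the site that should now be Active
        [Parameter(Mandatory)] [string[]] $DnsServer    # every DNS server the components query
    )
    foreach ($server in $DnsServer) {
        try {
            # Ask each server directly: this shows what that server answers now,
            # not what the local resolver cache on this host still holds.
            $a = @(Resolve-DnsName -Name $RecordName -Type A -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' })
            $stale = @($a | Where-Object { $_.IPAddress -ne $ExpectedIp })
            [pscustomobject]@{
                Server     = $server
                Answer     = ($a.IPAddress -join ',')
                # A caching server reports the remaining TTL, an authoritative one the full TTL.
                TtlSeconds = ($a | Measure-Object -Property TTL -Maximum).Maximum
                Updated    = ($a.Count -gt 0) -and ($stale.Count -eq 0)
            }
        } catch {
            # An unreachable DNS server counts as "not updated" so it is not overlooked.
            [pscustomobject]@{
                Server     = $server
                Answer     = "query failed: $($_.Exception.Message)"
                TtlSeconds = $null
                Updated    = $false
            }
        }
    }
}

function Get-StoppedPlatformServices {
    # Assumption: the services to confirm share a display-name prefix; adjust the pattern.
    param([string] $DisplayNamePattern = 'LogRhythm*')
    Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -ne 'Running' } |
        Select-Object Name, DisplayName, Status
}

# Run on the newly active Platform Manager after updating the DNS record.
Test-FailoverDns -RecordName 'lr-pm.example.internal' -ExpectedIp '192.0.2.20' `
                 -DnsServer '192.0.2.53', '192.0.2.54' | Format-Table -AutoSize
Get-StoppedPlatformServices
```

A server that still shows Updated = False with a large TtlSeconds tells you how long components using it can keep connecting to the old site; for a failback, pass the Primary Platform Manager address as ExpectedIp.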