Burst Handling
JSA uses burst handling to ensure that no data is lost when the system exceeds the allocated events per second (EPS) or flows per minute (FPM) license limits.
When JSA receives a data spike that causes it to exceed the allocated EPS and FPM limits, the extra events and flows are moved to a temporary queue to be processed when the incoming data rate slows. When burst handling is triggered, a system notification alerts you that the appliance exceeded the EPS or FPM license limit.
The backlog in the temporary queue is processed in the order that the events or flows were received. The older data at the start of the queue is processed before the most recent data at the end of the queue. The rate at which the queue empties or fills is impacted by several factors, including the volume and duration of the data spike, the capacity of the appliance, and the payload size.
Hardware appliances normally can handle burst rates at least 50% greater than the appliance's stated EPS and FPM capability, and can store up to 5GB in the temporary queue. The actual burst rate capability depends upon the system load. VM appliances can achieve similar results if the VM is adequately sized and meets the performance requirements.
The burst recovery rate is the difference between the allocated rate and the incoming rate. When the volume of incoming data slows, the system processes the backlog of events or flows in the queue as fast as the recovery rate allows. The smaller the recovery rate, the longer it takes to empty the queue.
Example: Incoming Data Spike
Every morning, between 8am and 9am, a company's network experiences a data spike as employees log in and begin to use the network resources.
The company's deployment includes a JSA Event and Flow Processor combo appliance that is allocated 5,000 events per second (EPS) and 100,000 flows per minute (FPM). The average capacity for this appliance is 4,000 EPS and 70,000 FPM.
During the data spike, which peaks around 9am, the appliance routinely receives up to 6,000 EPS and 120,000 FPM. JSA automatically moves the extra events and flows (1,000 EPS and 20,000 FPM) to the burst handling queue, and generates a system notification to alert the administrator that the appliance exceeded the allocated capacity.
The following images show a two-hour window when the incoming event and flow data exceeds the licensed capacity, which triggers a system notification, and a recovery period after the data volume returns to normal.
The recovery rate is the difference between the allocated EPS or FPM amount and the current incoming data rate. In this example, when the event and flow rates return to normal, the recovery rate is 1,000 EPS and 30,000 FPM.
5,000 licensed events - 4,000 incoming events = 1,000 EPS recovery rate
100,000 licensed flows - 70,000 incoming flows = 30,000 FPM recovery rate
Offenses are not generated until the data is processed by the appliance, so it is important to allocate enough EPS and FPM to the appliance to ensure that it can recover from a data spike quickly.
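The following sketch is an added example, not part of the JSA documentation or product code. It replays the spike from this section through a simple first-in, first-out queue to estimate the peak backlog, the time until the queue is empty, and the longest wait before queued data is processed (and can therefore contribute to an offense). Assumptions: the spike is modeled as a flat hour at the peak rate, processing is capped at exactly the allocated rate, the average event payload is 500 bytes, and "5GB" is read as 5 GiB.

```python
QUEUE_LIMIT_BYTES = 5 * 1024**3   # "up to 5GB" from the text, read as GiB (assumption)
AVG_EVENT_BYTES = 500             # assumed average event payload size

def simulate_burst(incoming_per_min, licensed_per_min):
    """Replay per-minute arrival counts against an allocated per-minute rate.

    Returns the peak backlog, the minute at which the queue empties
    (None if it is still backed up when the profile ends), and the
    longest FIFO wait in minutes.
    """
    backlog = peak = arrived_total = done_total = 0
    arrived, done = [], []        # cumulative totals at the end of each minute
    drained_at = None
    for minute, arrivals in enumerate(incoming_per_min, start=1):
        processed = min(backlog + arrivals, licensed_per_min)
        was_queued = backlog > 0
        backlog += arrivals - processed
        peak = max(peak, backlog)
        if backlog > 0:
            drained_at = None
        elif was_queued:
            drained_at = minute
        arrived_total += arrivals
        done_total += processed
        arrived.append(arrived_total)
        done.append(done_total)
    # FIFO: data received by minute i is finished at the first minute j
    # where cumulative processed >= cumulative received at i.
    worst_wait, j = 0, 0
    for i, target in enumerate(arrived):
        j = max(j, i)
        while j < len(done) and done[j] < target:
            j += 1
        if j == len(done):
            break                 # still queued when the profile ends
        worst_wait = max(worst_wait, j - i)
    return {"peak_backlog": peak, "drained_at_minute": drained_at,
            "worst_wait_minutes": worst_wait}

# Constructed profile: 60 minutes at the spike rate, then 90 minutes at the normal rate.
events = simulate_burst([6000 * 60] * 60 + [4000 * 60] * 90, 5000 * 60)
flows = simulate_burst([120_000] * 60 + [70_000] * 90, 100_000)

if __name__ == "__main__":
    print("events:", events)
    print("flows: ", flows)
    queued_bytes = events["peak_backlog"] * AVG_EVENT_BYTES
    print("event backlog fits in queue:", queued_bytes <= QUEUE_LIMIT_BYTES)
```

Under these assumptions the event queue takes 60 minutes to empty after the spike ends and the flow queue takes 40, while the longest wait for any single event or flow is about 12 minutes, because the queue is worked through at the full allocated rate even as new data joins the end.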