Chronicle SOAR provides multiple deployment modes with high-availability clusters to ensure the constant availability of services. There are two layers involved in the Chronicle SOAR High Availability mechanism:

  • Application HA cluster
  • Database HA cluster

The two clusters work in a primary/secondary configuration, so that the Chronicle SOAR application and DB are automatically activated on another node if the active node fails for any reason (e.g., hardware failure).

The overall architecture is demonstrated in the following diagram:

A Chronicle SOAR High Availability deployment contains the following components:

Application cluster

  • Application Primary Server
  • Application Secondary Server
  • Virtual IP/Load Balancer

Database cluster (based on PostgreSQL v10)*

  • Database Primary Server
  • Database Secondary Server

The Chronicle SOAR High Availability solution uses the following tools:

Database Cluster Tools

  • Repmgr (version 5.0) is an open-source tool suite for managing replication and failover in a cluster of PostgreSQL servers.

Application Cluster Tools

  • Pacemaker (version 1.1.19-8.el7_6.5) is an open-source high availability resource manager used to manage resources and ensure that they remain available in the event of a node failure.
  • Corosync is an open-source program that provides cluster membership and messaging capabilities, often referred to as the messaging layer.
  • Virtual IP as a load balancer – Cloud service or Pacemaker capability.
  • The Linux cron utility is used to detect the active primary DB for the connection string.
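A cron-driven check of this kind should refuse to repoint the connection string when the cluster reports zero or several primaries. The following is an added example, not Chronicle SOAR's own script. It assumes the three-column output of `repmgr cluster show --csv` (node id, availability, recovery state), and the host names and the `NODE_HOSTS` mapping are hypothetical.

```shell
#!/bin/sh
# Added example (not product code): pick the active primary DB from
# `repmgr cluster show --csv` output read on stdin.
# CSV columns: node_id, availability (0 = available, -1 = unavailable),
# recovery state (0 = not in recovery, 1 = in recovery, -1 = unknown).

# Hypothetical mapping of repmgr node ids to DB hosts (constructed values).
NODE_HOSTS="1=db-a.example.internal 2=db-b.example.internal"

# find_primary: print the id of the single reachable node not in recovery.
# Exit status: 0 = exactly one primary, 1 = none, 2 = several (possible split-brain).
find_primary() {
    awk -F, '
        $2 == 0 && $3 == 0 { ids = ids (n++ ? " " : "") $1 }
        END {
            if (n == 1) { print ids; exit 0 }
            if (n == 0) { exit 1 }
            print "multiple primaries: " ids > "/dev/stderr"
            exit 2
        }'
}

# host_for_node: translate a node id to a host name; status 3 if unmapped.
host_for_node() {
    for hfn_pair in $NODE_HOSTS; do
        if [ "${hfn_pair%%=*}" = "$1" ]; then
            echo "${hfn_pair#*=}"
            return 0
        fi
    done
    return 3
}

# select_primary_host: print the host to put in the connection string,
# or fail without output so the caller leaves the current value untouched.
select_primary_host() {
    sph_rc=0
    sph_id=$(find_primary) || sph_rc=$?
    if [ "$sph_rc" -ne 0 ]; then
        return "$sph_rc"
    fi
    host_for_node "$sph_id"
}

# Constructed sample: node 1 is down, node 2 has been promoted.
printf '1,-1,-1\n2,0,0\n' | select_primary_host
```

In a real cron job the function's input would come from repmgr itself, and a non-zero status is a signal to alert rather than to rewrite the connection string.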