ArcSight high availability nodes and licensing
Resilience is a design requirement, not a doubling of consumption, but an audit does not always read it that way. High availability nodes in an ArcSight deployment become a licensing finding when standby, failover, and cluster members are counted as if each were carrying full production load, turning a single resilient service into two or more billable deployments.
ArcSight reached the OpenText estate through the Micro Focus acquisition that closed on January 31, 2023, and is governed by the Additional License Authorizations rather than the OpenText EULA. A well-designed SIEM is built for resilience, with standby nodes ready to take over, cluster members sharing load, and failover targets that sit idle until they are needed. The defensive question is simple: which of these nodes is actually consuming licensed capacity, and which are present only to keep the service available? The answer is in the authorization, not in a raw node count.
Why a node count is not a capacity count
Counting nodes is easy. Counting licensed capacity is the real exercise, and the two are not the same. A standby node that processes nothing until a failover event is not carrying production load. A cluster of members that share a single workload between them is not the same as the same number of independent full-load deployments. An audit that lists every node and prices each at full capacity is measuring the topology, not the entitlement. The corrective is to establish what each node actually does in steady state and to hold the count to the role each node plays, against whatever the authorization says about standby and failover rights.
High availability multiplies nodes to protect a service, not to multiply consumption. A finding that prices a standby or failover node as a full production deployment counts resilience as if it were growth.
Where the high availability finding inflates
The inflation in a resilient ArcSight deployment usually comes from a few recognisable places. Each is a question about role, not about presence.
- Idle standby nodes. Failover targets that process no production load until they are activated, counted as live capacity.
- Cluster double counting. Members that share a single workload summed as though each carried the full load independently.
- Disaster recovery sites. A second site held in reserve, counted as a full duplicate of the primary rather than as recovery capacity.
- Cold and warm spares. Hardware staged for replacement, configured but not in production use.
Reconstruct against standby and failover rights
The four Rs apply directly. Respond inside the seven-day notice window and route every topology request through a single controlled channel so each node is described once, by role. Reconstruct the effective position by mapping each node to what it actually does in steady state, and by reading the authorization for any standby, failover, or disaster recovery rights that bear on how those nodes are counted. Rebut the finding line by line, removing idle standby and double-counted cluster capacity. Resolve on terms that fix how resilient capacity is treated so the next measurement does not relitigate the topology.
A recent engagement
In a recent engagement, an ArcSight finding had counted a resilient deployment by listing every node, including idle failover targets and a disaster recovery site, and pricing each as full production capacity. Mapping each node to its actual steady-state role and reading the authorization for standby treatment corrected the finding without inventing any new facts about the architecture. The discipline mirrors the way burst is separated from sustained in an EPS matter: the measure that matters is the load actually carried, not the maximum the topology could theoretically hold.
Hold the count to the role
With high availability more than most topics, the audit benefits from ambiguity about what a node is for. A node listed without its role looks like capacity. A node described by what it does in steady state looks like what it is. The defensive discipline is to insist that every node be characterised by role, to read the authorization for standby and failover rights, and to hold the count to the capacity actually consumed. Most of the reduction in a high availability matter comes from establishing that resilience nodes were built to protect a service, not to expand a licensed footprint, and that the finding measured the architecture rather than the entitlement.
Counted on every node in a resilient ArcSight deployment?
We map each node to its steady-state role, read the authorization for standby and failover rights, and reprice the finding against capacity actually consumed. To get a defense team on the file, open a case or download the ArcSight EPS defense briefing.
Related field notes
These notes from the ArcSight and Security audit defense cluster cover deployment, capacity, and measurement. Each links back to the complete OpenText audit defense playbook for 2026.
- ArcSight EPS burst versus sustained measurement
- how ArcSight non production and lab data is counted
- ArcSight transformation hub and event broker licensing
- reconciling ArcSight entitlements before an audit
- can OpenText measure peak EPS against your license
If an OpenText or Micro Focus audit notice has landed, the first seven days weigh more than any week that follows. OpenText Audit Defense is an independent, buyer-side practice founded in 2020 by former vendor compliance leadership. We have defended more than 200 audits, brought the average finding down by 68 percent, and mitigated more than $90M in claims against vendor positions. We do not resell OpenText software and we are not affiliated with OpenText Corporation. To open a case, use the contact form on this site.