When you deploy Log Collection, you must configure the Log Collectors to collect the log events from various event sources, and to deliver these events reliably and securely to the Log Decoder host, where the events are parsed and stored for subsequent analysis.
You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.
This topic tells you how to:
- Pull Events from Remote Collector
  If you want a Local Collector to pull events from a Remote Collector, you set this up in the Remote Collectors tab of the Local Collector's Configuration view.
- Push Events to Local Collectors
  If you want a Remote Collector to push events to a Local Collector, you set this up in the Local Collectors tab of the Remote Collector's Configuration view. In the Push configuration, you can also:
  - Configure Failover Local Collector
    You set up a destination made up of Local Collectors. When the primary Local Collector is unreachable, the Remote Collector attempts to connect to each Local Collector in this destination until it makes a successful connection.
  - Configure Log Routing for Specific Protocols
    You set up multiple destinations in a destination group to direct event data to specific locations according to protocol type.
  - Configure Replication
    You set up multiple destination groups so that Security Analytics replicates the event data in each group. If the connection to one of the destination groups fails, you can recover the required data because it is replicated in the other destination group.
- Configure Chain of Remote Collectors
  You can set up a chain of Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from a chain of Remote Collectors. In a chain, you configure:
  - One or more Remote Collectors to push event data to a Remote Collector.
  - A Remote Collector to pull event data from one or more Remote Collectors.
Failover and Replication
The following figure illustrates a Remote Collector configured for failover and replication.
In Destination Group 1, LC-2 and LC-3 are the failover Local Collectors configured for LC-1. If the Remote Collector cannot connect to LC-1 for some reason, it attempts to connect to LC-2 or LC-3 until it makes a successful connection.
Destination Group 1 and Destination Group 2 are configured for replication. If the Local Collector in Destination Group 1 fails, you can use the data replicated in the Local Collector in Destination Group 2.
Note: You can also set up log routing so that event data for specific protocols is sent to specific destinations.
For more information, see Configure Log Routing for Specific Protocols.
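The delivery semantics described above (failover inside a destination group, replication across destination groups, and protocol-based routing) can be hard to reason about from the figure alone, so the following added example models them as a small simulation. This is constructed illustration code, not Security Analytics code: the collector names LC-1 through LC-5, the `DestinationGroup`/`RemoteCollector` classes, the `protocols` routing filter and the sample events are all assumptions made for the example. It goes slightly beyond the figure by adding a third group that only accepts one protocol, to show how routing and replication interact.

```python
"""Model of Remote Collector push delivery: failover within a destination group,
replication across groups, and routing of specific protocols to specific groups.
Constructed illustration; not Security Analytics code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class LocalCollector:
    name: str
    reachable: bool = True
    received: List[dict] = field(default_factory=list)


@dataclass
class DestinationGroup:
    """Ordered Local Collectors: the first is primary, the rest are failover."""
    name: str
    collectors: List[LocalCollector]
    # Protocols this group accepts; None means every protocol (assumed routing model).
    protocols: Optional[Set[str]] = None

    def accepts(self, event: dict) -> bool:
        return self.protocols is None or event["protocol"] in self.protocols

    def deliver(self, event: dict) -> Optional[str]:
        """Failover: try each collector in order, return the first that is reachable,
        or None when every collector in the group is down."""
        for lc in self.collectors:
            if lc.reachable:
                lc.received.append(event)
                return lc.name
        return None


class RemoteCollector:
    def __init__(self, groups: List[DestinationGroup]):
        self.groups = groups

    def push(self, event: dict) -> Dict[str, Optional[str]]:
        """Replication: send the event to every group whose routing matches.
        Returns {group name: collector that stored it, or None if the group was unreachable}."""
        return {g.name: g.deliver(event) for g in self.groups if g.accepts(event)}


def stored_copies(collectors: List[LocalCollector], event_id: str) -> int:
    """Count how many Local Collectors hold a copy of the event (its recoverable replicas)."""
    return sum(1 for lc in collectors for e in lc.received if e["id"] == event_id)


def build_example():
    # Constructed topology: Group 1 has failover (LC-1 primary, LC-2 and LC-3 standby),
    # Group 2 is the replica, Group 3 receives only "windows" events.
    lcs = [LocalCollector(f"LC-{i}") for i in range(1, 6)]
    groups = [
        DestinationGroup("Destination Group 1", lcs[0:3]),
        DestinationGroup("Destination Group 2", [lcs[3]]),
        DestinationGroup("Destination Group 3", [lcs[4]], protocols={"windows"}),
    ]
    return RemoteCollector(groups), lcs


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Walk through outages and return the delivery outcome of each constructed event."""
    rc, lcs = build_example()
    results = {}
    results["e1"] = rc.push({"id": "e1", "protocol": "syslog"})   # all reachable
    lcs[0].reachable = False                                       # LC-1 goes down
    results["e2"] = rc.push({"id": "e2", "protocol": "syslog"})   # failover to LC-2
    lcs[1].reachable = False                                       # LC-2 also down
    lcs[3].reachable = False                                       # whole Group 2 down
    results["e3"] = rc.push({"id": "e3", "protocol": "syslog"})   # LC-3 holds the only copy
    results["e4"] = rc.push({"id": "e4", "protocol": "windows"})  # also routed to Group 3
    results["copies"] = {eid: stored_copies(lcs, eid) for eid in ("e1", "e2", "e3", "e4")}
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `copies` entry is the point of the exercise: while both groups are reachable an event exists twice, and once a whole group is down (e3) only the surviving group holds it, which is exactly the case replication is meant to cover.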
You choose the Log Collector, that is, a Local Collector (LC) or a Remote Collector (RC), for which you want to define deployment parameters in the Services view. The following procedure shows you how to navigate to the Services view, select a Local or Remote Collector, and display the deployment parameter interface for that service.
- In the Security Analytics menu, select Administration > Services.
- Select a Log Collector service.
- Click under Actions and select View > Config to display the Log Collection configuration parameter tabs.
- Depending on the log collector service you selected in step 2:
  - Local Collector: the Remote Collectors tab is displayed. In this tab, select the Remote Collectors from which the Local Collector pulls events.
  - Remote Collector: the Local Collectors tab is displayed. In this tab, select the Local Collectors to which the Remote Collector pushes events.