Log Collection Deploy: Configure Local and Remote Collectors

Document created by RSA Information Design and Development on Jul 29, 2016

When you deploy Log Collection, you must configure the Log Collectors to collect the log events from various event sources, and to deliver these events reliably and securely to the Log Decoder host, where the events are parsed and stored for subsequent analysis.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

This topic tells you how to:

  • Pull Events from Remote Collector
    If you want a Local Collector to pull events from a Remote Collector, you set this up in the Remote Collectors tab of the Local Collector's Configuration view.
  • Push Events to Local Collectors
    If you want a Remote Collector to push events to a Local Collector, you set this up in the Local Collector tab of the Remote Collector's Configuration view. In the Push configuration, you can also:
    • Configure Failover Local Collector
      You set up a destination made up of Local Collectors. When the primary Local Collector is unreachable, the Remote Collector attempts to connect to each Local Collector in this destination, in order, until it makes a successful connection.
    • Configure Log Routing for Specific Protocols
      You set up multiple destinations in a destination group to direct event data to specific locations according to protocol type.
    • Configure Replication
      You set up multiple destination groups so that Security Analytics replicates the event data in each group. If the connection to one of the destination groups fails, you can recover the required data because it is replicated in the other destination group.
  • Configure Chain of Remote Collectors
    You can set up a chain of Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from a chain of Remote Collectors. Within a chain you can configure:
    • One or more Remote Collectors to push event data to another Remote Collector.
    • A Remote Collector to pull event data from one or more Remote Collectors.

Failover and Replication

The following figure illustrates a Remote Collector configured for failover and replication.

In Destination Group 1, LC-2 and LC-3 are the failover Local Collectors configured for LC-1. If the Remote Collector cannot connect to LC-1 for some reason, the Remote Collector attempts to connect to LC-2 or LC-3 until it makes a successful connection.

Destination Group 1 and Destination Group 2 are configured for replication. If the Local Collector in Destination Group 1 fails, you can use the data replicated in the Local Collector in Destination Group 2.

Note: You can also set up log routing so that event data for specific protocols is sent to specific destinations.
For more information, see Configure Log Routing for Specific Protocols.

[Figure: Destination Groups diagram (v10.3_DestinationGroupsDiagram_LC-tce.png)]
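As an added illustration (not RSA product code), the following Python models the failover, replication and protocol-routing semantics described above. The collector names, the reachability state and the per-protocol route for Windows events are constructed assumptions; Security Analytics selects destinations by its own internal logic.

```python
from dataclasses import dataclass, field


@dataclass
class DestinationGroup:
    """One destination group: an ordered list of Local Collectors.

    The first entry is the primary; the rest are its failover collectors,
    tried in order. `routes` optionally maps a protocol name to its own
    ordered collector list (log routing for specific protocols).
    """
    collectors: list
    routes: dict = field(default_factory=dict)


def deliver(event, groups, reachable):
    """Push one event to every destination group (replication).

    Within each group, walk the collectors that accept the event's
    protocol and stop at the first one that is reachable (failover).
    Returns {group_index: collector_name_or_None}.
    """
    outcome = {}
    for idx, group in enumerate(groups):
        candidates = group.routes.get(event["protocol"], group.collectors)
        outcome[idx] = next((lc for lc in candidates if reachable.get(lc)), None)
    return outcome


def is_recoverable(outcome):
    """True if at least one destination group stored the event."""
    return any(lc is not None for lc in outcome.values())


# Constructed topology in the spirit of the figure: Destination Group 1 has
# LC-1 as primary with LC-2 and LC-3 as failovers; Destination Group 2
# replicates everything to LC-4 (LC-5 as its failover). Windows events in
# group 1 are routed to LC-3 only. These names and states are assumptions.
GROUPS = [
    DestinationGroup(["LC-1", "LC-2", "LC-3"], routes={"windows": ["LC-3"]}),
    DestinationGroup(["LC-4", "LC-5"]),
]
# Constructed reachability state: LC-1 is down.
REACHABLE = {"LC-1": False, "LC-2": True, "LC-3": True, "LC-4": True, "LC-5": True}

if __name__ == "__main__":
    for ev in ({"protocol": "syslog"}, {"protocol": "windows"}):
        out = deliver(ev, GROUPS, REACHABLE)
        print(ev["protocol"], out, "recoverable" if is_recoverable(out) else "LOST")
```

With LC-1 down, a syslog event lands on LC-2 (failover) and LC-4 (replica); only when every collector in every group is unreachable does `is_recoverable` report a loss.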

Procedure

In the Services view, you choose the Log Collector (a Local Collector (LC) or a Remote Collector (RC)) for which you want to define deployment parameters. The following procedure shows you how to navigate to the Services view, select a Local or Remote Collector, and display the deployment parameter interface for that service.

  1. In the Security Analytics menu, select Administration > Services.
  2. Select a Log Collector service.
  3. In the Actions column, select View > Config to display the Log Collection configuration parameter tabs.
  4. Depending on the Log Collector service you selected in step 2:
    • Local Collector: the Remote Collectors tab is displayed. In this tab, select the Remote Collectors from which the Local Collector pulls events.
    • Remote Collector: the Local Collectors tab is displayed. In this tab, select the Local Collectors to which the Remote Collector pushes events.