Log Collection Deployment: Configure Chain of Remote Collectors

Document created by RSA Information Design and Development on Nov 22, 2016. Last modified by RSA Information Design and Development on May 4, 2017.
Version 10

This topic describes how to chain Remote Collectors (also referred to as VLCs).

You can set up a chain of Remote Collectors in either of two ways:

  • Configure Remote Collectors to push event data to a Remote Collector.
  • Configure a Remote Collector to pull event data from one or more Remote Collectors.

Note: For Remote Collector chaining, you can only:
  • Push data from a 10.4 or later Remote Collector to other 10.4 or later Remote Collectors or 10.4 or later Local Collectors.
  • Use a 10.4 or later Remote Collector to pull data from one or more 10.4 or later Remote Collectors.

Procedures

Configure Remote Collector to Push Event Data to Remote Collector

You can configure a Remote Collector to push event data to a Remote Collector.

The following figure shows you how to configure a Remote Collector to push event data to a Remote Collector.

AddRCLA1(simple).png

Access the Services view.

RCParamConfigNav.png

Select a Remote Collector.

Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config to display the Log Collection configuration parameter tabs.

VLC_Chaining1.png

Select the Local Collectors tab, select Destinations in the Select Configurations drop-down menu, and click the Icon-Add.png icon in Destination Groups to display the Add Remote Destinations dialog.

Set up the Destination Groups.

Configure the Selected Remote Collector to Push Events to Specified Remote Collector

  1. In the Security Analytics menu, select Administration > Services.
  2. In Services, select a Remote Collector.
  3. Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config.
    The Log Collector Service Config view is displayed with the Log Collector General tab open.
  4. Select the Local Collectors tab.
  5. Select Destinations in the Select Configurations drop-down menu.
  6. In the Destination Groups panel section, select the Icon-Add.png icon.
    The Add Remote Destination dialog is displayed.
  7. Set up a Destination Group:
    1. Enter a Destination Name.
    2. (Optional) Enter a Group Name. If you leave Group Name blank, Security Analytics sets it to the value that you specified in Destination Name.
    3. Select one or more collection protocols in the Collections drop-down list.
    4. Under Log Collectors Addresses, click the Icon-Add.png icon to select a Remote Collector.

Note: If you do not select a collection protocol, the Remote Collector pushes all collection protocols to the Remote Collectors.

Configure Remote Collector to Pull Event Data from a Remote Collector

The following figure shows you how to configure a Remote Collector to pull events from a specified Remote Collector.

AddRCLA1(simple).png

Access the Services view.

RCParamConfigNav.png

Select a Remote Collector.

Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config to display the Log Collection configuration parameter tabs.

VLC_Chaining2.png

Select the Local Collectors tab, select Sources in the Select Configurations drop-down menu, and click the Icon-Add.png icon in Remote Collectors to display the Add Source dialog.

In the Add Source dialog, select the Remote Collector from which you want to pull events.

Configure the Selected Remote Collector to Pull Events from Specified Remote Collector

  1. In the Security Analytics menu, select Administration > Services.
  2. In Services, select a Remote Collector.
  3. Click the AdvcdExpandBtn.PNG icon under Actions and select View > Config.
    The Service Config view is displayed with the Log Collector General tab open.
  4. Select the Local Collectors tab.
  5. Select Sources in the Select Configurations drop-down menu.
  6. In the Remote Collectors panel, select the Icon-Add.png icon.
    The Add Source dialog is displayed.
  7. In the Add Source dialog:
    1. Select one or more collection protocols.
      If you do not select a collection protocol, the Remote Collector pulls all collection protocols from the Remote Collector.
    2. Click OK.

AddSrcRCPullRC.png
The Remote Collector is added to the Remote Collector section. When the Log Collector starts collecting data, it pulls event data from this Remote Collector.

Parameters

Reference - Remote/Local Collectors Configuration Parameters Interface
