Log Collection Deployment: Pull Events from Remote Collector

Document created by RSA Information Design and Development on Mar 23, 2017
Last modified by RSA Information Design and Development on May 4, 2017
Version 4


This topic tells you how to configure a Local Collector to pull Events from a Remote Collector.

After completing this procedure, you will have configured a Local Collector to pull Events from a Remote Collector.

Configure Local Collector to Pull Events from Remote Collector

You can configure a Local Collector to pull event data from one or more Remote Collectors.

The following figure shows you how to configure a Local Collector to pull events from a Remote Collector.

AddRCLA1(simple).png

Access the Services view.

LCParamConfigNav.png

Select a Log Collector service.

Click AdvcdExpandBtn.PNG under Actions and select View > Config to display the Log Collection configuration parameter tabs.

RCTab.png

Select the Remote Collectors tab and click Icon-Add.png to display the Add Source dialog.

Specify a Remote Collector from which the Local Collector pulls events. Specify the Collection protocols to pull.

The newly added Remote Collector displays in the Remote Collectors tab.

Configure the Selected Local Collector to Pull Events from Specified Remote Collector

  1. In the Security Analytics menu, select Administration > Services.
  2. In Services, select a Local Collector.
  3. Click AdvcdExpandBtn.PNG under Actions and select View > Config.
    The Service Config view is displayed with the Log Collector General tab open.
  4. Click the Settings tab.
  5. Select the Remote Collectors tab.
  6. Click Icon-Add.png.
    The Add Source dialog displays.
  7. In the Add Source dialog:

    1. Select a Remote Collector from the drop-down list.
    2. Select one or more collection protocols.

      RCAddSrc.png

      Note: If you do not select a collection protocol, the Local Collector pulls all collection protocols from the Remote Collector.

    3. Click OK.

The Remote Collector is added to the Remote Collector section. When the Log Collector starts collecting data, it pulls event data from this Remote Collector.

The following tab shows File as the only protocol selected.


The following tab shows all protocols selected. Security Analytics selects all protocols if you leave the Collections field blank.

Note: RabbitMQ may drop events between a Remote Collector and a Local Collector because of low bandwidth, as it uses a large amount of memory and so sets off memory_alarm. For more information on this RabbitMQ behaviour, refer to https://www.rabbitmq.com/blog/2012/05/11/some-queuing-theory-throughput-latency-and-bandwidth/.

Parameters

Reference - Remote/Local Collectors Configuration Parameters Interface
