Configure Local and Remote Collectors

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.
Version 7
  

This topic tells you how to configure Local and Remote Collectors.

When you deploy Log Collection, you must configure the Log Collectors to collect the log events from various event sources, and to deliver these events reliably and securely to the Log Decoder host, where the events are parsed and stored for subsequent analysis.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

This topic tells you how to:

  • Configure Local Collector to Pull Events from Remote Collector
    If you want a Local Collector to pull events from a Remote Collector, you set this up in the Remote Collectors tab of the Local Collector's Configuration view.
  • Configure Remote Collector to Push Events to Local Collectors
    If you want a Remote Collector to push events to a Local Collector, you set this up in the Local Collector tab of the Remote Collector's Configuration view. In the Push configuration, you can also:
    • Configure Failover Local Collector for Remote Collector

      You set up a destination made up of Local Collectors. When the primary Local Collector is unreachable, the Remote Collector attempts to connect to each Local Collector in this destination until it makes a successful connection.

    • Configure Replication

      You set up multiple destination groups so that NetWitness replicates the event data in each group. If the connection to one of the destination groups fails, you can recover the required data because it is replicated in the other destination group.

    • Configure Log Routing for Specific Protocols

      You set up multiple destinations in a destination group to direct event data to specific locations according to protocol type.

  • Configure Chain of Remote Collectors

    You can set up a chain of Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from a chain of Remote Collectors.

    • One or more Remote Collectors to push event data to a Remote Collector.
    • A Remote Collector to pull event data from one or more Remote Collectors.

Failover, Replication and Load Balancing

This section describes how failover, replication, and load balancing work in RSA NetWitness Suite.

The following figure illustrates a Remote Collector configured for load balancing, failover and replication.

Example illustrates a Remote Collector configured for load balancing, failover, and replication.

  • Failover is achieved by setting up multiple collectors in the same Destination. Destination 1 has a primary Collector and a second, failover Collector. This is done in NetWitness Suite by adding multiple Log Collectors to the same Destination.

    Example shows multiple Log Collector addresses that correspond to the same destination.

    Since 10.101.214.8 is listed first, that becomes the primary collector, and 10.101.214.9 becomes the failover. To make 10.101.214.9 the primary, use the up arrow to change the order.

    Below, you can see the two collectors both listed for Destination 1. The primary (10.101.214.8) is in bold.

      Example shows two Log Collectors listed for Destination 1.

  • Replication is accomplished by having multiple Destination Groups: each group receives the entire set of message data.

    Example of replication that is accomplished by having multiple Destination Groups.

    In the following screen, you can see that message data is sent to the collectors in Group 1 and Group 2.

    Example of message data that is sent to collectors in Group 1 and Group 2.

  • Load balancing is achieved by setting up multiple Destinations within a Group.

    In the following screen, you can see that Group 1 has two destinations, Destination 1 and Destination 2. The message data is divided up equally among the Destinations in the group.

    Message data is divided up equally among the Destinations in the group.

    With two Destinations, each destination receives half the message data. With three Destinations, each would receive 1/3 of the total message data. Keep adding Destinations to further reduce the load on the collectors in each destination.

Note: You can also set up log routing so that event data for specific protocols is sent to specific destinations.
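The three behaviours above can be checked against a planned topology before it is built in the UI. The following is an added example, not RSA code: it models groups, destinations, and ordered collector lists, then shows which collectors receive each message when some are unreachable. Assumptions: the equal split is modelled as round-robin, a message is recorded as undelivered when every collector in its destination is down, and all addresses other than 10.101.214.8 and 10.101.214.9 are constructed.

```python
from itertools import cycle

# Constructed topology: group -> destination -> collectors in listed order.
# Only 10.101.214.8 (primary) and 10.101.214.9 (failover) come from the page.
TOPOLOGY = {
    "Group 1": {
        "Destination 1": ["10.101.214.8", "10.101.214.9"],
        "Destination 2": ["192.0.2.10"],
    },
    "Group 2": {
        "Destination 3": ["192.0.2.20", "192.0.2.21"],
    },
}

def pick_collector(collectors, down):
    """Failover: the first reachable collector in listed order, else None."""
    return next((c for c in collectors if c not in down), None)

def route(messages, topology, down=frozenset()):
    """Return ({collector: [messages]}, [(group, destination, message) undelivered])."""
    delivered, lost = {}, []
    # One rotation per group; round-robin is an assumption for "divided equally".
    rotations = {g: cycle(dests.items()) for g, dests in topology.items()}
    for msg in messages:
        # Replication: every group receives every message.
        for group, rotation in rotations.items():
            # Load balancing: each message goes to one destination in the group.
            dest_name, collectors = next(rotation)
            target = pick_collector(collectors, down)
            if target is None:
                # Assumption: no reachable collector means this copy is not delivered.
                lost.append((group, dest_name, msg))
            else:
                delivered.setdefault(target, []).append(msg)
    return delivered, lost

def destinations_without_failover(topology):
    """Destinations with a single collector have nothing to fail over to."""
    return [(g, d) for g, dests in topology.items()
            for d, cs in dests.items() if len(cs) < 2]

if __name__ == "__main__":
    got, missing = route(range(6), TOPOLOGY, down={"10.101.214.8", "192.0.2.10"})
    print("delivered:", got)
    print("undelivered copies:", missing)
    print("no failover:", destinations_without_failover(TOPOLOGY))
```

In this constructed topology, losing the only collector in Destination 2 drops half of Group 1's copies, but Group 2 still holds the full set, which is the recovery path replication provides.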

Configure a Local Collector or Remote Collector

In the Services view, you choose the Log Collector, that is, a Local Collector (LC) or Remote Collector (RC), for which you want to define deployment parameters. The following procedure shows you how to navigate to the Services view, select a Local or Remote Collector, and display the deployment parameter interface for that service.

To configure a Local Collector or Remote Collector:

  1. Go to ADMIN > Services.
  2. Select a Local or Remote Log Collection service.
  3. Under Actions, select   > View > Config to display the Log Collection configuration parameter tabs.
  4. Depending on your selection in step 2:

    • If you selected a Local Collector, the Remote Collectors tab is displayed. Select the Remote Collectors from which the Local Collector pulls events in this tab.
    • If you selected a Remote Collector, the Local Collectors tab is displayed. Select the Local Collectors to which the Remote Collector pushes events in this tab.

Remote Collectors Tab

The following figure depicts the Remote Collectors tab for a Local Collector that is configured to pull events from a Remote Collector. NetWitness Suite displays this tab when you have selected a Local Collector in Admin > Services.

Example of the Remote Collectors tab.

Local Collectors Tab for a Remote Collector

The following figure depicts a Local Collectors tab for a Remote Collector that is configured to push events to a Local Collector or another Remote Collector.

Example of the Local Collectors tab.

The following figure depicts the Local Collectors tab for a Remote Collector that is configured to pull events from a Remote Collector. NetWitness Suite displays this tab when you have selected a Remote Collector in Admin > Services.

Example of the Remote Collectors tab.

Parameters

Remote/Local Collectors Configuration Parameters
