Log Collection Architecture

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017.
Version 7

This topic describes how NetWitness Suite performs log collection.

How You Deploy Log Collection

You can deploy Log Collection according to the needs and preferences of your enterprise, including deploying it across multiple locations and collecting data from varying sets of event sources. You do this by setting up a Local Collector with one or more Remote Collectors.

Components of Log Collection

The following figure shows all the components involved in event collection through the NetWitness Suite Log Collector.

Example shows all the components involved in log collection through the NetWitness Suite.

Local and Remote Collectors

The following figure illustrates how the Local and Remote Collectors interact to collect events from all of your locations.

In this scenario, log collection over the various collection protocols (Windows, ODBC, and so on) is performed by both the Remote Collector and the Local Collector's Log Collector service. Events collected by the Local Collector are forwarded to the Log Decoder service, just as in a local deployment. Events collected by a Remote Collector are transferred to the Local Collector by one of two methods:

  • Pull Configuration - From a Local Collector, you select the Remote Collectors from which you want to pull events.
  • Push Configuration - From a Remote Collector, you select the Local Collector to which you want to push events.

Note: The typical use case is Push. Pull is available for environments with a DMZ, where firewall policy does not allow less secure network segments to initiate connections to more secure segments. With Pull, the Log Collector (or Virtual Log Collector) in the secure network initiates the connection to the VLC in the less secure network and retrieves the logs, so the event data still flows inward without violating the connection rules. In both modes the data travels from the Remote Collector to the Local Collector; what changes is which side opens the connection.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

Additionally, you can set up a chain of Remote Collectors for which you can configure:

  • One or more Remote Collectors to push event data to a Remote Collector.
  • A Remote Collector to pull event data from one or more Remote Collectors.

Example shows a Remote Collector pulling event data from one or more Remote Collectors.
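The connection-direction rule in the note above, together with the chained Remote Collector topologies just described, as an added example that is not part of the RSA documentation or the NetWitness product: a small planner that, given a firewall allow-list of which network segment may initiate connections to which, decides for every hop of a collector chain whether that hop must be configured as Push or Pull. The zone names, the policy, and the collector names are constructed assumptions; the code models no NetWitness port, service, or API.

```python
"""Push-or-pull planner for NetWitness Remote Collector chains.

Added illustration, not RSA code. It models the rule from the note above:
a connection may only be *initiated* in a direction the firewall policy
permits, while event data always flows from the sending collector to the
receiving one. Push means the sender opens the connection; Pull means the
receiver opens it and retrieves the events. Zone names and the policy below
are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Collector:
    name: str
    zone: str   # network segment the collector lives in (constructed names)
    kind: str   # "RC" for Remote Collector / VLC, "LC" for Local Collector


class FirewallPolicy:
    """Allow-list of (initiator_zone, target_zone) pairs.

    Connections within one zone are always allowed; everything else is denied
    unless listed. This mirrors the 'less secure may not connect to more
    secure' rule without hard-coding a trust ranking.
    """

    def __init__(self, allowed: Iterable[Tuple[str, str]]):
        self._allowed = set(allowed)

    def may_initiate(self, src_zone: str, dst_zone: str) -> bool:
        return src_zone == dst_zone or (src_zone, dst_zone) in self._allowed


def permitted_modes(policy: FirewallPolicy, sender: Collector, receiver: Collector) -> List[str]:
    """Transfer modes the policy allows for one hop (sender -> receiver).

    'push': sender initiates toward receiver.
    'pull': receiver initiates toward sender and retrieves the events.
    """
    modes = []
    if policy.may_initiate(sender.zone, receiver.zone):
        modes.append("push")
    if policy.may_initiate(receiver.zone, sender.zone):
        modes.append("pull")
    return modes


def choose_mode(policy: FirewallPolicy, sender: Collector, receiver: Collector) -> str:
    """Prefer Push (the typical case); fall back to Pull; fail if neither is allowed."""
    modes = permitted_modes(policy, sender, receiver)
    if not modes:
        raise ValueError(
            f"{sender.name} ({sender.zone}) cannot exchange events with "
            f"{receiver.name} ({receiver.zone}): no permitted initiation direction"
        )
    return modes[0]


def plan_chain(policy: FirewallPolicy, chain: List[Collector]) -> List[Tuple[str, str, str]]:
    """Plan every hop of a chain RC -> RC -> ... -> LC.

    Returns (sender, receiver, mode) per hop. Only the last element may be a
    Local Collector, matching the chaining rules described in the text.
    """
    if len(chain) < 2:
        raise ValueError("a chain needs at least one Remote Collector and one Local Collector")
    if chain[-1].kind != "LC" or any(c.kind != "RC" for c in chain[:-1]):
        raise ValueError("chain must be Remote Collectors ending in exactly one Local Collector")
    return [(a.name, b.name, choose_mode(policy, a, b)) for a, b in zip(chain, chain[1:])]


# Constructed policy: the corporate network may reach into the DMZ and out to a
# branch office; the branch may reach corp over its VPN; nothing in the DMZ may
# open a connection inward.
EXAMPLE_POLICY = FirewallPolicy({("corp", "dmz"), ("branch", "corp"), ("corp", "branch")})


def example_plans():
    """Two deployments from the text: a branch VLC (Push) and a DMZ VLC chained through a corp RC (Pull, then Push)."""
    lc = Collector("lc-hq", "corp", "LC")
    corp_rc = Collector("vlc-corp", "corp", "RC")
    branch_rc = Collector("vlc-branch", "branch", "RC")
    dmz_rc = Collector("vlc-dmz", "dmz", "RC")
    return {
        "branch": plan_chain(EXAMPLE_POLICY, [branch_rc, lc]),
        "dmz_chain": plan_chain(EXAMPLE_POLICY, [dmz_rc, corp_rc, lc]),
    }


if __name__ == "__main__":
    for label, hops in example_plans().items():
        print(label)
        for sender, receiver, mode in hops:
            print(f"  {sender} -> {receiver}: {mode}")
```

The planner prefers Push because that is the documented typical case, and only falls back to Pull when the policy forbids the sender from initiating; a hop with no permitted direction in either sense is reported as an error rather than silently planned, since no collector configuration can make that hop work without a firewall change.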

Windows Legacy Remote Collector

The RSA NetWitness® Suite Windows Legacy Collector is a Microsoft Windows-based remote log collector (RC) that can be installed in a Windows domain.

It supports collection from:

  • Windows 2003 and earlier event sources
  • NetApp ONTAP host evt files

The following figure illustrates the deployment required to collect events from Windows Legacy event sources.

Example illustrates the deployment required to collect events from Windows Legacy event sources.
