Broker and Concentrator Basics

Document created by RSA Information Design and Development on Sep 14, 2017Last modified by RSA Information Design and Development on Sep 18, 2017
Version 4Show Document
  • View in full screen mode

Concentrators and Brokers aggregate data captured or aggregated by other services unlike Decoders, which capture data,

NetWitness Suite supports the Broker and Concentrator services:

  • Brokers - aggregate data across entire infrastructure from configured Concentrators. You can have multiple concentrators aggregating into one broker. You can also have multiple brokers aggregating into a single broker.
  • Concentrators - aggregates and analyzes data across multiple capture locations from Decoders. Indexes and directs queries.

You can configure various Brokers and Concentrators together under a Broker. Brokers are able to pull in data quickly from the Concentrators because they acquire index information only. This configuration is done using the NetWitness Suite user interface. Most of the configuration is performed in the Administration Services view (Admin > Services).

For most Configuration tasks, click Admin > Services

You can also configure the aggregate services and perform the whole aggregation process using the Services view. This helps setup Aggregation autostart, Timing and performance parameters, maximum number of open meta and session files. In addition to this, you can also time the attempts to restart, reconnect, or take offline a non-responsive aggregate service. Configuring Aggregate services includes managing Concentrators and Decoders as aggregate services. You can also limit the data being consumed from an aggregate service using meta fields and filters. The aggregation tasks are performed in the General tab of Administration Services view (Admin > Services).

Aggregate tasks are under General tab



You are here
Table of Contents > Broker and Concentrator Basics