Log Collection Deployment: The Basics

Document created by RSA Information Design and Development on Oct 23, 2017

This topic outlines the basic procedures you complete to deploy Log Collection to meet the needs of your enterprise.

How You Deploy Log Collection

You can deploy Log Collection according to the needs and preferences of your enterprise. This includes deploying Log Collection across multiple locations and collecting data from varying sets of event sources. You do this by setting up a Local Collector with one or many Remote Collectors.

Components of Log Collection

The following figure shows all the components involved in event collection through the Security Analytics Log Collector.


For more information on Log Collector Event Source content, see the topic Configure Event Sources to Send Events to Security Analytics in the Log Collection Configuration Guide.

Local and Remote Collectors

The following figure illustrates how the Local and Remote Collectors interact to collect events from all of your locations.

In this scenario, log collection from various protocols like Windows, ODBC, and so on, is performed through both the Remote Collector and Log Collector service. If the log collection is done by the Local Collector, it is forwarded to the Log Decoder service, just like the local deployment scenario. If the log collection is done by a Remote Collector, there are two methods in which these are transferred to the Local Collector:

  • Pull Configuration - From a Local Collector, you select the Remote Collectors from which you want to pull events.
  • Push Configuration - From a Remote Collector, you select the Local Collector to which you want to push events.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

For 10.4 Remote Collector and later releases, you can set up a chain of Remote Collectors for which you can configure:

  • One or more Remote Collectors to push event data to a Remote Collector.
  • A Remote Collector to pull event data from one or more Remote Collectors.

Note: For Remote Collector chaining, you can only:

  • Push data from a 10.4 or later Remote Collector to other 10.4 or later Remote Collectors or 10.4 or later Local Collectors.
  • Use a 10.4 or later Remote Collector to pull data from one or more 10.4 or later Remote Collectors.
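
The push/pull and chaining rules above can be checked before a deployment is built. The following is an added example, not code from the RSA documentation or product: it validates a planned collector topology against those rules (chained links need 10.4 or later at both ends, a chained Remote Collector may only forward to a 10.4 or later Local Collector, and every Remote Collector must have a path to a Local Collector). Collector names, versions and links are constructed sample data.

```python
# Added example (not from the RSA documentation): a small checker for a planned
# Log Collection topology that applies the chaining rules stated on this page.
# Collector names, versions and links used with it are constructed sample data.

from collections import defaultdict

MIN_CHAIN_VERSION = (10, 4)   # Remote Collector chaining needs 10.4 or later


def parse_version(v):
    """'10.6.1' -> (10, 6, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def validate_topology(collectors, links):
    """collectors: name -> {"role": "remote"|"local", "version": "10.x"}
    links: (source, destination, "push"|"pull"); events flow source -> destination.
    Returns a list of problems; an empty list means the plan follows the rules."""
    problems = []
    feeds_into = defaultdict(list)   # forward edges: source -> [destinations]
    chained = set()                  # Remotes that receive from other Remotes
    for src, dst, mode in links:
        s, d = collectors[src], collectors[dst]
        if mode not in ("push", "pull"):
            problems.append(f"{src}->{dst}: unknown mode {mode!r}")
            continue
        if s["role"] != "remote":    # only Remote Collectors feed another collector
            problems.append(f"{src}->{dst}: only a Remote Collector can feed a collector")
            continue
        feeds_into[src].append(dst)
        if d["role"] == "remote":    # Remote -> Remote is chaining: 10.4+ at both ends
            chained.add(dst)
            for name, c in ((src, s), (dst, d)):
                if parse_version(c["version"]) < MIN_CHAIN_VERSION:
                    problems.append(f"{src}->{dst}: {name} is {c['version']}, chaining needs 10.4+")
    # A chained Remote Collector may only forward to a 10.4+ Local Collector.
    for name in chained:
        for dst in feeds_into[name]:
            d = collectors[dst]
            if d["role"] == "local" and parse_version(d["version"]) < MIN_CHAIN_VERSION:
                problems.append(f"{name}->{dst}: chained data needs a 10.4+ Local Collector")
    # Every Remote Collector must eventually reach a Local Collector (and so the Log Decoder).
    for name, c in collectors.items():
        if c["role"] != "remote":
            continue
        seen, stack = set(), [name]
        while stack:
            n = stack.pop()
            if collectors[n]["role"] == "local":
                break
            if n not in seen:
                seen.add(n)
                stack.extend(feeds_into[n])
        else:
            problems.append(f"{name}: no path to a Local Collector")
    return problems
```

A Remote Collector on 10.3 that is part of a chain is reported, as is any Remote Collector whose events never reach a Local Collector.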


Windows Legacy Remote Collector

The following figure illustrates the deployment required to collect events from Windows Legacy (Windows 2003/2000 and NetApp) event sources.

