This topic tells you how to configure a Local Collector to pull Events from a Remote Collector.
After completing this procedure, you will have configured a Local Collector to pull Events from a Remote Collector.
Configure Local Collector to Pull Events from Remote Collector
You can configure a Local Collector to pull event data from one or more Remote Collectors.
The following figures show you how to configure a Local Collector to pull events from a Remote Collector.
Access the Services view.
Select a Log Collector service.
Click under Actions and select View > Config to display the Log Collection configuration parameter tabs.
Select the Remote Collectors tab and click to display the Add Source dialog.
Specify a Remote Collector from which the Local Collector pulls events. Specify the Collection protocols to pull.
The newly added Remote Collector displays in the Remote Collector tab.
Configure the Selected Local Collector to Pull Events from Specified Remote Collector
- In the Security Analytics menu, select Administration > Services.
- In Services, select a Local Collector.
- Click under Actions and select View > Config.
The Service Config view is displayed with the Log Collector General tab open.
- Click the Settings tab.
- Select the Remote Collectors tab.
- Click .
The Add Source dialog displays.
In the Add Source dialog:
- Select a Remote Collector from the drop-down list.
- Select one or more collection protocols.
Note: If you do not select a collection protocol, the Local Collector pulls all collection protocols from the Remote Collector.
- Click OK.
The Remote Collector is added to the Remote Collector section. When the Log Collector starts collecting data, it pulls event data from this Remote Collector.
The following tab shows File as the only protocol selected.
The following tab shows all protocols selected. Security Analytics selects all protocols if you leave the Collections field blank.
Note: RabbitMQ may drop events between a Remote Collector and a Local Collector when bandwidth is low, because it then uses a large amount of memory, which sets off memory_alarm. For more information on this RabbitMQ behaviour, refer to https://www.rabbitmq.com/blog/2012/05/11/some-queuing-theory-throughput-latency-and-bandwidth/.
Reference - Remote/Local Collectors Configuration Parameters Interface