Multiple log decoders and concentrators versus log collectors in a multi-site environment?
I am planning an architecture for a multi-site (spanning multiple countries and datacenters) deployment. What are the most critical differences in...
- deploying log decoders and concentrators per site, and
- deploying only a single log decoder and a concentrator, while handling the sites through remote log collectors?
- Log Collector
- Log Decoder
- RSA NetWitness
- RSA NetWitness Platform
It depends upon the requirement. If the multiple sites don't have too much load in the event source integration, and a VLC can handle the load of the logs, and afterwards the log decoder and concentrator are also able to take the load of the EPS, then a VLC is okay.
But as you mentioned that there are many countries involved, I would recommend that you please check the compliance requirement first, because many countries have compliance rules that you can't share their data with some other country, and also it can't be reviewed.
Check the customer requirements first; if they are okay with this, then you can look at the best possible option.
Another thing to consider is network performance between sites.
If you have concentrators and decoders on remote sites and a slow network, the user experience when investigating will be very poor.
I would suggest remote log collectors at each site and a central core of decoders.
You can load balance events from remote log collectors to multiple decoders to share the load.
A lot will depend on
- where your users will be investigating from
Another valid use case for VLC deployment in remote sites / zones is to prevent having to open various FW ports at each site for the log collection for the various event sources back to the central Log Decoder. With VLCs, you can collect locally then open the management and RabbitMQ ports required for the SA-specific components to communicate.
I agree with Deepanshu, David and Naushad with these considerations. Deepanshu raises a very key point about compliance and national boundaries. This is an important consideration in the architecture planning. You don't want to go too far down the hardware/VM path before you know what data must stay within national boundaries.
In my experience many companies don't adequately consider VLCs in their architecture and focus simply on local log collectors and hybrid devices. The load balancing capabilities are extremely valuable, along with the ability to minimize log collection loss during maintenance and upgrades to the core devices.