Is it possible to deploy an SA ecosystem with zero concentrators? My suggestion/use case would be the following:
- n log decoders,
- 1 archiver
- 1 broker
First of all, am I able to aggregate sessions from multiple log decoders should n > 1? Second, would I be able to minimize storage requirements this way, since I would not have to store a long-term packetdb on the log decoder, because the archiver stores raw logs as well? Third, is the broker necessary? I included it only because if one manually navigates to Investigate - at least in 10.5.1 - the service selection for investigation does not include archivers (however, choosing Investigate for an archiver IS possible, at least via the services dashlet, which is included in the default dashboard).
Basically, the only drawback I can think of is that with an archiver I am not able to separate the index onto SSDs even if I wanted to. Are there really any other downsides to going with an archiver instead of a concentrator? I am of course presuming that the performance setback of the compression is accepted as part of the solution.