I just wanted a clearer understanding of the flow of raw logs and metadata and how and where they're stored within the RSA SA architecture componentry.
My current understanding is that the raw logs are sent via the VLCs to the Log Decoder. They are processed by the built-in Log Collector service on the Log Decoder before being parsed, is that right? Or are they sent directly for parsing to the Log Decoder from the VLCs?
Now, once parsed, the raw logs are stored on the Decoder as well as sent to the Archiver (if deployed and configured), and the metadata (metakey + metavalue) is sent to the Concentrator for indexing.
At the Concentrator, the metadata is stored and indexed, and then sent to the ESA (if deployed and configured), where alerts are generated and stored.
In summary, here's my understanding of storage on each component.
1. Raw logs are stored on the Decoder and Archiver only
2. Metadata is stored on the Concentrator only
3. Correlation alerts are stored on ESA only
4. Basic alerts are stored on the Decoder only
5. The Broker does not store raw logs, metadata or alerts
However, if the above is true, my question is when we investigate via the SA console and select a Concentrator, how do we get a raw log view of the event, if the Concentrator doesn't store raw logs?