So I am now asked to introduce a Logger appliance in a proposal where I have Express as the manager. I have 2 agent servers reporting from tier 2 data centers to the main data center, which has one agent server (to collect logs inside the DC itself) and one Express manager to receive logs from the 3 agents, correlate, and alert.
Option 1: Should I introduce the Logger in-line in the architecture, so that all agents send logs to the Logger, which in turn passes the logs to Express?
(My observation: Con: the Logger becomes a single point of failure. Pro: only one copy of the logs is sent from the agents over the WAN, so it is bandwidth-efficient.)
Option 2: Should I introduce the Logger in parallel with Express, so that all agents send two copies of the logs, one to the Logger and the other to Express?
(My observation: Pro: redundancy to some extent, even if one of the components, Express or Logger, fails. Con: two copies of the logs have to be sent over the WAN.)
Any other factors to be considered? Also, if I go for Option 2, is it possible to apply two different filters in the same connector instance, so that the Logger receives all logs (for the compliance requirement) while Express receives only the logs that are needed for correlation from an InfoSec point of view?