So I am now asked to introduce a Logger appliance in a proposal where I have Express as the manager. I have 2 agent servers reporting from tier 2 data centers to the main data center, which has one agent server (to collect logs inside the DC itself) and one Express manager to receive logs from the 3 agents, correlate, and alert.
Option 1: Should I introduce the Logger in-line in the architecture, so that all agents send logs to the Logger, which in turn passes the logs to the Express?
(My observation: Con: the Logger becomes a single point of failure. Pro: only one copy of the logs is sent from the agents via the WAN, so it is bandwidth efficient.)
Option 2: Should I introduce the Logger in parallel with the Express, so that all agents send two copies of the logs, one to the Logger and the other to the Express?
(My observation: Pro: redundancy to some extent, even if one of the components among the Express and the Logger fails. Con: two copies of the logs have to be sent via the WAN.)
Any other factors to be considered? Also, if I go for Option 2, is it possible to apply two different filters in the same connector instance, so that the Logger receives all logs (for a compliance requirement) while the Express receives only the logs that are needed for correlation from an InfoSec point of view?
Apologies for the slip. I have never used the "Modify Destination Settings" option in a connector agent setup. Thanks a lot; now I understand that the same instance can send different sets of logs to different destinations using different filters (I like twisting).
Yes, I used manager as a loose term to indicate the Logger.
You have given a detailed and thorough solution to my situation. Hats off to you! After reading your response I feel I have miles to go before sleep!
I would definitely use your suggestion for subsequent assignments.
Is there a possibility of tagging multiple "Correct Answers"? In this case, I am tagging this response as it is the best answer, but all the others have given correct answers and directions for me. I am grateful to all of them.
I'm glad, Suresh. But you need to keep this in mind: the above rule automation works on the Logger forwarding connector agent-down audit event. For a power failure, a crash, or glitches, if there is no audit event, the above solution won't make sense.
So better include an AL to monitor the event activity/connector status as well, to make this solution perfect.
I have a query with the approach that was followed.
If the Logger is down, connector 01, which is supposed to forward logs to the Logger primarily, will now start sending logs to the Express.
How do we make sure that the missing logs are synchronized between the Logger and the Express once the Logger is up and running?
My approach/solution: all the cached logs will be forwarded from the connector to the Logger once the Logger is up. Please confirm if this is correct.
Thanks in advance for your feedback.
My approach will take care of that. If the primary is down, the connector will cache the logs anyway until the Logger is up under the primary destination, and the Express will stop the secondary event flow from the connector once the Logger is up. There will be no missing logs there.
Logger forwarder issues will trigger the secondary flow to the Express.
And on the synchronization part, it will happen anyway, but there will be expected duplication, since the primary destination will cache and forward once the Logger is up.
An additional mechanism is required if there are no connector-down status events, or in the case of network fluctuations.