2022-10-16 01:18 AM
What is the general rule of thumb for deciding whether to use a log hybrid vs separate concentrator and decoder appliances?
I currently have an Endpoint log hybrid for all endpoint logs, but it's also being used for firewall, Active Directory, Azure etc. I'm looking to separate out the endpoint logs from non-endpoint logs and wanted to know what's the rule of thumb.
don't tell me it's 'professional services'
2022-10-19 10:40 AM
I don't think that there's a rule of thumb.
If you have a larger install base of endpoints, > 10k or so, I would send the other event sources to a different decoder.
It depends on the volume of the other traffic and whether you are consuming Windows logs from your endpoints.
2022-10-20 06:48 AM
We certainly are sending Windows logs from endpoints to the endpoint log hybrid along with Sysmon events.
My question was also referring to the use of separate decoder and concentrator appliances compared to log hybrids; I see a big 'single point of failure' in having everything going to a single virtual machine.