Broker and Concentrator Basics

Concentrators and Brokers aggregate data captured or aggregated by other services unlike Decoders, which capture data.

NetWitness supports the following Broker and Concentrator services:

  • Brokers - aggregate data across entire infrastructure from configured Concentrators. You can have multiple concentrators aggregating into one broker. You can also have multiple brokers aggregating into a single broker.
  • Concentrators - aggregates and analyzes data across multiple capture locations from decoders, indexes and directs queries.

You can configure various Brokers and Concentrators together under a Broker. Brokers are able to pull in data quickly from the Concentrators because they acquire index information only. This configuration is done using the NetWitness user interface. Most of the configuration is performed in the Administration Services view ( netwitness_adminicon_25x22.png (Admin) > Services).

netwitness_121_adminservices_brcrcon_1122.png

You can also configure the aggregate services and perform the whole aggregation process using the Services view. This helps setup aggregation autostart, timing and performance parameters, maximum number of open meta and session files. In addition to this, you can also time the attempts to restart, reconnect, or take a non-responsive aggregate service offline. Configuring Aggregate services includes managing Concentrators and Decoders as aggregate services. You can also limit the data being consumed from an aggregate service using meta fields and filters. The aggregation tasks are performed in the General tab of Administration Services view ( netwitness_adminicon_25x22.png (Admin) > Services).