Configure Local and Remote Collectors

This topic describes how to configure Local and Remote Collectors.

When you deploy Log Collection, you must configure the Log Collectors to collect the log events from various event sources, and to deliver these events reliably and securely to the Log Decoder service, where the events are parsed and stored for subsequent analysis.

You can configure one or more Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from one or more Remote Collectors.

This topic describes how to:

  • Configure Local Collector to Pull Events from Remote Collector

    If you want a Local Collector to pull events from a Remote Collector, you set this up in the Remote Collectors tab of the Local Collector's Configuration view.

  • Configure Remote Collector to Push Events to Local Collectors

    If you want a Remote Collector to push events to a Local Collector, you set this up in the Local Collector tab of the Remote Collector's Configuration view. In the Push configuration, you can also:

    • Configure Failover Local Collector for Remote Collector

      You set up a destination made up of Local Collectors. When the primary Local Collector is unreachable, the Remote Collector attempts to connect to each Local Collector in this destination until it makes a successful connection.

    • Configure Replication

      You set up multiple destination groups so that NetWitness replicates the event data in each group. If the connection to one of the destination groups fails, you can recover the required data because it is replicated in the other destination group.

    • Configure Log Routing for Specific Protocols

      You set up multiple destinations in a destination group to direct event data to specific locations according to protocol type.

  • Configure Chain of Remote Collectors

    You can set up a chain of Remote Collectors to push event data to a Local Collector, or you can configure a Local Collector to pull event data from a chain of Remote Collectors.

    • You can configure one or more Remote Collectors to push event data to a Remote Collector.
    • You can configure a Remote Collector to pull event data from one or more Remote Collectors.

Failover, Replication and Load Balancing

This section describes how failover, replication, and load balancing work in NetWitness.

The following figure illustrates a Remote Collector configured for load balancing, failover and replication.

[Figure: Remote Collector configured for load balancing, failover and replication]

  • Failover is achieved by setting up multiple collectors in the same Destination. Destination 1 has a primary Collector and a second, failover Collector. This is done in NetWitness by adding multiple Log Collectors to the same Destination.

    [Figure: failover configuration for Destination 1]

    Since 10.101.214.8 is listed first, that becomes the primary collector, and 10.101.214.9 becomes the failover. To make 10.101.214.9 the primary, use the up arrow to change the order.

    Below, you can see the two collectors both listed for Destination 1. The primary (10.101.214.8) is in bold.

    [Figure: Destination 1 with both collectors listed]

  • Replication is accomplished by having multiple Destination Groups: each group receives the entire set of message data.

    [Figure: replication across Destination Groups]

    In the following screen, you can see that message data is sent to the collectors in Group 1 and Group 2.

    [Figure: message data sent to Group 1 and Group 2]

  • Load balancing is achieved by setting up multiple Destinations within a Group.

    [Figure: load balancing across Destinations within a Group]

    In the following screen, you can see that Group 1 has two destinations, Destination 1 and Destination 2. The message data is divided up equally among the Destinations in the group.

    [Figure: Group 1 with Destination 1 and Destination 2]

    With two Destinations, each destination receives half the message data. With three Destinations, each would receive 1/3 of the total message data. Keep adding Destinations to further reduce the load on the collectors in each destination.

Note: You can also set up log routing so that event data for specific protocols is sent to specific destinations.
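
The three behaviours above can be modelled in a few lines to check what a given topology does when collectors become unreachable. This is an added example, not NetWitness code or configuration: the `route` and `pick_collector` functions, the round-robin split, the handling of a Destination with no reachable collector, and every address other than 10.101.214.8 and 10.101.214.9 are assumptions made for illustration.

```python
from collections import Counter

# Constructed topology mirroring the description above: two Destination
# Groups (replication), two Destinations in Group 1 (load balancing), and an
# ordered collector list per Destination (failover). Only 10.101.214.8 and
# 10.101.214.9 come from the page; the other addresses are made up.
TOPOLOGY = {
    "Group 1": {
        "Destination 1": ["10.101.214.8", "10.101.214.9"],
        "Destination 2": ["192.0.2.21", "192.0.2.22"],
    },
    "Group 2": {
        "Destination 1": ["192.0.2.31"],
    },
}


def pick_collector(collectors, reachable):
    """Failover: first collector in list order that is reachable, else None."""
    return next((c for c in collectors if c in reachable), None)


def route(events, topology, reachable):
    """Return {group: Counter(collector -> number of events delivered)}.

    Every group receives every event (replication). Within a group, events
    are spread over its Destinations round-robin (assumed; the page only says
    "equally"). Events whose Destination has no reachable collector are
    counted under the key None; this model does not rebalance them.
    """
    delivered = {group: Counter() for group in topology}
    for i, _event in enumerate(events):
        for group, destinations in topology.items():
            names = list(destinations)
            dest = names[i % len(names)]
            delivered[group][pick_collector(destinations[dest], reachable)] += 1
    return delivered


ALL_UP = {c for g in TOPOLOGY.values() for d in g.values() for c in d}
EVENTS = [f"event-{n}" for n in range(100)]  # constructed sample events

if __name__ == "__main__":
    print(route(EVENTS, TOPOLOGY, ALL_UP))
    print(route(EVENTS, TOPOLOGY, ALL_UP - {"10.101.214.8"}))
```

Running it with the primary removed from the reachable set shows Destination 1's share moving to 10.101.214.9, while Group 2 still holds a full copy of the data.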

Configure a Local Collector or Remote Collector

You choose the Log Collector, that is a Local Collector (LC) or Remote Collector (RC), for which you want to define deployment parameters in the Services view. The following procedure shows you how to navigate to the Services view, select a Local or Remote Collector, and display the deployment parameter interface for that service.

To configure a Local Collector or Remote Collector:

  1. Go to Admin > Services.
  2. Select a Local or Remote Log Collection service.
  3. Under Actions, select the Actions icon > View > Config to display the Log Collection configuration parameter tabs.
  4. Depending on your selection in step 2:

    • If you selected a Local Collector, the Remote Collectors tab is displayed. Select the Remote Collectors from which the Local Collector pulls events in this tab.
    • If you selected a Remote Collector, the Local Collectors tab is displayed. Select the Local Collectors to which the Remote Collector pushes events in this tab.

Remote Collectors Tab

The following figure depicts the Remote Collectors tab for a Local Collector that is configured to pull events from a Remote Collector. NetWitness displays this tab when you have selected a Local Collector in Admin > Services.

[Figure: Remote Collectors tab]

Local Collectors Tab for a Remote Collector

The following figure depicts a Local Collectors tab for a Remote Collector that is configured to push events to a Local Collector or another Remote Collector.

[Figure: Local Collectors tab, push configuration]

The following figure depicts the Local Collectors tab for a Remote Collector that is configured to pull events from a Remote Collector. NetWitness displays this tab when you have selected a Remote Collector in Admin > Services.

[Figure: Local Collectors tab, pull configuration]

Parameters

Remote/Local Collectors Configuration Parameters