A Distributed Architecture distributes functionalities across multiple locations for scalability, fault tolerance, and high availability. You can implement this type of architecture in Logpoint to distribute log collection, normalization, and analytics functionalities across various Logpoints, Syslog Forwarders, and Logpoint Collectors to create a Distributed Logpoint.
A Standalone Logpoint has all the functionalities, including log collection, normalization, and analytics, in a single Logpoint instance.
Standalone Logpoint
As more devices are added to a network, the Events Per Second (EPS) rise and produce a high volume of logs. As the log volume grows, you can scale vertically by adding more processing power, memory, and storage to the single instance. However, vertical scaling has limits, and it leaves the deployment with a single point of failure. For that reason, a distributed architecture is used to handle high volumes of logs and to increase fault tolerance.
Important
All Logpoints in a distributed architecture must have the same version of Logpoint installed.
A Distributed Syslog Forwarder distributes the functionality of Logpoint between a Syslog Forwarder and Logpoints. Devices in your network send logs to a Syslog Forwarder. The Syslog Forwarder collects and normalizes the logs and forwards them to a Logpoint via a TCP connection on port 514.
Distributed Syslog Forwarder Logpoint
To learn how to add a Syslog Forwarder to a Logpoint, go to Adding a Syslog Forwarder.
A Distributed Logpoint Collector distributes the functionality of a Logpoint between a Logpoint Collector and Logpoints. Devices in your network send logs to a Logpoint Collector, which then forwards them to a Logpoint over a VPN-connected network.
Distributed Logpoint Collector
To learn how to add a Logpoint Collector to a Logpoint, go to Configuring Distributed Collectors.
A Distributed Logpoint (DLP) distributes the functionality of a Standalone Logpoint across multiple Logpoints, Logpoint Collectors, and Syslog Forwarders. The key defining component of a Distributed Logpoint is the presence of a High Availability Logpoint. A High Availability Logpoint holds a duplicate of all configuration and logs, so that a failover copy exists if a Logpoint fails.
Distributed Logpoint
You can collect, index, and store logs in multiple Logpoints and search through them from a single main Logpoint, the Search Head. The Search Head performs analytics rather than log normalization or storage. It is primarily used to create dashboards and to monitor, configure, and analyze the logs on the connected Logpoints.
Distributed Logpoints, Distributed Syslog Forwarders, and Logpoint Collectors can be added or removed as needed to distribute functionality. The following diagram shows a full-fledged implementation with the various components working together.
Distributed Logpoint
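The constraints stated on this page (every Logpoint on the same version, a Syslog Forwarder sending to a Logpoint over TCP port 514, a Collector reaching its Logpoint over a VPN link, and a Distributed Logpoint needing a High Availability Logpoint and a Search Head) can be checked against a deployment inventory before a change is rolled out. The following Python script is an added example and is not Logpoint's own code or API: the Component schema, the role names, the version labels, and the two sample inventories are assumptions constructed for illustration, and the rule that forwarders and collectors must target a log-storing Logpoint rather than the Search Head is derived from the Search Head description above.

```python
"""Topology sanity checks for a Distributed Logpoint deployment (added example).

The inventory schema below is hypothetical: it is what an operator might keep
in a change-management record, not anything Logpoint itself exports.
"""
from dataclasses import dataclass
from typing import Optional

# Logpoints that normalize and store logs; the Search Head only runs analytics.
LOG_STORE_ROLES = {"logpoint", "ha_logpoint"}
ALL_LOGPOINT_ROLES = LOG_STORE_ROLES | {"search_head"}

# Transport each edge component is documented to use toward its Logpoint.
EXPECTED_TRANSPORT = {"syslog_forwarder": "tcp/514", "collector": "vpn"}


@dataclass
class Component:
    """One node in the inventory (assumed schema for this example)."""
    name: str
    role: str                          # logpoint | ha_logpoint | search_head | syslog_forwarder | collector
    version: Optional[str] = None      # Logpoint release running on the node
    forwards_to: Optional[str] = None  # name of the Logpoint that receives this node's logs
    transport: Optional[str] = None    # "tcp/514" for a Syslog Forwarder, "vpn" for a Collector


def check_topology(components: list[Component]) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []
    by_name = {c.name: c for c in components}

    # 1. All Logpoints in a distributed architecture must run the same version.
    logpoints = [c for c in components if c.role in ALL_LOGPOINT_ROLES]
    for lp in logpoints:
        if lp.version is None:
            findings.append(f"{lp.name}: Logpoint version not recorded")
    versions = {lp.version for lp in logpoints if lp.version is not None}
    if len(versions) > 1:
        findings.append(f"Logpoint version mismatch: {sorted(versions)}")

    # 2. Forwarders and Collectors must send to a storing Logpoint over the documented transport.
    for c in components:
        if c.role not in EXPECTED_TRANSPORT:
            continue
        target = by_name.get(c.forwards_to) if c.forwards_to else None
        if target is None:
            findings.append(f"{c.name}: forwards_to '{c.forwards_to}' is not in the inventory")
        elif target.role not in LOG_STORE_ROLES:
            findings.append(f"{c.name}: target {target.name} ({target.role}) does not normalize or store logs")
        if c.transport != EXPECTED_TRANSPORT[c.role]:
            findings.append(f"{c.name}: expected transport {EXPECTED_TRANSPORT[c.role]}, found {c.transport}")

    # 3. More than one Logpoint means a Distributed Logpoint, which needs an HA Logpoint and a Search Head.
    if len(logpoints) > 1:
        roles = {lp.role for lp in logpoints}
        if "ha_logpoint" not in roles:
            findings.append("Distributed Logpoint has no High Availability Logpoint")
        if "search_head" not in roles:
            findings.append("Distributed Logpoint has no Search Head")
    return findings


def healthy_inventory() -> list[Component]:
    """Constructed inventory that satisfies every check (version labels are placeholders)."""
    return [
        Component("lp-search", "search_head", version="release-A"),
        Component("lp-store-1", "logpoint", version="release-A"),
        Component("lp-ha", "ha_logpoint", version="release-A"),
        Component("fwd-1", "syslog_forwarder", forwards_to="lp-store-1", transport="tcp/514"),
        Component("col-1", "collector", forwards_to="lp-ha", transport="vpn"),
    ]


def broken_inventory() -> list[Component]:
    """Constructed inventory with a version skew, a forwarder aimed at the Search Head
    over the wrong transport, a collector pointing at an unknown node, and no HA Logpoint."""
    return [
        Component("lp-search", "search_head", version="release-A"),
        Component("lp-store-1", "logpoint", version="release-B"),
        Component("fwd-1", "syslog_forwarder", forwards_to="lp-search", transport="udp/514"),
        Component("col-1", "collector", forwards_to="lp-missing", transport="vpn"),
    ]


if __name__ == "__main__":
    for label, inventory in (("healthy", healthy_inventory()), ("broken", broken_inventory())):
        print(f"{label}:")
        for finding in check_topology(inventory) or ["no findings"]:
            print(f"  - {finding}")
```

Run the script against your own inventory by replacing the constructed lists; each finding maps to one of the requirements stated on this page, so an empty result means the planned layout at least matches the documented constraints before you involve support for the final design.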
Contact your regional sales representative or customer support for specific organizational implementations. They will give you options for the best implementation based on your network layout, devices, and availability requirements.
Using the Search Head, you can access and administer the following within a distributed Logpoint:
Permission Groups
Normalization Policies & Normalization Packages
Routing Policies
Log Collection Policies
Parsers
Distributed Collector and Distributed Logpoint
Devices and Device Groups
Label Packages
Search Templates
Macros
System Monitor
System Settings
Logpoint License, Open Door, Integrations
View Search Views and Packages
View Alert Rules
View Lists and Tables
View and create Dashboards
View and create users and user groups
View and update data privacy settings
Export data through Logpoint Sync
UEBA