A distributed setup usually means separating the indexing and search processes, so that data is indexed and searched on different machines. You can still obtain data from other LogPoints by using a search head, which runs searches across the indexes of the connected LogPoints.
In a distributed environment, you can connect multiple LogPoints operating in different modes and store the logs across all of them using the Distributed LogPoints (DLP) functionality. With DLP, you can also monitor, configure, and analyze the logs on the connected devices.
The following scenario demonstrates the Distributed LogPoint workflow:
You are operating two separate LogPoints, say, LP1 and LP2, with different privileges but running the same version of LogPoint. You can add LP2 as a Distributed LogPoint of LP1 if a user in LP1 has sufficient privilege to access the logs on LP2. This is done entirely from the LP1 machine. Users in LP1 can then search and create dashboards, alerts, and reports using the logs from any repo on either machine.
In this case, users in LP2 cannot view the logs in LP1 unless LP1 is explicitly added as a Distributed LogPoint of LP2.
You can also perform these actions from a machine that has the privilege to access another machine, using the DLP Selector in the top-right corner of the Divider Bar.
Distributed LogPoint Selector
Note
The DLP Selector is visible only on the Settings page, not on the Dashboard, Report, Search, and Incident pages.
LP1 and LP2 machines with log sources on both and users on only one
The above figure demonstrates a scenario where LP1 and LP2 are two separate machines with individual log sources, but with only one operating user.
Note
You can add two or more LogPoints as Distributed LogPoints of each other. In this case, the logs are accessible in both directions.
The names of each LogPoint node must be unique for a distributed deployment.
You can add any number of LogPoints as Distributed LogPoints to a LogPoint machine.
Four DLPs with a single search head
For instance, as shown in the above figure, if there are four LogPoints LP1, LP2, LP3, and LP4, you can add LP2, LP3, and LP4 as Distributed LogPoints of LP1. In this case, the logs from LP2, LP3, and LP4 are accessible at LP1.
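The scenarios above (LP1 reading LP2 but not the reverse, and a single search head fanning a query out over several DLPs) follow from one rule: a DLP relationship is one-directional and is only created when the requesting user already holds privilege on the remote node. The following is an added conceptual model of that rule, not LogPoint's own code or API; the node names, the `privileges` sets, the repo contents and the `add_dlp`/`search` method names are all constructed for illustration.

```python
"""Conceptual model of the Distributed LogPoint (DLP) access relationship.

Added illustration, not LogPoint's API: node names, the ``privileges``
mapping and the in-memory ``repos`` are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class LogPointNode:
    """One LogPoint machine: its own repos and the remote nodes it may read."""
    name: str
    repos: dict[str, list[str]]                     # repo name -> log lines (constructed)
    privileges: set[str] = field(default_factory=set)   # users allowed to read this node
    distributed: dict[str, "LogPointNode"] = field(default_factory=dict)

    def add_dlp(self, remote: "LogPointNode", user: str) -> None:
        """Register ``remote`` as a DLP of this node.

        The relationship is one-directional: the requesting user must already
        hold read privilege on ``remote``, and nothing is granted back to it.
        """
        if remote.name == self.name:
            raise ValueError("node names must be unique in a distributed setup")
        if remote.name in self.distributed:
            raise ValueError(f"{remote.name} is already a DLP of {self.name}")
        if user not in remote.privileges:
            raise PermissionError(
                f"user {user!r} lacks privilege to access logs on {remote.name}"
            )
        self.distributed[remote.name] = remote

    def searchable_repos(self) -> dict[str, list[str]]:
        """Repos a search head on this node can query: local plus DLP repos."""
        result = {f"{self.name}/{repo}": lines for repo, lines in self.repos.items()}
        for remote in self.distributed.values():
            for repo, lines in remote.repos.items():
                result[f"{remote.name}/{repo}"] = lines
        return result

    def search(self, needle: str) -> dict[str, list[str]]:
        """Fan the query out to every searchable repo and merge the matches."""
        hits: dict[str, list[str]] = {}
        for qualified_repo, lines in self.searchable_repos().items():
            matches = [line for line in lines if needle in line]
            if matches:
                hits[qualified_repo] = matches
        return hits


def build_scenario() -> tuple[LogPointNode, LogPointNode]:
    """LP1 and LP2 from the scenario above, with constructed sample logs."""
    lp1 = LogPointNode(
        name="LP1",
        repos={"default": ["sshd: Accepted publickey for alice from 10.0.0.5"]},
        privileges={"alice"},
    )
    lp2 = LogPointNode(
        name="LP2",
        repos={"firewall": ["FW: DROP src=10.0.0.5 dst=10.0.1.9 dpt=445",
                            "FW: ACCEPT src=10.0.0.7 dst=10.0.1.9 dpt=443"]},
        privileges={"alice", "bob"},
    )
    # alice, working from LP1, holds privilege on LP2, so LP2 becomes a DLP of LP1.
    lp1.add_dlp(lp2, user="alice")
    return lp1, lp2


if __name__ == "__main__":
    lp1, lp2 = build_scenario()
    print(sorted(lp1.searchable_repos()))   # LP1/default and LP2/firewall
    print(sorted(lp2.searchable_repos()))   # only LP2/firewall: access is not reciprocal
    print(lp1.search("10.0.0.5"))           # hits from both machines, merged at LP1
```

Running the block shows LP1 searching across both machines while LP2 still sees only its own repo; adding more nodes to LP1's `distributed` map gives the four-DLP, single-search-head layout from the second figure.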
The Distributed LogPoint guide helps you to understand and perform the following tasks:
Enable connections between your LogPoint and remote LogPoints. Refer to Enabling Open Door.
Add remote LogPoint in the Distributed setup. Refer to Adding Remote LogPoints.
Add Syslog Forwarder in the Distributed setup. Refer to Adding a Syslog Forwarder.
Configure LogPoint as a Distributed Collector. Refer to Configuring Distributed Collectors.
Add targets to forward the Raw Syslog messages. Refer to Adding a Target.
Add devices to collect the Raw Syslog messages. Refer to Adding Devices.
Configure remote targets to view the logs. Refer to Viewing Logs in Remote Target.
Update the information about the Distributed LogPoints. Refer to Editing a Distributed LogPoint.
Import/Export data of the Syslog Forwarder. Refer to Downloading the Data.
Manage the settings before using the distributed collectors. Refer to Using Distributed Collectors.
Update the information on the Remote Target panel. Refer to Editing a Target.
Update the device information. Refer to Editing Devices.
Feature accessibility in the Distributed LogPoint setup. Refer to DLP Accessibility.
Delete the Distributed LogPoints. Refer to Deleting a Distributed LogPoint.
Delete the targets. Refer to Deleting a Target.
Delete the devices that collect the Raw Syslog messages. Refer to Deleting Devices.