6.7 Three-Tier Deployment with Scalable Storage

Data Collection Tier: For collecting events from a wide range of event sources.

Scalable Storage Tier: For storing and indexing large data. The SSDM server in this tier enables you to manage data collection and event routing, search and visualize events, and perform certain administrative activities. For other Sentinel capabilities such as real-time analytics and reporting, you can set up a separate Analytics tier. You can configure event routing rules to forward specific events required for analysis to the Analytics Tier by using Sentinel Link as shown in the diagram. You can also forward the collected data to any other SIEM systems or enable other business intelligence tools to query the data or perform analytics directly on your Hadoop distribution.

Analytics Tier: To perform real-time analytics on large data, you must set up the Analytics Tier and configure event routing rules to forward the desired events from scalable storage tier. Also, you can use the same Analytics Tier to collect and store network flow data and events from other NetIQ products such as Secure Configuration Manager and Change Guardian. You can deploy one or more Sentinel servers for analytics purpose as shown in the diagram.

Search Tier: This is an optional tier. You can perform searching and reporting using any of the Sentinel servers in the Analytics Tier as well. However, having a separate search tier provides a convenient single access point for searching and reporting across all Sentinel servers in the Analytics Tier by using Sentinel Data Federation. For searching events in the scalable storage, use the search option in Sentinel Scalable Data Manager.