6.4 One-Tier Distributed Deployment

The one-tier deployment adds the ability to monitor Windows computers and to handle a larger load than the all-in-one deployment. You can scale out data collection and correlation by adding Collector Manager and Correlation Engine computers that offload processing from the central Sentinel server. In addition to handling the load of events and correlation rules, remote Collector Managers and Correlation Engines also free up resources on the central Sentinel server to service other requests such as event storage and searches. As the load gets higher on the system, the central Sentinel server will eventually become a bottleneck and you need a deployment with more tiers to scale out further.

Optionally, you can configure Sentinel to copy event data to a data warehouse, which can be useful to offload custom reporting, analytics, and other processing to another system.

Figure 6-3 One-Tier Distributed Deployment