6.2 Advantages of Distributed Deployments

By default, the Sentinel server includes the following components:

  • Collector Manager: Collector Manager provides a flexible data collection point for Sentinel.

  • Correlation Engine: Correlation Engine processes events from the real-time event stream to determine whether they should trigger any of the correlation rules.

  • Elasticsearch: An optional data storage component that stores and indexes data. By default, Sentinel includes one Elasticsearch node. If you expect a high event rate (more than 2500 EPS), you must deploy additional Elasticsearch nodes in a cluster.

IMPORTANT: In production environments, you should set up a distributed deployment because it isolates data collection components on a separate computer, which is important for handling spikes and other anomalies with maximum system stability.

This section describes the advantages of distributed deployments.

6.2.1 Advantages of Additional Collector Managers

The Sentinel server includes a Collector Manager by default. However, for production environments, distributed Collector Managers provide much better isolation when large volumes of data are received. In this situation, a distributed Collector Manager may become overloaded, but the Sentinel server will remain responsive to user requests.

Installing more than one Collector Manager in a distributed network provides the following advantages:

  • Improved system performance: Additional Collector Managers can parse and process event data in a distributed environment, which increases the system performance.

  • Additional data security and decreased network bandwidth requirements: If the Collector Managers are co-located with event sources, then filtering, encryption, and data compression can be performed at the source.

  • File caching: Additional Collector Managers can cache large amounts of data while the server is temporarily busy archiving events or processing a spike in events. This feature is an advantage for protocols such as syslog, which do not natively support event caching.

You can install additional Collector Managers at suitable locations in your network. These remote Collector Managers run Connectors and Collectors, and forward the collected data to the Sentinel server for storage and processing. For information about installing additional Collector Managers, see Section III, Installing Sentinel.

NOTE: You cannot install more than one Collector Manager on a single system. You can install additional Collector Managers on remote systems, and then connect them to the Sentinel server.

6.2.2 Advantages of Additional Correlation Engines

You can deploy multiple Correlation Engines, each on its own server, without the need to replicate configurations or add databases. In environments with large numbers of correlation rules or extremely high event rates, it is advantageous to install more than one Correlation Engine and redeploy some rules to the new Correlation Engine. Multiple Correlation Engines provide the ability to scale as the Sentinel system incorporates additional data sources, or as event rates increase. For information about installing additional Correlation Engines, see Section III, Installing Sentinel.

NOTE: You cannot install more than one Correlation Engine on a single system. You can install additional Correlation Engines on remote systems, and then connect them to the Sentinel server.
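As an added example that is not part of the Sentinel documentation, the following Python script applies the deployment rules stated in Sections 6.2, 6.2.1 and 6.2.2 (one Collector Manager and one Correlation Engine per system, an Elasticsearch cluster above 2500 EPS, and a remote Collector Manager so that data collection is isolated from the server) to a constructed deployment plan, and estimates the peak backlog a remote Collector Manager must cache while the server drains a spike. Host names, role labels and the event-rate profile are constructed for the example and are not Sentinel's own identifiers.

```python
from dataclasses import dataclass

# Threshold stated in the deployment guide: above this EPS, run Elasticsearch as a cluster.
ES_SINGLE_NODE_MAX_EPS = 2500

@dataclass
class Host:
    name: str
    roles: list  # role labels are constructed for this example, not Sentinel's own names

def validate_plan(expected_eps, hosts):
    """Apply the deployment rules from this section; returns a list of findings (empty = OK)."""
    findings = []
    for h in hosts:
        # Only one Collector Manager and one Correlation Engine may run on a single system.
        for role in ("collector_manager", "correlation_engine"):
            if h.roles.count(role) > 1:
                findings.append(f"{h.name}: more than one {role} on one system")
    es_nodes = sum("elasticsearch" in h.roles for h in hosts)
    if expected_eps > ES_SINGLE_NODE_MAX_EPS and es_nodes < 2:
        findings.append(f"{expected_eps} EPS exceeds {ES_SINGLE_NODE_MAX_EPS}: deploy an Elasticsearch cluster")
    # Production isolation: at least one Collector Manager on a host other than the Sentinel server.
    remote_cms = [h.name for h in hosts
                  if "collector_manager" in h.roles and "sentinel_server" not in h.roles]
    if not remote_cms:
        findings.append("no remote Collector Manager: data collection is not isolated from the server")
    return findings

def peak_cache_backlog(rates_per_second, drain_eps):
    """Simulate a remote Collector Manager's file cache during a spike.
    rates_per_second: events arriving in each second; drain_eps: rate the Sentinel server accepts.
    Returns (peak backlog in events, backlog still cached at the end of the profile)."""
    backlog = peak = 0
    for rate in rates_per_second:
        backlog = max(0, backlog + rate - drain_eps)
        peak = max(peak, backlog)
    return peak, backlog

if __name__ == "__main__":
    # Constructed plan: the built-in components on the server plus one remote Collector Manager.
    plan = [Host("sentinel-01", ["sentinel_server", "collector_manager", "correlation_engine", "elasticsearch"]),
            Host("cm-01", ["collector_manager"])]
    for finding in validate_plan(4000, plan):
        print("finding:", finding)
    spike = [1000] * 3 + [6000] * 4 + [1000] * 5  # constructed syslog burst, events per second
    print("peak backlog to cache, remaining backlog:", peak_cache_backlog(spike, 2500))
```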