6.7 Three-Tier Deployment with Scalable Storage

For large data storage and data processing needs, where you do not want to distribute events across multiple Sentinel servers and duplicate configuration settings across multiple instances, you can set up a three-tier distributed deployment with scalable storage. This deployment lets you store and manage large volumes of data on a single Sentinel server with scalable storage instead of spreading the data across multiple Sentinel servers.

You can set up a new Sentinel server with scalable storage or upgrade your existing Sentinel server to enable scalable storage.

The Sentinel capabilities you want to use determine which of the tiers described below you need to set up in your Sentinel deployment.

Figure 6-6 Three-Tier Deployment for Scalable Storage

This deployment includes the following tiers:

  • Data Collection Tier: For collecting events from a wide range of event sources. Optionally, if you want to retain your existing data collection setup with traditional storage Sentinel and still leverage the scalable storage capabilities, you can forward the desired events directly from traditional storage to scalable storage by using the data_uploader.sh script. For more information, see Section 32.0, Migrating Data to Scalable Storage.

  • Scalable Storage Tier: For storing, indexing, and analyzing large volumes of data. The SSDM server in this tier enables you to manage data collection and correlation, and provides other SSDM capabilities. To use Sentinel capabilities that are not available in SSDM, you can set up the Traditional Storage tier. You can also forward the collected data to any other SIEM system, or enable other business intelligence tools to query the data or perform analytics directly on your Hadoop distribution by using the widely supported Hadoop, Kafka, Spark, and Elasticsearch APIs.

  • Traditional Storage Tier: For Sentinel capabilities that SSDM does not provide, such as Security Intelligence, conventional searching, and reporting, you must install separate instances of Sentinel with traditional storage. You can configure event routing rules to forward the desired events from SSDM to these Sentinel servers by using Sentinel Link.

    You can perform searching and reporting using any of the Sentinel servers in the Traditional Storage Tier. Optionally, you can set up a separate Search Tier that provides a convenient single access point for searching and reporting across all Sentinel servers in the Traditional Storage Tier. For searching events in the scalable storage, use the search option in SSDM.

For more information about installing and setting up scalable storage, see Section 13.0, Installing and Setting Up Scalable Storage.