20.1 Overview

The Data Federation feature lets you search events, view alerts, and report on event data from both local and remote Sentinel servers. When you are working with multiple servers, you can start a search or report on one server and have it automatically run across the selected remote servers. The server on which the search is initiated is referred to as the authorized requestor, and the remote servers are referred to as the data sources or data source servers.

When you run a search or report on the authorized requestor, search queries are sent to each selected data source server. The data source server authenticates the authorized requestor server, using a password that is exchanged during configuration. Event or alert data is returned to the authorized requestor, where it is merged, sorted, and rolled up for presentation. Individual search results display the data source servers from which they were received. The search status for each server is available for viewing and troubleshooting.
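As an added illustration (not Sentinel's own code or wire protocol), the following Python model walks through the flow described above: each data source authenticates the authorized requestor with the password configured for it before answering, the requestor merges and sorts the returned events, tags each with the server it came from, and records a per-server status so that an unreachable or misconfigured source is visible rather than silently missing. Server names, passwords and events are constructed sample values.

```python
import hmac
from dataclasses import dataclass

@dataclass
class DataSource:
    """Constructed stand-in for a remote data source server."""
    name: str
    password: str       # secret exchanged with the requestor at configuration time
    events: list        # (timestamp, message) tuples held by this server
    reachable: bool = True

    def search(self, requestor_password: str, query: str):
        """Authenticate the authorized requestor, then return matching events."""
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        # constant-time comparison so timing does not leak the configured password
        if not hmac.compare_digest(self.password.encode(), requestor_password.encode()):
            raise PermissionError(f"{self.name} rejected authorized requestor")
        return [(ts, msg) for ts, msg in self.events if query in msg]

def federated_search(query: str, sources: dict, passwords: dict):
    """Run `query` on every data source; merge results and keep per-server status."""
    merged, status = [], {}
    for name, src in sources.items():
        try:
            hits = src.search(passwords.get(name, ""), query)
            merged.extend((ts, msg, name) for ts, msg in hits)  # tag each hit with its source
            status[name] = f"ok ({len(hits)} events)"
        except (ConnectionError, PermissionError) as exc:
            status[name] = f"failed: {exc}"        # surfaced for troubleshooting, not hidden
    merged.sort(key=lambda r: r[0])                # sort merged results for presentation
    rollup = {}
    for _, _, name in merged:
        rollup[name] = rollup.get(name, 0) + 1     # roll-up: hit count per data source
    return merged, status, rollup

# constructed sample servers: one correct password, one wrong, one unreachable
SOURCES = {
    "sentinel-eu": DataSource("sentinel-eu", "eu-secret", [(100, "login failed"), (130, "login ok")]),
    "sentinel-us": DataSource("sentinel-us", "us-secret", [(120, "login failed")]),
    "sentinel-ap": DataSource("sentinel-ap", "ap-secret", [(110, "login failed")], reachable=False),
}
PASSWORDS = {"sentinel-eu": "eu-secret", "sentinel-us": "wrong"}  # us misconfigured, ap missing

if __name__ == "__main__":
    results, status, rollup = federated_search("login failed", SOURCES, PASSWORDS)
    print(results, status, rollup, sep="\n")
```

The per-server status is the part worth keeping in any real deployment: a result set that is merely smaller than expected gives no hint that a source failed authentication.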

Figure 20-1 shows how Sentinel servers in different locations around the world can be set up for data federation, which enables distributed search and reporting.

Figure 20-1 Data Federation