6.3 One-Tier Distributed Deployment

The one-tier distributed deployment adds the ability to monitor Windows machines and handles a larger load than the all-in-one deployment. Data collection and correlation are scaled out by adding Collector Manager, NetFlow Collector Manager, and Correlation Engine machines that offload processing from the central Sentinel server. Besides absorbing the load of event collection, correlation rules, and network flow data, these remote Collector Managers, Correlation Engines, and NetFlow Collector Managers free up resources on the central Sentinel server for other requests, such as event storage and searches. As load grows, the central Sentinel server eventually becomes the bottleneck, and a deployment with more tiers is needed to scale out further.

Optionally, you can configure Sentinel to copy event data to a data warehouse, which is useful for offloading custom reporting, analytics, and other processing to another system.

Figure 6-2 One-Tier Distributed Deployment