By default, the Sentinel server includes the following components:
Collector Manager: Collector Manager provides a flexible data collection point for Sentinel. The Sentinel installer installs a Collector Manager by default during installation.
Correlation Engine: Correlation Engine processes events from the real-time event stream to determine whether they should trigger any of the correlation rules.
NetFlow Collector Manager: The NetFlow Collector Manager collects network flow data (NetFlow, IPFIX, and so on) from network devices such as routers, switches, and firewalls. Network flow data describes basic information about all network connections between hosts including packets and bytes transmitted, which helps you visualize the behavior of individual hosts or the entire network.
For production environments, NetIQ Corporation recommends distributed deployments because it isolates data collection components on separate machines.
This section describes the advantages of distributed deployments.
Sentinel server includes a Collector Manager by default. However, for production environments, distributed Collector Managers provide much better isolation when large volumes of data is received. In this situation, a distributed Collector Manager may become overloaded but the Sentinel server will remain responsive to user requests.
Installing more than one Collector Manager in a distributed network provides several advantages:
Improved system performance: Additional Collector Managers can parse and process event data in a distributed environment, which increases the system performance.
Additional data security and decreased network bandwidth requirements: If the Collector Managers are co-located with event sources, then filtering, encryption, and data compression can be performed at the source.
File caching: Additional Collector Managers can cache large amounts of data while the server is temporarily busy archiving events or processing a spike in events. This feature is an advantage for protocols such as syslog, which do not natively support event caching.
You can install additional Collector Managers at suitable locations in your network. These remote Collector Managers run Connectors and Collectors, and forward the collected data to the Sentinel server for storage and processing. For information about installing additional Collector Managers, see Section 12.5, Installing Collector Managers and Correlation Engines.
NOTE:You cannot install more than one Collector Manager on a single system. You can install additional Collector Managers on remote systems, and then connect them to the Sentinel server.
You can deploy multiple Correlation Engines, each on its own server, without the need to replicate configurations or add databases. For environments with large numbers of Correlation rules or extremely high event rates, it can be advantageous to install more than one Correlation engine and redeploy some rules to the new Correlation engine. Multiple Correlation engines provide the ability to scale as the Sentinel system incorporates additional data sources or as event rates increase. For information on installing additional Correlation Engines, see Section 12.5, Installing Collector Managers and Correlation Engines.
NOTE:You cannot install more than one Correlation Engine on a single system. You can install additional Correlation Engines on remote systems, and then connect them to the Sentinel server.
NetFlow Collector Manager collects network flow data from network devices. However, you can install additional NetFlow Collector Managers rather than using the NetFlow Collector Manager on the Sentinel server to free up system resources to other important functions such as event storage and searches.
You can install additional NetFlow Collector Managers in the following scenarios:
In environments with many network devices and high rates of network flow data, you can install multiple NetFlow Collector Managers to distribute the load.
If you are in a multi-tenant environment, you should install individual NetFlow Collector Manager for each tenant to collect separate network flow data per tenant.
For more information about installing additional NetFlow Collector Managers, see Section 14.0, NetFlow Collector Manager Installation.