LogCenter Deployment Scenario
The LogCenter can be deployed in centralized mode or distributed mode based on the log source quantity and distribution to satisfy log analysis requirements of the live network.
Centralized Deployment
When log sources on the network are relatively centralized and the log processing performance required of the LogCenter is relatively low, you can select the centralized deployment mode.
In centralized deployment mode, the LogCenter analyzer and collector are installed on the same physical server. This deployment mode is applicable to a network with low networking costs. You can select the centralized deployment mode when the live network meets the following conditions:
- The number of log sources is less than 100.
- The log sources are distributed in a relatively centralized manner, for example, in the same LAN.
- The total log amount on the network is within the log processing capability of a collector.
The centralized deployment mode can satisfy log analysis requirements with the minimum resource consumption.
Figure 1-1 Centralized deployment networking of the LogCenter
Distributed Deployment
When log sources on the network are relatively dispersed, or the log processing performance required of the LogCenter is relatively high, you can select the distributed deployment mode.
In distributed deployment mode, the LogCenter analyzer and collector are installed on different physical servers. You can select the distributed deployment mode when the live network meets the following conditions:
- The number of log sources is larger than 100.
- The log sources are separated, for example, in multiple subnets.
- The total log amount on the network is beyond the log processing capability of a collector.
The distributed deployment mode suits a changing network because its networking modes are flexible.
For example, when a company has multiple departments and subnets, multiple collectors can be deployed to collect logs from distributed firewalls. Because all logs are collected on one analyzer, the network administrator gets a comprehensive view of the conditions of the entire network.
On the backbone network of a carrier, the network traffic on key nodes is huge. If multiple collectors are deployed to cooperate with the firewall in terms of load balancing and link keepalive detection, the administrator can easily record, save, and query massive logs on the backbone network.
Figure 1-2 Distributed deployment networking of the LogCenter
Front End Processor Scenarios
In certain special scenarios, the LogCenter can use its log receiving and analysis functions to convert logs to a uniform format.
Generally, the log processing systems of carriers can analyze and store logs in only one or a few specific formats. However, devices on the live network come from various vendors, so diverse log formats exist. Therefore, a system is required to uniformly convert the logs of various network devices to a format that is easy to identify and store.
Because the log sources to be converted vary with carriers, most front end processor scenarios are customized based on actual site requirements. The customized configurations differ from common log receiving and parsing configurations. Therefore, the front end processor configurations are not described here. For details about the front end processor operations, see the corresponding configuration guides.