The Data Processor has three primary interface points with the LogRhythm SIEM:
- The Data Processor (Mediator) sends logs to the Data Indexer.
- The Data Indexer reads information from the EMDB.
- The Client Console and Web Console issue queries about logs to the Data Indexer.
The Data Processor's Mediator Server service handles communications with LogRhythm Agents, such as authenticating Agent connections, receiving log data, and informing System Monitors to shut down or failover when required. The Mediator is also responsible for processing logs against the Knowledge Base and sending processed log messages to the Data Indexer.
The Data Processor contains a log processing engine known as the Message Processing Engine (MPE). The MPE processes logs against rules (MPE rules) to identify logs, parse information from the logs, and forward certain logs as events to the Platform Manager.
In medium-to-large deployments, Data Processors should be dedicated systems. In small deployments, the Data Processor can coexist on the same system as the Platform Manager.
LogRhythm supports Agent failover across several Data Processors; three is the most common configuration. The prioritized Processors are configured in the Agent as mediator1, mediator2, and mediator3, an ordered list that the Agent works through in turn. Collection performance is maintained across Mediator failover, and the same mechanism also supports Agent load balancing.
One of three scenarios can cause an Agent to failover to a different Processor:
- The Processor currently serving the Agent is already servicing its maximum agent count.
- The Processor is unavailable due to inability to establish connection or a lost connection (for example, a network issue).
- The Processor issues a suspense condition.
All Agents support a configurable failback timer, set per Agent as the Failback Delay in the System Monitor Agent Advanced Properties dialog box.
When the timer expires, the Agent waits for a randomized delay period (1-30 seconds) before attempting to reconnect.
Load balanced virtual log sources let you specify the log sources that are being sent to a load balancer and the System Monitor Agents to which the load balancer is sending log messages. These options enable deployments with larger volumes to utilize load balanced log sources without data loss. Even though Agents don’t send data to more than one Data Processor at a time, the Agents used with load balanced log sources must be configured to communicate with all Mediators that are used for load balancing for that set of agents.
For more information on how to configure the Agents correctly, see the Data Processor Settings Tab information in Modify System Monitor Basic Properties.
Load Balance Delay
All Agents support a configurable load balance timer, set on a per Agent basis. When an Agent has connected to a lower-priority Processor because the Processor it was trying to reach had already reached its maximum Agent connections, the Agent attempts load balancing after this configurable time period.
| Load Balance Delay | Value |
|---|---|
| Maximum | 10080 minutes (7 days) |
| Default | 4320 minutes (3 days) |
Upon expiration of this timer, the Agent waits for a randomized delay period (1-30 minutes) prior to attempting to reconnect. This is to prevent a surge of Agents reconnecting.
After waiting for the randomized delay period, the Agent attempts to connect to the primary Data Processor. If it does not succeed because of maximum Agent connections, it attempts the secondary and then the tertiary.
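The failover triggers, the ordered mediator list, and the failback and load balance retry cycle described above, modelled as an added example. This is illustrative code, not LogRhythm's Agent or Mediator implementation: the Processor and Agent classes, the max_agents capacity, the rule that the load balance timer governs a retry only when mediator1 refused for maximum agent count, and the five-Agent scenario are all assumptions made for the example. The timer bounds and the 1-30 second / 1-30 minute jitter are taken from the text.

```python
import random
from dataclasses import dataclass

# Load balance delay bounds quoted in the text (minutes).
LOAD_BALANCE_DELAY_MAX_MIN = 10080      # 7 days
LOAD_BALANCE_DELAY_DEFAULT_MIN = 4320   # 3 days


@dataclass
class Processor:
    """A Data Processor (Mediator) as an Agent sees it; the fields are illustrative."""
    name: str
    max_agents: int
    connected: int = 0
    reachable: bool = True
    suspense: bool = False

    def refusal_reason(self):
        """None if the Agent may connect, otherwise which of the three failover triggers applies."""
        if not self.reachable:
            return "unavailable"        # cannot establish, or has lost, the connection
        if self.suspense:
            return "suspense"           # the Processor issued a suspense condition
        if self.connected >= self.max_agents:
            return "max_agent_count"    # already servicing its maximum agent count
        return None


class Agent:
    """System Monitor Agent holding the ordered mediator1, mediator2, mediator3 list."""

    def __init__(self, name, mediators, load_balance_delay_min=LOAD_BALANCE_DELAY_DEFAULT_MIN, rng=None):
        if not 1 <= load_balance_delay_min <= LOAD_BALANCE_DELAY_MAX_MIN:
            raise ValueError("Load Balance Delay must be between 1 and 10080 minutes")
        self.name = name
        self.mediators = list(mediators)
        self.load_balance_delay_min = load_balance_delay_min
        self.current = None
        self.primary_reason = None      # why mediator1 refused the last attempt, if it did
        self.rng = rng if rng is not None else random.Random()

    def connect(self):
        """Drop any current connection, then try mediator1, mediator2, mediator3 in order.
        Returns the Processor that accepted the Agent, or None if all three refused."""
        if self.current is not None:
            self.current.connected -= 1
            self.current = None
        self.primary_reason = self.mediators[0].refusal_reason()
        for proc in self.mediators:
            if proc.refusal_reason() is None:
                proc.connected += 1
                self.current = proc
                return proc
        return None

    def governing_timer(self):
        """Assumption made for this example: the load balance timer applies when mediator1
        refused for max agent count; any other refusal is handled by the failback timer."""
        return "load_balance" if self.primary_reason == "max_agent_count" else "failback"

    def jitter_seconds(self):
        """Randomized wait after the governing timer expires, before the next connect():
        1-30 seconds for failback, 1-30 minutes for load balancing, as the text states."""
        if self.governing_timer() == "load_balance":
            return self.rng.randint(1, 30) * 60
        return self.rng.randint(1, 30)


def place(agents):
    """Connect each Agent in turn and record where it landed (None = all three refused)."""
    result = {}
    for agent in agents:
        proc = agent.connect()
        result[agent.name] = proc.name if proc else None
    return result


def demo():
    """Constructed scenario: three Processors with room for two Agents each, five Agents."""
    m1, m2, m3 = (Processor(n, max_agents=2) for n in ("mediator1", "mediator2", "mediator3"))
    agents = [Agent(f"agent{i}", [m1, m2, m3], rng=random.Random(i)) for i in range(5)]
    out = {"initial": place(agents)}            # list order fills mediator1 first, then spills over
    m1.reachable = False                        # mediator1 loses its network
    out["after_outage"] = place(agents[:2])     # its two Agents fail over; only one seat is left on mediator3
    out["timers"] = {a.name: a.governing_timer() for a in agents[:2]}
    m1.reachable = True                         # mediator1 returns: failback timer, jitter, then reconnect
    out["failback_jitter_s"] = agents[0].jitter_seconds()
    out["after_failback"] = place(agents[:1])
    return out


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two sides of the behaviour the text describes: with mediator1 down, the first displaced Agent lands on mediator3 and the second finds every Processor refusing it, and once mediator1 is reachable again the Agent's failback attempt walks the ordered list from the top and lands back on its primary.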
The Mediator Server writes the following log files to the logs directory in the Mediator Server installation directory:
| Log file | Contents |
|---|---|
| scmedsvr.log | Errors, warnings, and data pertaining to Agent connections and network operations |
| scmpe.log | Errors, warnings, and data pertaining to the MPE component of the server |
| archive.log | Data concerning the archiving processing performed by the Mediator Server |
| evtmsgprocessor.log | Data concerning the Insert Manager EM |
| logmsgprocessor.log | Data concerning the Insert Manager LM |
The Mediator Server maintains state files that track processed and unprocessed logs and events, so that logs and events still in memory when the server shuts down are not lost. These files are stored in a directory structure under the state sub-directory of the Mediator Server. When the server is restarted, the logs and events are read back in from the files and processed. To ensure reliable processing of collected log data, do not move, alter, or otherwise manipulate the files in the state directory in any way.
Missing Heartbeat Detection
The Data Processors actively monitor themselves and their Agents for a heartbeat signal at regular intervals. Each time a signal is received, the database is updated with the timestamp of the last successful signal from that component. The ARM service regularly checks how much time has passed since each component's last successful heartbeat and compares it with that component's own Heartbeat Warning Interval setting, configured in its Properties dialog box. If the elapsed time exceeds the Heartbeat Warning Interval, a Missing Heartbeat Warning event is generated, and a further warning is generated each time an additional Heartbeat Warning Interval passes without a signal.
After a heartbeat is received from the component, a Heartbeat Returned event is generated and the system again waits for a missing heartbeat condition.
Set a reasonable Heartbeat Warning Interval for each component. Pay particular attention to systems on non-persistent connections or that are routinely removed from the network, such as notebook computers, so that their expected absences do not generate a stream of warnings.
You can see the Heartbeat status in the grid on the top of the Data Processors tab and in the grid on the bottom of the System Monitors tab.
- If a Heartbeat is not received for one full Heartbeat Warning Interval, the Last Heartbeat field is yellow.
- If a Heartbeat is not received for two full Heartbeat Warning Intervals, the Last Heartbeat field is red.
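The missing heartbeat check described above, written out as an added example in Python; this is not the ARM service's code. It assumes a simple in-memory store of each component's last heartbeat and its own Heartbeat Warning Interval, emits one Missing Heartbeat Warning per full interval that elapses without a signal and a Heartbeat Returned event when the signal comes back, and reports the yellow/red colouring of the Last Heartbeat field. The timeline, component names and intervals are constructed for the example; the roaming laptop Agent is given a deliberately longer interval to show the caveat about non-persistent connections.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Component:
    """A Data Processor or Agent tracked by the heartbeat check (illustrative fields)."""
    name: str
    warning_interval: timedelta      # the component's own Heartbeat Warning Interval
    last_heartbeat: datetime         # timestamp of the last successful signal
    intervals_flagged: int = 0       # full intervals already warned about since that signal
    missing: bool = False            # True once a Missing Heartbeat Warning has been raised


class HeartbeatMonitor:
    """Stand-in for the periodic missing-heartbeat check run by the ARM service."""

    def __init__(self, components):
        self.components = {c.name: c for c in components}

    def record_heartbeat(self, name, at):
        """A heartbeat arrived: store its timestamp; emit Heartbeat Returned if one was missing."""
        c = self.components[name]
        c.last_heartbeat = at
        events = []
        if c.missing:
            events.append((at, name, "Heartbeat Returned"))
        c.missing = False
        c.intervals_flagged = 0
        return events

    def check(self, now):
        """One pass of the periodic check: a Missing Heartbeat Warning for every full
        Heartbeat Warning Interval that has elapsed since the last signal and not yet been flagged."""
        events = []
        for c in self.components.values():
            full_intervals = (now - c.last_heartbeat) // c.warning_interval   # timedelta // timedelta -> int
            while c.intervals_flagged < full_intervals:
                c.intervals_flagged += 1
                c.missing = True
                events.append((now, c.name, "Missing Heartbeat Warning"))
        return events

    def status(self, name, now):
        """Colour of the Last Heartbeat field: yellow after one full interval, red after two."""
        c = self.components[name]
        full_intervals = (now - c.last_heartbeat) // c.warning_interval
        if full_intervals >= 2:
            return "red"
        if full_intervals >= 1:
            return "yellow"
        return "ok"


def demo():
    """Constructed timeline: a Data Processor with a 5-minute interval and a roaming laptop
    Agent with a 15-minute interval. Returns (events as minute offsets, field colours)."""
    t0 = datetime(2024, 1, 1, 0, 0)
    mon = HeartbeatMonitor([
        Component("dp01", timedelta(minutes=5), t0),
        Component("laptop-agent", timedelta(minutes=15), t0),
    ])

    def minute(at):
        return int((at - t0).total_seconds() // 60)

    events, statuses = [], {}
    for m in (4, 6, 11, 16):                      # neither component sends a heartbeat
        now = t0 + timedelta(minutes=m)
        events += mon.check(now)
        statuses[f"dp01@{m}"] = mon.status("dp01", now)
    events += mon.record_heartbeat("dp01", t0 + timedelta(minutes=17))   # dp01 comes back
    now = t0 + timedelta(minutes=20)
    events += mon.check(now)
    statuses["dp01@20"] = mon.status("dp01", now)
    statuses["laptop-agent@20"] = mon.status("laptop-agent", now)
    return [(minute(ts), name, kind) for ts, name, kind in events], statuses


if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

In the constructed run dp01 is flagged at minutes 6, 11 and 16 (one warning per additional interval), turns red from minute 11, and raises Heartbeat Returned at minute 17; the laptop Agent, on a 15-minute interval, draws its first warning only at minute 16 and is still just yellow at minute 20.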
Last Data Processor
The Last Data Processor column in the grid on the bottom of the System Monitors tab contains the name of the last Data Processor the Agent was connected to.