Log Distribution Services (LDS) provides a mechanism for sending logs to external syslog receivers via TCP or UDP. LDS has two major components: the Log Distribution Receiver Manager and the Log Distribution Policy Manager. One or more LDS receivers can be defined to specify the external systems to which logs are sent; one or more LDS policies can be defined to specify which logs to send.
The improvements made in v2 allow Log Distribution Services with metadata to keep up with the maximum Data Processor rate. Specifically, in v2:
- Total rate sent to LDS is higher
- Total rate sent to the receiver is higher
- Total rate acknowledged by the receiver (TCP only) is higher
- Average receiver latency is lower
- LDS reliability is improved
The following changes also apply to LDS v2:
- Unsent logs are not spooled out to disk in the Mediator directory, preventing the C: drive from filling up
- The log file for LDS v2 uses the log level of the Mediator
Requirements:
- LogRhythm 7.4.3 or later and Windows 2012 R2 or 2016
- The LDS must be installed on LogRhythm Windows component node Data Processors. The LDS is required even for single-node LogRhythm PM or XM multi-node deployments.
- The LDS application (client) must be installed on a Windows host with TCP or UDP ports 1468 or 514 open for connectivity with the PM or XM
- If running firewall software on the LogRhythm nodes hosting the LDS, a firewall rule must be enabled for the TCP/UDP incoming port (default is 514)
- Receiver latency should be no more than 10 milliseconds
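A preflight check for the receiver requirements above, as an added example (not LogRhythm code): it measures TCP connect time to a receiver on the ports named here and compares the median with the 10 millisecond ceiling. Using TCP connect time as a proxy for receiver latency is an assumption, as are the function names; UDP reachability cannot be confirmed this way because UDP has no handshake.

```python
import socket
import statistics
import sys
import time

LDS_PORTS = (514, 1468)   # ports named on this page
MAX_LATENCY_MS = 10.0     # receiver latency ceiling named on this page


def tcp_connect_ms(host, port, timeout=2.0):
    """Return the TCP connect time in milliseconds, or None if the
    port is closed, filtered, or the host is unreachable."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - start) * 1000.0
    except OSError:
        return None


def check_receiver(host, port, samples=5, limit_ms=MAX_LATENCY_MS):
    """Probe host:port several times and report reachability plus the
    median connect time. The median damps a single slow handshake."""
    probes = (tcp_connect_ms(host, port) for _ in range(samples))
    times = [t for t in probes if t is not None]
    if not times:
        # Closed port or blocking firewall rule: nothing to measure.
        return {"port": port, "reachable": False,
                "median_ms": None, "ok": False}
    median = statistics.median(times)
    return {"port": port, "reachable": True,
            "median_ms": round(median, 3), "ok": median <= limit_ms}


if __name__ == "__main__":
    # Usage: python lds_preflight.py <receiver-host>
    # The default host is a placeholder for local testing only.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port in LDS_PORTS:
        print(check_receiver(host, port))
```

Run it from the host where LDS is installed, so the measurement covers the same network path and firewall rules the forwarded logs will take.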