Solution Key Components
Key components such as log collection, log forwarding, indexing and visualization.
A Log Analytics solution consists of key phases, or components, that operate both on the customer side and in the cloud. Understanding these components is essential to a successful implementation of the Log Analytics solution.
cfxLogAnalytics Key Components
Each of these key components is documented in a separate section; follow the links to the instructions for that component.
Log Forwarding: Serves as a local log aggregator and forwarder within the customer environment. It consists of the Logstash software installed on a customer-managed Linux server. A typical Log Analytics implementation begins with installing the Log Forwarding component and establishing its connection to the CFX cloud backend. All log collection agents (see the next component) forward their logs to this component.
Log Collection: Collects logs and events from monitored devices using small software agents called beats, which are installed on the monitored devices. In some cases no beat installation is required (for example, NetFlow). All log collection agents forward logs to the Log Forwarder (see the previous component).
Indexing: Logs and events are separated and automatically indexed into daily indexes for each customer. Every log type has its own set of indexes (for example, the syslog index set is different from the NetFlow index set). Dashboards operate on an index pattern and show analytics based on the data persisted in all indexes matching that pattern.
Filtering and Enrichment: Logs can be further filtered so that only the logs of interest to the customer are sent. Logs can also be transformed or enriched with additional attributes or computed data using grok configuration.
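The following Logstash pipeline is an added example, not configuration shipped with cfxLogAnalytics, showing how the forwarder can parse syslog with grok, drop events that are not of interest, and enrich the remaining events before sending them to daily, per-log-type indexes. The beats port, the program list, the customer attributes and the backend output settings are assumptions and placeholders.

```logstash
input {
  beats {
    port => 5044                      # local beats agents ship events here (assumed port)
  }
}

filter {
  # Parse a standard syslog line into named fields.
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
    }
    tag_on_failure => ["_grokparsefailure"]
  }

  # Filtering: forward only programs of interest (illustrative list), drop everything else.
  if [syslog_program] not in ["sshd", "sudo", "kernel"] {
    drop { }
  }

  # Enrichment: attach static customer attributes (placeholder values).
  mutate {
    add_field => {
      "customer_id" => "CUSTOMER_ID_PLACEHOLDER"
      "site"        => "SITE_PLACEHOLDER"
    }
  }

  # Computed attribute: mark failed SSH logins so a dashboard widget can count them.
  if [syslog_program] == "sshd" and [syslog_message] =~ /Failed password/ {
    mutate { add_field => { "auth_result" => "failure" } }
  }

  # Normalise the syslog timestamp into @timestamp for time-based indexing.
  date {
    match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
}

output {
  # Backend output is assumed to be Elasticsearch-compatible; host and certificate are placeholders.
  elasticsearch {
    hosts  => ["https://BACKEND_HOST_PLACEHOLDER:9243"]
    cacert => "/etc/logstash/certs/backend-ca.pem"
    index  => "syslog-%{+YYYY.MM.dd}"   # one daily index per log type
  }
}
```

Events that fail the grok match keep the `_grokparsefailure` tag, so unparsed lines can be reviewed rather than silently discarded.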
Visualization: Custom dashboards can be built by adding widgets to a custom dashboard and adjusting the layout. Widgets present data in different formats. Dashboard configurations can also be exported and imported across compatible systems.
Archival: This is an optional add-on component for customers with strict audit or regulatory compliance requirements. It allows short-term (up to 1 year) or long-term (up to 7 years) archival of raw, untampered and unaltered logs. Archival happens daily, and archived logs can be retrieved on demand at any time.