
Log Forwarder Punchline

Refer to the central log management overview.

Reference central site platform monitoring events management (image)

Key Design highlights

JSON encoding

For compatibility with 'beats' inputs (metricbeat at least), the message in the platform-events Kafka topic is JSON, not lumberjack.

Please refer to the reference punchline example for the appropriate configuration of the lumberjack input node.

Transport / interface / HA

The forwarding of platform events is done using the lumberjack protocol, as we would for other cybersecurity logs or events that we do not want to lose. This is important because the events include operator actions, which must not be lost for 2 reasons:

- because they are part of the audit trail of the operator actions (which is a security event)
- because they are used to trigger the channels monitoring service on the central site (i.e. an application is monitored only if the last known operator action for this application is a 'start')

With this acknowledged protocol, if there is a failure to handle the data on the remote central site, then the data will be replayed later for forwarding.

The lumberjack output node is able to target multiple servers on the central site, improving overall load balancing and high availability of the forwarding mechanism.
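The following Python model is an added example, not Punch code and not the lumberjack wire format: it illustrates acknowledged forwarding to several targets, replay of unacknowledged events, and the "last known operator action is 'start'" rule. The `Target` class, the `ts`/`app`/`action` field names and the sample events are assumptions made for the illustration.

```python
import json

class Target:
    """Constructed stand-in for one central-site receiver (not Punch code)."""
    def __init__(self, up=True, ack_lost=False):
        self.up, self.ack_lost, self.received = up, ack_lost, []

    def send(self, payload):
        if not self.up:
            return False              # nothing handled, nothing acknowledged
        self.received.append(json.loads(payload))
        return not self.ack_lost      # handled, but the ack may never arrive

def forward(pending, targets):
    """Send each event to the first target that acknowledges it.
    Returns the events no target acknowledged, to be replayed later."""
    unacked = []
    for n, event in enumerate(pending):
        start = n % len(targets)      # rotate the first choice to spread load
        order = targets[start:] + targets[:start]
        if not any(t.send(json.dumps(event)) for t in order):
            unacked.append(event)
    return unacked

def monitored_apps(events):
    """Apps whose last known operator action (by timestamp) is 'start'."""
    last = {}
    for e in events:
        if e["app"] not in last or e["ts"] >= last[e["app"]]["ts"]:
            last[e["app"]] = e
    return {app for app, e in last.items() if e["action"] == "start"}

# Constructed sample operator actions (field names are assumptions).
EVENTS = [
    {"ts": 1, "app": "parser", "action": "start"},
    {"ts": 2, "app": "shipper", "action": "start"},
    {"ts": 3, "app": "shipper", "action": "stop"},
]

def demo():
    a, b = Target(up=False), Target(ack_lost=True)
    pending = forward(EVENTS, [a, b])   # a is down; b handles but acks are lost
    a.up, b.ack_lost = True, False
    pending = forward(pending, [a, b])  # replay after recovery
    central = a.received + b.received   # duplicated and out of order
    return pending, len(central), monitored_apps(central)
```

Replay makes delivery at-least-once, so the receiving side sees duplicates and reordering; the model resolves the "last known" action by event timestamp rather than arrival order.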

Reference configuration example

Collector site monitoring events forwarding punchline example