Log Forwarder Punchline
Refer to the Central Log Management overview of platform monitoring events.
Key Design highlights
For compatibility with 'beats' inputs (Metricbeat at least), the message in the platform-events Kafka topic is JSON, not lumberjack.
Please refer to the reference punchline example for the appropriate configuration of the lumberjack input node.
Transport / interface / HA
The forwarding of platform events is done using the lumberjack protocol, as we would for other cybersecurity logs or events that we do not want to lose. This is important because the events include operator actions, which must not be lost for 2 reasons:

- they are part of the audit trail of the operator actions (which is a security event)
- they are used to trigger the channels monitoring service on the central site (i.e. an application is monitored only if the last known operator action for this application is a 'start')

With this acknowledged protocol, if there is a failure to handle the data on the remote central site, then the data will be replayed later for forwarding.
The lumberjack output node is able to target multiple servers on the central site, improving the overall load balancing and high availability of the forwarding mechanism.
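
The reasoning in this section, as an added example that is not Punch code: a toy Python model comparing acknowledged forwarding with replay against fire-and-forget, then applying the central-site rule that an application is monitored only if its last known operator action is a 'start'. The `Target` class, the receiver names and the event values are constructed assumptions, and acknowledging one event at a time is a simplification.

```python
# Added illustration (not Punch code): toy model of acknowledged forwarding.
# Constructed sample operator actions, in the order they were issued.
EVENTS = [
    {"seq": 0, "app": "apache_parser", "action": "start"},
    {"seq": 1, "app": "dns_parser", "action": "start"},
    {"seq": 2, "app": "dns_parser", "action": "stop"},
    {"seq": 3, "app": "apache_parser", "action": "stop"},
    {"seq": 4, "app": "dns_parser", "action": "start"},
]

class Target:
    """Hypothetical central-site receiver; its first `down_for` sends fail."""
    def __init__(self, name, down_for=0):
        self.name, self.down_for, self.received = name, down_for, []

    def send(self, event):
        if self.down_for > 0:
            self.down_for -= 1
            return False              # no acknowledgement came back
        self.received.append(event)
        return True                   # acknowledged by the receiver

def forward_acked(events, targets, max_attempts=10):
    """Move on only after an ack; otherwise replay, rotating over targets."""
    attempts = 0
    for event in events:
        for _ in range(max_attempts):
            target = targets[attempts % len(targets)]
            attempts += 1
            if target.send(event):
                break
        else:
            raise RuntimeError(f"event {event['seq']} was never acknowledged")
    return attempts

def forward_unacked(events, targets):
    """Fire-and-forget round robin: a failed send is silently lost."""
    for i, event in enumerate(events):
        targets[i % len(targets)].send(event)

def monitored_apps(targets):
    """Page's rule: monitored only if the last known action is 'start'."""
    seen = sorted((e for t in targets for e in t.received), key=lambda e: e["seq"])
    last = {e["app"]: e["action"] for e in seen}
    return sorted(app for app, action in last.items() if action == "start")

def run(forward):
    targets = [Target("central-1"), Target("central-2", down_for=2)]
    forward(EVENTS, targets)
    return monitored_apps(targets)
```

With one receiver failing its first two sends, `run(forward_unacked)` loses the 'stop' for `apache_parser` and still reports it as monitored, while `run(forward_acked)` replays the unacknowledged events and returns only `dns_parser`.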