Newbie: Distributed Logpoint


hello guys, good day

newbie here and I am taking overed from our previous employee. correct me if I’m wrong since it is still in final design

I need to deploy distributed LP in customer environment, we provide them 2 ESXi and this is our 1st customer migrated from Microfocus. The components are: (current)

  • search head x1
  • distributed logpoint x1
  • log collector x2 (collect log for on-prem x1, collect log for cloud but sitting on prem)

for windows, planning to use LPA and the rest syslog

Issue 1:

I do some testing and I realized all the API or Cloud Trail configuration directly into DLP. Reason I am thinking, we do not need the LC on this case and the pros is we have the opportunity to turn on SOAR features also increase the specification/storage for DLP.

Do I need to turn on this DLP as collector also?

Issue 2:

license: 325 nodes (300 servers/security/network and 5 API: sophos, office365 and 1: AWS cloud trail)

I believed 325 nodes will be installed inside the DLP and but not sure about SH and LC, I think I need to purchase another 3 licenses for the rest so new licenses are 328 nodes. Any advise?

Issue: 3

based on my study/reading info, the LC is a collector also function as normalizer log.
in my case, when the LC act a normalizer? because:

  1. after turn on collector, there is no dashboard etc
  2. eg: LPA, the configuration for normalizer at the DLP not inside the LC

Thanks for your response.



Share This Post:

Please sign in to leave a comment.