Hello guys, good day.
Newbie here, and I am taking over from our previous employee. Correct me if I'm wrong since it is still in final design.
I need to deploy distributed LP in a customer environment; we provide them 2 ESXi, and this is our 1st customer migrated from Microfocus. The current components are:
- search head x1
- distributed logpoint x1
- log collector x2 (x1 collecting logs for on-prem, x1 collecting logs for cloud but sitting on-prem)
For Windows, planning to use LPA, and syslog for the rest.
Issue 1:
I did some testing and realized all the API or CloudTrail configuration goes directly into the DLP. The reason I am thinking this is that we do not need the LC in this case, and the pros are that we have the opportunity to turn on SOAR features and also increase the specification/storage for the DLP.
Do I need to turn on this DLP as a collector also?
Issue 2:
License: 325 nodes (300 servers/security/network, 5 API: Sophos, Office365, and 1: AWS CloudTrail).
I believe the 325 nodes will be installed inside the DLP, but I am not sure about the SH and LC. I think I need to purchase another 3 licenses for the rest, so the new license is 328 nodes. Any advice?
Issue 3:
Based on my study/reading, the LC is a collector that also functions as a log normalizer.
In my case, when does the LC act as a normalizer? Because:
- after turning on the collector, there is no dashboard, etc.
- e.g. LPA: the configuration for the normalizer is at the DLP, not inside the LC
Thanks for your response.
Regards,
Mohamed