The Log Collection Platform (LCP) is designed to collect, compress, and transmit your log data securely to Symantec MSS. The LCPs are installed on customer-provisioned hardware and thereafter solely managed by Symantec MSS. This allows Symantec to correlate, store, and analyze the data collected from the customer's devices. You will be required to work with your Symantec MSS Sales Engineer (SE) to scope devices, calculate device LEPS, and provision hardware. The SEs have guidelines that include in-depth instructions and methodologies for correctly scoping your LCP implementation.
Figure 1-1 : MSS Log Collection Platform
A technology device (or application), or a mix of devices, detects and logs activity on the network.
Event Collectors gather, filter, and aggregate the log data and forward both the raw and processed log data to the Event Agent for transmission to the LCP. In some configurations, an off-box collector and agent may be required.
The on-premises LCP receives the log data, which is then compressed for transport and digitally signed as originating from the device in question. The compressed, signed data is sent from the customer devices to the SOC over a connection secured by the TLS 1.2 protocol using RSA 2048-bit encryption.
Log data is stored in a proprietary, read‐only system in a completely separated database table space residing in a protected environment within the database infrastructure.
The Device log files are run through the Symantec MSS STP (SOC Technology Platform) for multilayer post‐processing and presented to analysts for incident validation.
Self-service MSS Portal Dashboards and Reports are available for customer access.
Table 1-1 Hardware Requirements
Physical: 2 x Quad-core running at 1.7 GHz or greater, x64 compatible; Virtual: 8 CPUs
Physical: 4 x Quad-core running at 1.7 GHz or greater, x64 compatible; Virtual: 16 CPUs
The hardware must be certified to run CentOS release 6.10.
Requires a static IP address and fully qualified domain name.
VM performance estimates closely match those of similarly configured physical hardware, with only marginal degradation.
VMTools installation is recommended.
VMware CPU and RAM resource reservation is mandatory. Please refer to the vendor documentation for instructions on how to reserve CPU and RAM resources.
When creating the virtual machine, use the Typical setting, ensure that the disk type is Eager Zeroed Thick Provision, and select LSI Logic Parallel as the SCSI controller.
Confirm that the hardware on which the LCP is to be installed is supported by CentOS 6.10.
Note: The above LCP Specifications are for estimation and guidance only. Detailed understanding of the environment and device log levels must be reviewed prior to provisioning the platform. Best practice in deploying log collection architecture requires an understanding of the amount of log data being generated in the environment (measured in Log Events Per Second or LEPS), in combination with the LCP log processing capacity.
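The following pre-flight script is an added example (not Symantec's own tooling) that checks a candidate host against the requirements above: the CPU count for the 8- or 16-CPU tiers in Table 1-1, the CentOS 6.10 release, a fully qualified domain name, and a static (non-DHCP) address. The interface name eth0 and the ifcfg file path are assumptions about a default CentOS 6 install.

```shell
#!/bin/sh
# Pre-flight check for a host about to become an LCP (added example, not
# Symantec tooling). Thresholds come from Table 1-1 (8 or 16 CPUs) and the
# CentOS 6.10 / static IP / FQDN requirements above; the interface name
# (eth0) and ifcfg path are assumptions about a default CentOS 6 install.

# 0 if the release string is CentOS 6.10, else 1.
lcp_check_release() {
    case "$1" in *"CentOS release 6.10"*) return 0 ;; *) return 1 ;; esac
}

# 0 if the CPU count reaches the requested tier (only 8 or 16 are valid).
lcp_check_cpus() {
    case "$2" in 8|16) ;; *) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# 0 if the name is a syntactically valid FQDN (two or more labels, no
# leading/trailing hyphen or dot), so a bare short hostname is rejected.
lcp_check_fqdn() {
    printf '%s\n' "$1" | grep -Eq \
        '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'
}

# 0 if ifcfg-* content (passed as a string) sets a static address:
# an IPADDR line present and BOOTPROTO not dhcp.
lcp_check_static_ip() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^BOOTPROTO=//p' | tr -d '"' | tr 'A-Z' 'a-z')
    addr=$(printf '%s\n' "$1" | sed -n 's/^IPADDR=//p' | tr -d '"')
    [ -n "$addr" ] && [ "$proto" != "dhcp" ]
}

# Run all checks against the live host for the given tier and report.
lcp_preflight() {
    iface="${LCP_IFACE:-eth0}"
    lcp_check_release "$(cat /etc/redhat-release 2>/dev/null)" \
        && echo "PASS release" || echo "FAIL release: need CentOS release 6.10"
    lcp_check_cpus "$(nproc 2>/dev/null || echo 0)" "$1" \
        && echo "PASS cpus" || echo "FAIL cpus: tier $1 needs $1 CPUs"
    lcp_check_fqdn "$(hostname -f 2>/dev/null)" \
        && echo "PASS fqdn" || echo "FAIL fqdn: set a fully qualified domain name"
    lcp_check_static_ip "$(cat /etc/sysconfig/network-scripts/ifcfg-$iface 2>/dev/null)" \
        && echo "PASS static ip" || echo "FAIL static ip: $iface must not use DHCP"
}

# Usage: LCP_TIER=8 sh lcp_preflight.sh   (tier 8 or 16 from Table 1-1)
if [ -n "${LCP_TIER:-}" ]; then lcp_preflight "$LCP_TIER"; fi
```

Run it on the provisioned host before the SE schedules the install; any FAIL line points at a requirement from the list above that still needs attention.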
When standing up an LCP server to connect to the MSS SOC, apply the following port settings.