cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MCAS log ingestion deployment modes( Log collector vs MDE)

maheshcapj
Copper Contributor

‎Sep 15 2021 03:33 AM

‎Sep 15 2021 03:33 AM

MCAS log ingestion deployment modes( Log collector vs MDE)

Hello techies,

 

Hope you all doing well and keeping safe during this unprecedented timings!!

 

I have couple of queries regarding log deployment modes. Please help me understand.

 

As part of transition we have been requested to support for one of our clients. In the current ecosystem log ingestion is being happened through native MDE integration and via log collectors( Docker image on Linux in Azure)

 

1. When we are able to discover the data from MDE, why should we have log collector deployment inplace? I believe with the help of log collectors only, we can able to replicate the cloud discovery resource details( statistics for platform security i.e storage account transactions ) please correct me if i am wrong.

 

2. If we ingest the data from both mde and through log collector servers will it be treated as redundant logs from MCAS side? how will it be processed the data?

 

3. Log collectors are showing offline since Sep4th 2021. But last parsed log is showing as sep 14th? So there is 10 days of delay in processing the data from log collectors to MCAS? Why it is taking 10 days time period because, we would be in a blind spot from security standpoint?

 

Can somebody please help me understand the above queries?

 

Looking forward to hearing for these queries please?

 

Thank you,

Mahesh.

 

 

 

915 Views
0 Likes
1 Reply
Reply
1 Reply
JaredPoeppelman

‎Dec 03 2021 09:59 AM

‎Dec 03 2021 09:59 AM

Re: MCAS log ingestion deployment modes( Log collector vs MDE)

1. MDE is superior in ease of deployment and pretty much every other way but is not available for every network device, like IoT devices for one example. Log collectors can receive syslog data from virtually any network firewall or web proxy device, so that can cover any host.

2. When using both (MDE and log collectors), you may also get duplicate data for MDE clients going through a network device that is also sending logs to the collector. The only current solution for de-duplication is to simply view the individual reports, instead of the all-up report containing both datasets.

3. I cannot answer your specific questions, but if you are unable to get your log collectors working following our guidance, please contact support.
0 Likes
Reply