• 28 Feb 2022

PICO is a small, lightweight, standalone Docker container used to collect, queue, store, process, filter and forward log events. It acts as a collector for all your event logs from multiple servers, desktops and other sources, and forwards them to a single destination or to multiple configured destinations or servers. After collecting and filtering, it forwards events to the central deployment. If there is a link failure, it queues events and flushes them when the link comes back up.



The PICO Architecture explained

  • Multiple connectors are deployed on PICO out of the box to receive data.
  • Data received on PICO is filtered on the basis of Source IP Address and event strings.
  • Filter Engine is the component that carries out the filtering of incoming data. You can spawn multiple Filter Engine processes for faster filtering.
  • It filters the Source IP address depending upon the policy set for filtering.
  • It filters the events based on the configurations set for event strings.
  • Once the filtering process is completed it fans out the logs to all forwarders.
  • Log forwarding: Logs can be forwarded either via Native Forwarders or Raw Forwarders.
    • Native Forwarders forward logs to the primary or failover Adapter.
    • Raw Forwarders forward the logs in raw format to syslog servers.
  • For Native Forwarders, the Adapter will have a PICO Connector on a configurable port (the default port number is 7426) to send the logs in the desired format to the ingestion queue of the Adapter.


  • Ensure all the conditions mentioned in Before you Begin are met before proceeding with the installation.

It is mandatory for PICO to have VPN connectivity to the Core private interface, i.e. the CORE_IP mentioned while bringing up the component.


The installation and setup of PICO is handled by a script, which is run using the command below:

bash -c "$(curl -s https://raw.githubusercontent.com/dnif/installer/main/picoinstaller.sh)"

The inputs required are:

  • CORE_IP: Specify the IP Address of the Core to bind to a cluster.
  • PROXY: This is an optional input if a proxy setup is present in your environment.
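
The one-line command above executes whatever the URL returns at that moment. As an added example (not part of the DNIF documentation), the functions below fetch the same script to a file, pin its SHA-256 after review, and run only the copy that still matches. The function names and the pinned digest are assumptions; this page publishes no checksum.

```shell
#!/usr/bin/env bash
# Added example, not DNIF's own procedure: run the installer from a reviewed,
# hash-pinned local copy instead of piping curl output straight into bash.
# Function names and the pinned digest are hypothetical.

INSTALLER_URL="https://raw.githubusercontent.com/dnif/installer/main/picoinstaller.sh"

# Download to a file; fail on HTTP errors, allow HTTPS only (also on redirects).
fetch_installer() {  # usage: fetch_installer <dest>
  curl --fail --silent --show-error --location \
       --proto '=https' --proto-redir '=https' \
       --output "$1" "$INSTALLER_URL"
}

# Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {  # usage: file_sha256 <file>
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Succeed only if the file's digest equals the digest recorded at review time.
verify_installer() {  # usage: verify_installer <file> <expected-sha256>
  [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 2; }
  actual=$(file_sha256 "$1")
  if [ "$actual" != "$2" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
}

# Run the reviewed copy only when it still matches the pinned digest.
run_reviewed_installer() {  # usage: run_reviewed_installer <file> <expected-sha256>
  verify_installer "$1" "$2" && bash "$1"
}

# Typical flow (commented out so sourcing this file has no side effects):
#   fetch_installer ./picoinstaller.sh
#   less ./picoinstaller.sh                     # review what it will do
#   PINNED=$(file_sha256 ./picoinstaller.sh)    # record the digest after review
#   run_reviewed_installer ./picoinstaller.sh "$PINNED"
```

Reusing the pinned digest on every further host means each one runs the same reviewed script, and a changed upstream file stops the install instead of executing.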
