The Adapter is responsible for the data ingestion process.
The Adapter is the connection between the data sources and DNIF. It also:
- Collects events over different channels such as syslog, HTTP(S), and NetFlow.
- Parses these events using relevant parsers.
- Annotates events in order to better identify events from different devices.
- Enriches these events to add relevant context, geo-data, and threat intelligence.
The technical features and capabilities of the Adapter (AD) are listed below:

| Feature | Description |
|---|---|
| High Availability (HA) | The AD can be set up in an active/passive configuration: if the primary AD fails, the secondary AD, which is on standby, takes over the workload. This configuration uses keepalived to create a virtual IP, which is the address configured on each integrated device as the destination for its events. In normal operation, the virtual IP is mapped to the primary AD. When the primary AD fails, the virtual IP is mapped to the secondary AD, which is on standby with the same configuration. |
| Load Balancing | If the input feed is larger than the maximum capacity of a single AD, multiple ADs must be load balanced to share the workload. This can be done with a commercially available product or with NGINX, which is open source. Load balancing also provides resiliency or high availability. |
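
The active/passive setup described in the High Availability row could look like the following keepalived configuration for the primary AD. This is an added example, not configuration from the DNIF documentation; the interface name, all addresses, the password and the health-check script path are placeholders.

```conf
# /etc/keepalived/keepalived.conf on the PRIMARY Adapter (constructed example)
# Interface, addresses, password and script path are placeholders.

global_defs {
    enable_script_security      # refuse check scripts writable by non-root users
    script_user root
}

# Health check: release the virtual IP when the Adapter stops accepting events,
# not only when the whole host goes down.
vrrp_script chk_adapter {
    script "/usr/local/bin/check_adapter.sh"   # hypothetical script, exit 0 = healthy
    interval 2      # run every 2 seconds
    fall 3          # 3 consecutive failures mark this node faulty
    rise 2          # 2 consecutive successes mark it healthy again
}

vrrp_instance ADAPTER_VIP {
    state MASTER                # secondary AD: BACKUP
    interface eth0
    virtual_router_id 51        # must be identical on both ADs
    priority 150                # secondary AD: a lower value, e.g. 100
    advert_int 1

    # Unicast between the two ADs only, instead of multicast to the segment.
    unicast_src_ip 192.0.2.11   # secondary AD: 192.0.2.12
    unicast_peer {
        192.0.2.12              # secondary AD: 192.0.2.11
    }

    # Sent in cleartext: guards against misconfiguration, not a network attacker.
    # Also restrict VRRP (IP protocol 112) to the peer address in the host firewall.
    authentication {
        auth_type PASS
        auth_pass CHANGEME      # placeholder, at most 8 characters
    }

    virtual_ipaddress {
        192.0.2.10/24           # the address devices send their events to
    }

    track_script {
        chk_adapter
    }
}
```

The secondary AD uses the same file with the values noted in the comments swapped, so that it holds the virtual IP only while the primary is down or failing its health check.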