What is a Replicator

Overview

Many routers, servers, and other systems can only send messages to a single log management system. The Plixer Replicator allows a single stream of log data to be transparently replicated to multiple destinations.

By configuring the network devices to send their log and flow data to the Replicator, users can control which management system(s) receive the replicated data.

A Replicator eliminates the limitation of sending log and flow data to a small number of management systems.

The basic concepts

The Replicator relies on profiles that contain a list of devices (exporters) sending or streaming data to management systems (collectors). A packet is received by the Replicator on a particular UDP port. The Replicator references a list of profiles to determine if the data received from an exporter should be forwarded on to one or more collectors.

  • Collectors: A collector is a SIEM, flow collector, SNMP trap receiver, or other network management system that actively receives data from networked devices.
  • Exporters: An exporter is a networked device such as a router, switch, or server that generates different types of data and is capable of sending that data to a collector.
  • Profiles: A profile contains one or more exporters, a listening port, one or more collectors, and a sending UDP port.

How profiles work

+--------------------------------+-----------------------------------------+
| MyProfile                      | IN PORT 2002 -> OUT PORT 9996           |
+--------------------------------+-----------------------------------------+

Policies                   Exporters     ->    Collectors
(include) 10.3.1.1/32      10.3.1.1            10.11.1.165

When a packet is received from the exporter 10.3.1.1 on port 2002, it is replicated to the collector 10.11.1.165 on port 9996. Collectors interpret that packet’s origin as 10.3.1.1 and not the Replicator.

Profiles can contain multiple exporters and collectors.

+--------------------------------+-----------------------------------------+
| distdev-63                     | IN PORT 2002 -> OUT PORT 2055           |
+--------------------------------+-----------------------------------------+

 Policies                   Exporters     ->    Collectors
 (include) 10.1.2.18/32     10.1.2.18           10.1.10.63
 (include) 10.4.1.1/32      10.4.1.1            10.1.4.203
 (include) 10.9.1.254/32    10.9.1.254          10.30.11.23
 (include) 192.168.0.17/32  192.168.0.17

If a packet is received from the exporters 10.1.2.18, 10.4.1.1, 10.9.1.254, or 192.168.0.17 on port 2002, it is replicated to 10.1.10.63, 10.1.4.203, and 10.30.11.23 on port 2055.

Policies

A policy is used to determine if a particular exporter should be included or excluded from the profile. Administrators add policies using CIDR notation to include or exclude exporters in a profile.

+--------------------------------+-----------------------------------------+
| steady-replays                 | IN PORT 2002 -> OUT PORT 9996           |
+--------------------------------+-----------------------------------------+

 Policies                  Exporters     ->    Collectors
 (include) 10.25.5.0/24    10.25.5.122         10.1.10.1
                           10.25.5.123
                           10.25.5.10
                           10.25.5.29
                           10.25.5.30

The Replicator will automatically replicate packets from any exporter matching 10.25.5.x on port 2002 to collector 10.1.10.1 on port 9996.

Exclude policies can be used with include policies to exclude one or more exporters. In the example below, any exporter matching 10.25.5.x except 10.25.5.10 will be replicated to the collector 10.1.10.1.

+--------------------------------+-----------------------------------------+
| steady-replays                 | IN PORT 2002 -> OUT PORT 9996           |
+--------------------------------+-----------------------------------------+

 Policies                     Exporters     ->    Collectors
 (include) 10.25.5.0/24       10.25.5.122         10.1.10.1
 (exclude) 10.25.5.10/32      10.25.5.123
                              10.25.5.29
                              10.25.5.30