DYNAMIC CONFIGURATION OF REMOTE CAPTURE AGENTS FOR NETWORK DATA CAPTURE
First Claim
1. A computer-implemented method for facilitating the processing of network data, comprising:
- obtaining, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network;
- using the configuration information to configure the generation of event data from network packets at the remote capture agent;
- upon receiving an update to the configuration information from the configuration server, using the update to reconfigure the generation of the event data by the remote capture agent during runtime of the remote capture agent;
- during runtime of the remote capture agent, generating the event data from network packets received at the remote capture agent;
- storing the event data in a data store; and
- while subsequently processing a query, employing a retrieval schema, which includes an extraction rule that indicates how to extract one or more values from an event, to extract values from events in the event data obtained from the data store, and identifying responsive events based on the extracted values.
Abstract
The disclosed embodiments provide a method and system for facilitating the processing of network data. During operation, the system obtains, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network. Next, the system uses the configuration information to configure the generation of event data from network packets at the remote capture agent. Upon receiving an update to the configuration information from the configuration server, the system uses the update to reconfigure the generation of the event data by the remote capture agent during runtime of the remote capture agent.
39 Citations
26 Claims
1. A computer-implemented method for facilitating the processing of network data, comprising: obtaining, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network; using the configuration information to configure the generation of event data from network packets at the remote capture agent; upon receiving an update to the configuration information from the configuration server, using the update to reconfigure the generation of the event data by the remote capture agent during runtime of the remote capture agent; during runtime of the remote capture agent, generating the event data from network packets received at the remote capture agent; storing the event data in a data store; and while subsequently processing a query, employing a retrieval schema, which includes an extraction rule that indicates how to extract one or more values from an event, to extract values from events in the event data obtained from the data store, and identifying responsive events based on the extracted values.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 23

10. A computer-implemented method for facilitating network data capture, comprising: obtaining, at a configuration server, configuration information for a set of remote capture agents on a set of networks; and using the configuration server to provide the configuration information over the set of networks to the remote capture agents, wherein the configuration information is used by the remote capture agents to configure the generation of event data from network packets captured by the remote capture agents during runtime of the remote capture agent, generating the event data from network packets received at the remote capture agent; storing the event data in a data store; and while subsequently processing a query, employing a retrieval schema, which includes an extraction rule that indicates how to extract one or more values from an event, to extract values from events in the event data obtained from the data store, and identifying responsive events based on the extracted values.
Dependent claims: 11, 12, 13, 24

14. A system for facilitating network data capture, comprising: a remote-processing node comprising a computer system with a network connection; a remote capture agent that executes on the remote-processing node, comprising: a capture component configured to capture network packets from a network; an events generator configured to generate event data from the network packets; a configuration component configured to: obtain configuration information from a configuration server over a network, use the configuration information to configure the generation of event data at the events generator, and upon receiving an update to the configuration information, use the update to reconfigure the generation of the event data by the events generator during runtime of the remote capture agent; and a data-store node comprising a computer system with a network connection; a data store that executes on the data-store node and is configured to store the event data generated by the events generator; and an indexer that processes a query by employing a retrieval schema, which includes an extraction rule that indicates how to extract one or more values from an event, to extract values from events in the event data obtained from the data store, and identifying responsive events based on the extracted values.
Dependent claims: 15, 16, 17, 18

19. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for processing network data, the method comprising: obtaining, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network; using the configuration information to configure the generation of event data from network packets at the remote capture agent; and upon receiving an update to the configuration information from the configuration server, using the update to reconfigure the generation of the event data by the remote capture agent during runtime of the remote capture agent; during runtime of the remote capture agent, generating the event data from network packets received at the remote capture agent; storing the event data in a data store; and while subsequently processing a query, employing a late-binding schema, which includes an extraction rule that indicates how to extract one or more values from an event, to extract values from events in the event data obtained from the data store, and identifying responsive events based on the extracted values.
Dependent claims: 20, 21, 22, 26

25. The system of claim 140, wherein the retrieval schema is a late-binding retrieval schema that is applied during query execution.
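The capture-then-query flow the claims describe, as an added simulation that is not the patent's own code: a remote capture agent takes its configuration from a server, is reconfigured at runtime by an updated configuration, writes raw event text to a data store, and a regex extraction rule (the retrieval or late-binding schema) is applied only when a query runs. The configuration keys, packet fields and 10.0.0.x addresses are constructed assumptions.

```python
import re
from typing import Callable

# Constructed configuration records standing in for what the configuration
# server sends; key names are assumptions, not the patent's own format.
INITIAL_CONFIG = {"capture_ports": [80], "event_fields": ["src", "dst", "dport"]}
UPDATED_CONFIG = {"capture_ports": [80, 443], "event_fields": ["src", "dst", "dport", "payload"]}
# Constructed packet summaries (hypothetical, not real captures).
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 80, "payload": "GET /login HTTP/1.1"},
    {"src": "10.0.0.6", "dst": "10.0.0.9", "dport": 443, "payload": "ClientHello"},
    {"src": "10.0.0.7", "dst": "10.0.0.9", "dport": 22, "payload": "SSH-2.0"},
]

class RemoteCaptureAgent:
    """Turns packets into event text according to server-supplied configuration."""
    def __init__(self, config: dict) -> None:
        self.reconfigure(config)

    def reconfigure(self, config: dict) -> None:
        # Used for the initial configuration and for every runtime update;
        # only these attributes change, so the agent keeps running.
        self.ports = set(config["capture_ports"])
        self.fields = list(config["event_fields"])

    def generate_event(self, packet: dict):
        if packet["dport"] not in self.ports:
            return None
        # Events are stored as raw text; no field values are extracted here.
        return " ".join(f"{k}={packet[k]}" for k in self.fields if k in packet)

def capture(agent: RemoteCaptureAgent, packets: list, data_store: list) -> list:
    data_store.extend(e for e in map(agent.generate_event, packets) if e is not None)
    return data_store

def query(data_store: list, extraction_rule: str, predicate: Callable[[str], bool]) -> list:
    """Retrieval schema: apply the regex extraction rule at query time and keep
    the events whose extracted value satisfies the predicate."""
    rx = re.compile(extraction_rule)
    return [e for e in data_store if (m := rx.search(e)) and predicate(m.group(1))]

def demo() -> tuple:
    store: list = []
    agent = RemoteCaptureAgent(INITIAL_CONFIG)
    capture(agent, PACKETS, store)        # only port 80 traffic becomes events
    agent.reconfigure(UPDATED_CONFIG)     # runtime update pushed by the server
    capture(agent, PACKETS, store)        # now port 80 and 443, with payload field
    hits = query(store, r"dport=(\d+)", lambda v: int(v) == 443)
    return len(store), hits
```

Because extraction happens in `query`, a new extraction rule can be applied to events that were stored before the rule existed, which is what makes the schema late-binding.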
Specification