Dynamic configuration of remote capture agents for network data capture
Abstract
The disclosed embodiments provide a method and system for facilitating the processing of network data. During operation, the system obtains, at a remote capture agent, configuration information for the remote capture agent from a configuration server over a network. Next, the system uses the configuration information to configure the generation of event data from network packets at the remote capture agent. Upon receiving an update to the configuration information from the configuration server, the system uses the update to reconfigure the generation of the event data by the remote capture agent during runtime of the remote capture agent.
297 Citations
31 Claims
1. A computer-implemented method performed by a remote capture agent coupled to a network, the method comprising:
  - obtaining configuration information from a configuration server over the network, the configuration information specifying a plurality of event streams to be generated by the remote capture agent and further specifying a respective event type associated with each event stream of the plurality of event streams;
  - monitoring network traffic comprising a plurality of network packets;
  - generating, based on the configuration information, a plurality of events from the network traffic, wherein generating an event of the plurality of events comprises:
    - extracting network packet data from at least one network packet of the plurality of network packets and associating the extracted network packet data with the event;
    - applying a filtering rule to the extracted network packet data to determine an event type associated with the event;
    - adding, based on the determined event type, the event to at least one event stream of the plurality of event streams;
  - for each event stream of the plurality of event streams:
    - selecting, based on the event type for the event stream specified in the configuration information, a component of a plurality of components on the network to which to send the event stream; and
    - sending the event stream to the selected component on the network for subsequent processing.

  Dependent claims: 2-11.

12. A computer-implemented method performed by a configuration server coupled to a network, the method comprising:
  - obtaining configuration information for a set of remote capture agents on a set of networks, the configuration information specifying a plurality of event streams to be generated by each remote capture agent of the set of remote capture agents and further specifying a respective event type associated with each event stream of the plurality of event streams;
  - sending the configuration information to at least one remote capture agent of the set of remote capture agents, the configuration information causing the at least one remote capture agent of the set of remote capture agents to generate a plurality of events from network traffic, wherein generating an event of the plurality of events comprises:
    - extracting network packet data from at least one network packet and associating the extracted network packet data with the event;
    - applying a filtering rule to the extracted network packet data to determine an event type associated with the event; and
    - adding, based on the determined event type, the event to at least one event stream of the plurality of event streams;
  - wherein the configuration information further causes the at least one remote capture agent of the set of remote capture agents to, for each event stream of the plurality of event streams:
    - select, based on the event type for the event stream specified in the configuration information, a component of a plurality of components on the network to which to send the event stream; and
    - send the event stream to the selected component on the network for subsequent processing.

  Dependent claims: 13-18.

19. A remote capture agent coupled to a network, the remote capture agent comprising:
  - a processor;
  - a non-transitory computer readable storage medium storing instructions which, when executed by the processor, cause the remote capture agent to:
    - obtain configuration information from a configuration server over a network, the configuration information specifying a plurality of event streams to be generated by the remote capture agent and further specifying a respective event type associated with each event stream of the plurality of event streams;
    - monitor network traffic comprising a plurality of network packets;
    - generate, based on the configuration information, a plurality of events from the network traffic, wherein generating an event of the plurality of events comprises:
      - extracting network packet data from at least one network packet of the plurality of network packets and associating the extracted network packet data with the event;
      - applying a filtering rule to the extracted network packet data to determine an event type associated with the event;
      - adding, based on the determined event type, the event to at least one event stream of the plurality of event streams;
    - for each event stream of the plurality of event streams:
      - select, based on the event type for the event stream specified in the configuration information, a component of a plurality of components on the network to which to send the event stream; and
      - send the event stream to the selected component on the network for subsequent processing.

  Dependent claims: 20-24.

25. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause a remote capture agent to perform operations comprising:
  - obtaining configuration information from a configuration server over a network, the configuration information specifying a plurality of event streams to be generated by the remote capture agent and further specifying a respective event type associated with each event stream of the plurality of event streams;
  - monitoring network traffic comprising a plurality of network packets;
  - generating, based on the configuration information, a plurality of events from the network traffic, wherein generating an event of the plurality of events comprises:
    - extracting network packet data from at least one network packet of the plurality of network packets and associating the extracted network packet data with the event;
    - applying a filtering rule to the extracted network packet data to determine an event type associated with the event;
    - adding, based on the determined event type, the event to at least one event stream of the plurality of event streams;
  - for each event stream of the plurality of event streams:
    - selecting, based on the event type for the event stream specified in the configuration information, a component of a plurality of components on the network to which to send the event stream; and
    - sending the event stream to the selected component on the network for subsequent processing.

  Dependent claims: 26-31.
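As an added illustration (not code from the patent or from any product), a small Python model of the pipeline the abstract and claim 1 describe: a constructed configuration carries filtering rules plus event streams with their event type and destination component, the agent classifies already-parsed packets into events, adds each to its stream, selects the component per stream, and can be reconfigured at runtime. Field names, port-to-type rules, component names and packet values are all assumptions made here for the example.

```python
from collections import defaultdict

# Constructed configuration in the shape a configuration server might push:
# each event stream names the event type it carries and the component it goes to.
CONFIG_V1 = {
    "filter_rules": [  # (packet field, value, event type); first match wins
        ("dst_port", 53, "dns"),
        ("dst_port", 80, "http"),
    ],
    "streams": [
        {"name": "dns_stream", "event_type": "dns", "component": "indexer-a"},
        {"name": "http_stream", "event_type": "http", "component": "indexer-b"},
    ],
}

# Constructed, already-parsed packet headers (no live capture involved).
PACKETS = [
    {"src": "192.0.2.5", "dst": "192.0.2.53", "dst_port": 53, "len": 64},
    {"src": "192.0.2.5", "dst": "198.51.100.10", "dst_port": 80, "len": 512},
    {"src": "192.0.2.7", "dst": "192.0.2.9", "dst_port": 22, "len": 128},  # no rule
]


class CaptureAgent:
    def __init__(self, config):
        self.reconfigure(config)

    def reconfigure(self, config):
        # Apply (or re-apply at runtime) the configuration received from the server.
        self.rules = config["filter_rules"]
        self.route = {s["event_type"]: s["name"] for s in config["streams"]}
        self.component = {s["name"]: s["component"] for s in config["streams"]}

    def classify(self, packet):
        # Filtering rule: the first matching rule decides the event type.
        for field, value, event_type in self.rules:
            if packet.get(field) == value:
                return event_type
        return None  # matches no configured stream; the packet is not turned into an event

    def generate_events(self, packets):
        # Extract packet data into an event and add it to the stream for its type.
        streams = defaultdict(list)
        for pkt in packets:
            event_type = self.classify(pkt)
            if event_type in self.route:
                event = {"type": event_type, "src": pkt["src"], "dst": pkt["dst"], "bytes": pkt["len"]}
                streams[self.route[event_type]].append(event)
        return dict(streams)

    def dispatch(self, streams):
        # Select, per stream, the component that receives it; returns {stream: (component, events)}.
        return {name: (self.component[name], events) for name, events in streams.items()}
```

Re-running `reconfigure` with a changed stream list re-routes subsequent events without restarting the agent, which is the runtime update the abstract describes.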
Specification