Program architecture
The standard program installation includes the following components:
- One or more Collectors that receive messages from event sources and parse, normalize, and, if required, filter and/or aggregate them
- A Correlator that analyzes normalized events received from Collectors, performs the necessary actions with active lists, and creates alerts in accordance with the correlation rules
- The Core that includes a graphical interface to monitor and manage the settings of system components.
- The Storage, which contains normalized events and registered incidents
Events are transmitted between components over optionally encrypted, reliable transport protocols. You can configure load balancing to distribute load between service instances, and it is possible to enable automatic switching to the backup component if the primary one is unavailable. If all components are unavailable, events are saved to the hard disk buffer and sent later. The buffer disk size for temporary event storage can be adjusted.
KUMA architecture