DEVELOPING COLLECTOR PLUG-INS
This section provides detailed information about developing Sentinel Collector Plug-ins using the Plug-in SDK. Collectors gather data from many different types of endpoint devices, systems, services, and applications. The usual goal is to provide a real-time feed of event log data from the event source, normalize that data to fit the Sentinel Event Schema, and then send it into Sentinel for analysis and storage. Other types of Collectors are also possible (Collectors are also used to gather identity, host, and vulnerability information), but the vast majority collect event data.
This section of the SDK documentation is split into two parts:
- Collector Development Guide: a walk-through of a normal Collector development lifecycle, with plenty of examples of common techniques, usage, and best practices.
- Collector Development Topics: deep-dive reference material on specific topics of interest.
Collector Development Guide
- Getting Started
- Initial Build
- Plug-in Contents
- Data Parsing
- Build Process
- Event Construction
- Connector Interaction
- Common Code
- Additional Information
Our recommendation is that you start with the Development Guide and walk through the process, then come back to the Development Topics later as necessary.
If you have any questions about how to develop Collectors or feedback about the SDK or this documentation, please post in the Forums.