Collector Builder is a standalone application used to build, configure and debug Collectors. It serves as an integrated development environment (IDE) in which the user creates new Collectors that parse data from source devices, written in a special-purpose interpreted language designed for the structure of network and security events.
ESM introduces a hierarchy of deployment objects that allows users to group multiple connections into sets. Raw data flows up the hierarchy from an Event Source to its Connector, from the Connector to its Collector, and from the Collector (as parsed Sentinel events) to the Collector Manager that hosts it; an Event Source Server sits beside this chain as a listener for push-based protocols and hands what it receives to the Event Source configured for it. The objects are as follows:
The Event Source, Event Source Server, Collector and Connector are configuration-related objects and can be added through the ESM user interface.
Collector: This node represents a deployed instance of a Collector Script. It specifies which Collector Script to use as well as the parameter values with which the Collector should run. This node sends Sentinel events to its parent Collector Manager node.
Connector: This node represents a deployed instance of a Connector plug-in. It specifies which Connector plug-in to use as well as some configuration information, such as "auto-discovery." This node sends raw data to its parent Collector node.
Event Source: This node represents a connection to a specific source of data, such as a specific file, firewall or Syslog relay, and contains the configuration information necessary to establish the connection. The health of this node represents the health of the connection to the data source. This node sends raw data to its parent Connector node.
Event Source Server: This node represents a deployed instance of a server-type Connector plug-in. Some protocols, such as Syslog UDP/TCP, NAudit and others, push their data from the source to a server that listens to accept it. The Event Source Server node represents this server and can be configured to accept data from the protocols supported by the selected Connector plug-in. This node redirects the raw data it receives to the Event Source node that is configured to receive data from it; data arriving from a source for which no Event Source has been configured has nowhere to go, so every pushing device needs a matching Event Source.
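The following is an added illustration, not Sentinel or ESM code: a small Python model of the data flow between the nodes described above. The class names, the routing of pushed data by sending peer, the "severity_threshold" Collector parameter and the sample syslog datagrams are all constructed for this example. It shows a Collector Script turning one raw line into an event, the Event Source Server handing pushed data to the Event Source configured for its peer, and what happens to data that has no matching Event Source, arrives over an unsupported protocol, or fails to parse.

```python
"""Toy model of the ESM deployment hierarchy (added example, not ESM code).

Raw data flows Event Source -> Connector -> Collector -> Collector Manager;
an Event Source Server accepts pushed data (syslog here) and hands it to the
Event Source configured for the sending peer. All names are invented.
"""
import re
from dataclasses import dataclass

# RFC 3164-style syslog line: <PRI>TIMESTAMP HOST MESSAGE
SYSLOG_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class Event:
    """Stand-in for the normalized Sentinel event a Collector emits."""
    source_host: str
    severity: str
    message: str
    event_source: str

def syslog_collector_script(raw, params, event_source):
    """Stand-in Collector Script: parse one raw line into an Event, or None.
    Lines that fail to parse, or whose syslog severity number is above
    params['severity_threshold'] (lower numbers are more severe), are dropped."""
    m = SYSLOG_RE.match(raw)
    if m is None:
        return None
    pri = int(m.group(1))
    severity = pri & 7          # low 3 bits of PRI; facility would be pri >> 3
    if severity > params["severity_threshold"]:
        return None
    return Event(source_host=m.group(3), severity=SEVERITY_NAMES[severity],
                 message=m.group(4), event_source=event_source.name)

class CollectorManager:
    """Hosts Collectors and receives the events they produce."""
    def __init__(self):
        self.events = []
    def receive_event(self, event):
        self.events.append(event)

class Collector:
    """Deployed instance of a Collector Script plus its parameter values."""
    def __init__(self, manager, script, params):
        self.manager, self.script, self.params = manager, script, params
        self.dropped = 0        # raw lines the script declined to turn into events
    def receive_raw(self, raw, event_source):
        event = self.script(raw, self.params, event_source)
        if event is None:
            self.dropped += 1
        else:
            self.manager.receive_event(event)

class Connector:
    """Deployed Connector plug-in; passes raw data up to its parent Collector."""
    def __init__(self, collector):
        self.collector = collector
    def receive_raw(self, raw, event_source):
        self.collector.receive_raw(raw, event_source)

class EventSource:
    """One connection to one source; its health tracks that connection."""
    def __init__(self, name, connector, peer):
        self.name, self.connector, self.peer = name, connector, peer
        self.received = 0       # crude health indicator: data is arriving
    def receive_raw(self, raw):
        self.received += 1
        self.connector.receive_raw(raw, self)

class EventSourceServer:
    """Listener for push protocols; routes by sending peer to an Event Source."""
    def __init__(self, accepted_protocols):
        self.accepted_protocols = set(accepted_protocols)
        self.by_peer = {}
        self.unmatched = []     # data from peers with no Event Source configured
    def add_event_source(self, event_source):
        self.by_peer[event_source.peer] = event_source
    def accept(self, protocol, peer, raw):
        if protocol not in self.accepted_protocols:
            return "rejected-protocol"
        event_source = self.by_peer.get(peer)
        if event_source is None:
            self.unmatched.append((peer, raw))
            return "no-event-source"
        event_source.receive_raw(raw)
        return "accepted"

# Constructed sample datagrams: (protocol, sending peer, payload).
SAMPLE_DATAGRAMS = [
    ("syslog-udp", "10.0.0.1", "<34>Oct 11 22:14:15 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5"),
    ("syslog-udp", "10.0.0.2", "<190>Oct 11 22:14:16 rtr1 bgpd: neighbor 10.0.0.3 up"),   # info: filtered
    ("syslog-udp", "10.0.0.9", "<11>Oct 11 22:14:17 rogue sshd: Failed password for root"),  # unknown peer
    ("syslog-udp", "10.0.0.1", "not a syslog line"),                                   # unparsable
    ("snmp-trap", "10.0.0.1", "cold start"),                                            # wrong protocol
]

def run_demo():
    """Wire up one deployment, push the samples through it, return the state."""
    manager = CollectorManager()
    collector = Collector(manager, syslog_collector_script, {"severity_threshold": 4})
    connector = Connector(collector)
    server = EventSourceServer({"syslog-udp", "syslog-tcp"})
    server.add_event_source(EventSource("fw1-syslog", connector, peer="10.0.0.1"))
    server.add_event_source(EventSource("rtr1-syslog", connector, peer="10.0.0.2"))
    results = [server.accept(*datagram) for datagram in SAMPLE_DATAGRAMS]
    return manager, collector, server, results
```

Running run_demo() delivers one event (the firewall's crit-level DROP line) to the Collector Manager, drops two lines inside the Collector (one below the severity threshold, one unparsable), records the datagram from the unconfigured peer 10.0.0.9 as unmatched at the Event Source Server, and rejects the SNMP trap because the server was only configured for syslog. The separation matters operationally: a missing Event Source or an unsupported protocol is invisible to the Collector, so those conditions have to be watched at the Event Source Server, while parse failures and filtering show up as the Collector's drop count.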