Agent-based gathering process:
1. The GatheringEngine sends the configuration to the remote agent.
2. The GatheringEngine asks the remote agent for data and waits to receive it.
3. The remote agent reads the data from either the event log or the client-side cache (agent-side log backup), depending on the caching settings.
4. The remote agent applies filters and writes temporary files in the ‘Repository File’ format:
   - At least 1 ‘Repository File’ for gathering to a repository.
   - At least 1 ‘Repository File’ for gathering to an audit database.
   - The number of ‘Repository Files’ depends on the size of the data (maximum 8 MB uncompressed, configurable).
5. The temporary files are communicated to GatheringEngine:
   - When the buffer reaches 8 MB (configurable) of event data, the ‘Repository File’ is ready for delivery.
   - The remote agent waits for acknowledgement from GatheringEngine (i.e., GatheringEngine is ready to receive new data).
   - The remote agent sends data to GatheringEngine. Note that new data will not be written to a ‘Repository File’ if the previous file has not been sent; also, GatheringEngine must notify the agent that the data has been successfully put into storage.
6. The GatheringEngine writes the temporary ‘Repository File’ into a temporary folder on the InTrust server.
   - If data is being gathered to a repository, the ‘Repository File’ is moved to the repository.
   - If data is being gathered to an audit database, the data is extracted from the ‘Repository File’ and imported into the audit database.
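
The stop-and-wait delivery in step 5, as a toy Python model added here for illustration; it is not InTrust code. The Engine class, the deliver function and the sample events are hypothetical, and stopping on a missing storage confirmation (rather than retrying) is an assumption.

```python
from dataclasses import dataclass, field

LIMIT = 8 * 1024 * 1024  # default buffer size from the text (configurable)

@dataclass
class Engine:
    """Hypothetical stand-in for GatheringEngine (not a product API)."""
    confirm: list = field(default_factory=list)  # constructed storage results, one per file
    stored: list = field(default_factory=list)   # sizes of files put into storage

    def ready(self) -> bool:
        return True  # acknowledgement: ready to receive new data

    def receive(self, payload: bytes) -> bool:
        ok = self.confirm.pop(0) if self.confirm else True
        if ok:
            self.stored.append(len(payload))
        return ok  # True means "data successfully put into storage"

def deliver(events, keep, engine, limit=LIMIT):
    """Return (files_sent, unread_events, file_held).

    Stop-and-wait: no new file is started until the previous one has been
    sent and the engine has confirmed storage.
    """
    buf, sent = bytearray(), 0
    for i, ev in enumerate(events):
        if not keep(ev):          # agent-side filter
            continue
        buf += ev
        if len(buf) >= limit:     # buffer reached the limit: file is ready
            if not (engine.ready() and engine.receive(bytes(buf))):
                return sent, len(events) - i - 1, True
            sent += 1
            buf.clear()
    if buf:                       # final, partially filled file
        if not (engine.ready() and engine.receive(bytes(buf))):
            return sent, 0, True
        sent += 1
    return sent, 0, False

# Constructed sample: five kept events and one filtered out, with a 64-byte limit.
EVENTS = [b"A" * 40, b"B" * 40, b"noise", b"C" * 40, b"D" * 40, b"E" * 10]
KEEP = lambda ev: ev != b"noise"

if __name__ == "__main__":
    print(deliver(EVENTS, KEEP, Engine(), limit=64))               # healthy engine
    print(deliver(EVENTS, KEEP, Engine([True, False]), limit=64))  # second store fails
```

In the second run the agent holds one undelivered file and one event is never read from the source, which is the backlog to watch for when the engine or its storage stalls.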