🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Manage Data Collectors

data collectors integrations


View your organization’s current integrated Taegis™ XDR Collectors and monitor their health on the Data Collectors page.

To view your data collectors, from the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Data Collectors.

This page displays the data collectors that your organization has configured in a summary card or list view.

Data Collectors

Data Collectors

Adjust the Page View

Switch between the summary card view and the list view of Data Collectors using the buttons at the top left of the page.

Alter Data Collector View

Alter Data Collector View

View Collector Status and Health

The Data Collectors page displays quick-view information about each collector’s current status and recent activity, including:

Status Description
Online The collector has reported in and all applications are deployed and healthy.
Warning Some of the collector applications have not reported in recently or have failed to deploy correctly.
Offline The collector was previously provisioned but has not reported in recently.
Provisioning The collector has not yet been deployed.


Note

N/A indicates that no data has been reported within the last hour.

View Detailed Collector Information

Select a card from the summary card view or the collector name from the list view to open additional details about the collector.

Detailed Collector Information

Detailed Collector Information

Summary Tab

Details

The left-hand section of the Summary tab displays information about the collector, such as its status, type, creation date, and IP address.

The right-hand section features informational cards:

Health

The Health section on the right of the Summary tab displays the current status of the collector, as well as a table of syslog sources reporting data to the collector. This enables you to know which sources are or are not sending data as expected.

By default, this table displays data from the Last Hour. Use the drop-down menu to extend this timeframe up to the Last 30 Days.

Changing the Collector Health Timeframe

Changing the Collector Health Timeframe

Applications

The Applications section on the left of the Summary tab displays a table of the applications that can be installed on the collector to pull data from devices in your organization's environment, such as eStreamer.

Tip

Hover over the word ’Installed’ to view the expiration date of the application’s certificate.

Performance Tab

The Data Collector Details Performance tab provides insightful data about the collector throughput and overall performance. The provided graphs can be used to troubleshoot throughput-related issues and to aid in capacity planning.

By default, the Performance tab displays data from the Last Hour. Use the drop-down menu at the top right of the page to extend this timeframe up to the Last 30 Days.

Data Collector Performance

Data Collector Performance

Backlog Age

The Taegis™ XDR Collector batches and compresses received events. When a batch meets certain size or age criteria, it's moved into a queued line-up for the Taegis™ XDR backend. The Backlog Age graph displays the age of your oldest file in the queue ready for transfer to the backend over the timeframe set for the page.

Under perfect scenarios, this graph remains flat. However, spikes of few seconds (typically less than 60 seconds) are not unusual for devices operating at high capacity. This graph also aids in identifying any potential capacity-related problems. If you spot a monotonically increasing graph or a graph that increases during office hours and returns to zero after hours, this indicates that the device is overwhelmed with the current load, and event delivery may be delayed. This could be due to oversubscribed egress network or QoS throttling.

The table below the graph displays minimum (MIN), maximum (MAX), average (AVG), and last reported (LAST) age values by the device. Each device can be selected individually by clicking on the colored square in the top legend.

Data Collector Backlog Age

Data Collector Backlog Age

Backlog Count

Similar to the Backlog Age graph, the Backlog Count graph depicts the number of files queued for transfer to the backend over the timeframe set for the page. Troubleshooting tips are the same for the Backlog Count graph as the Backlog Age graph. Signs of capacity or throughput issues may be indicated by increasing graphs, which flatten only after office hours. Causes can include an oversubscribed egress network, QoS throttling, overworked proxies, or overloaded collectors.

The table below the graph displays minimum (MIN), maximum (MAX), average (AVG), and last reported (LAST) count values by the device. Each device can be selected individually by clicking on the colored square in the top legend.

Data Collector Backlog Count

Data Collector Backlog Count

Ingress / Egress

The Ingress / Egress graph displays the total received (ingress) and transmitted (egress) bytes from the primary network interface on the collector over the timeframe set for the page. It is common to observe higher ingress rates than egress rates as ingress data like syslog and estreamer data are not compressed, but they are compressed on the collector before transmission to the backend.

Should you observe a growth in backlog age or count, it may be helpful to investigate the device's egress rates, especially for a plateau that may indicate saturation of outbound bandwidth. In the Ingress/Egress graph, individual metrics can be selected by clicking the colored box next to Ingress or Egress.

For Taegis™ XDR Collectors in High Availability configurations, each device generates a separate graph.

Data Collector Ingress Egress

Data Collector Ingress Egress

Maintenance Tab

The Data Collector Details Maintenance tab provides information on upcoming and completed service maintenance and allows you to configure a maintenance window that fits your schedule for future maintenance.

Service maintenance involves changes that extend beyond the usual, continuous software delivery and updates and often includes substantial OS or kernel upgrades requiring a device reboot upon completion. The system is built with safety measures such as preflight checks and automated rollbacks for scheduled service maintenance.

Important

We recommend you choose a maintenance window during a minimally disruptive period and at a time you are available to handle potential issues.

Data Collector Maintenance

Data Collector Maintenance

Maintenance Window Configuration

The Maintenance Window pane at the left of the Maintenance tab allows you to specify a preferred window for service maintenance. To submit a maintenance window:

  1. Select the preferred day of the week for service maintenance from the dropdown menu.
  2. Select the preferred start time in UTC.
  3. Select the preferred duration.
  4. Choose Submit Update.

Alterations to these settings can be made at any time. However, note that this only applies to changes not yet scheduled. Once maintenance is scheduled, updating the maintenance window will not affect it. If the device is unhealthy or inaccessible during the scheduled maintenance period, the maintenance operation will not take place.

Data Collector Maintenance Window

Data Collector Maintenance Window

Logs Details

The Logs pane at the right of the Maintenance tab lists future and past device service maintenance.

Upcoming

In the Upcoming table, details such as the Name, Start Time, Status, and the Deferred state of upcoming service maintenance display. Each upcoming maintenance can be deferred once by selecting the checkbox for the row and choosing Defer Maintenance, which delays the Start Time to the following week.

Data Collector Maintenance Upcoming

Data Collector Maintenance Upcoming

The status of Upcoming maintenance may be one of the following:

If devices do not regain access within 30 minutes after a reboot, users should contact our Product Support for assistance.

History

In the History Table, records of previous device service maintenance display, including information on the maintenance Name, Start Time, End Time, and Status. Possible statuses for maintenance history include:

Failed maintenances are monitored by Secureworks, and any impediments to successful maintenance are remedied before rescheduling.

Data Collector Maintenance History

Data Collector Maintenance History

Maintenance Notifications

Taegis™ XDR uses various methods to communicate upcoming maintenance to users.

Email and In-App Notifications

The Upcoming Data Collector Maintenance option in the Health Status section of User Preferences notifies all users via email and through the Taegis™ XDR in-app notifications about upcoming maintenance.

Data Collector Maintenance Notification Preferences

Data Collector Maintenance Notification Preferences

Data Collector Details Maintenance Banner

For devices with scheduled maintenance, an information banner displays on the Data Collector Details page, irrespective of the time remaining until the scheduled maintenance or individual notification preference.

Data Collector Maintenance Banner

Data Collector Maintenance Banner

Service Maintenance FAQ

What qualifies as service maintenance?

Service maintenance involves significant updates and changes that extend beyond regular software updates. This may include major operating system or kernel upgrades that necessitate a reboot of the device to complete the process. Our system incorporates safety features such as preflight checks and automated rollback capabilities to ensure a smooth and secure maintenance experience.

How often does service maintenance occur, and why is the maintenance window set on a weekly basis?

Service maintenance is not a weekly occurrence. The weekly maintenance window is established to provide a consistent timeframe that minimizes disruption when maintenance is necessary. This does not imply that maintenance is conducted every week, but rather that there is a designated time slot available for when it is required.

Is there a risk of losing any logs or events during service maintenance?

The maintenance process may include a reboot, which could interrupt the transmission of logs. If logs are sent without a reliable delivery method, there is a risk of loss during this time. However, if logs are transmitted using a reliable method (such as TCP), it is up to the sending application to retransmit the logs after the device is back online. The persistence of logs during maintenance largely depends on the delivery mechanism and the behavior of the sending application.

How will I be informed about upcoming service maintenance events?

You will receive notifications about upcoming service maintenance if you are subscribed to receive Upcoming Data Collector Maintenance alerts in the Health Status section of User Preferences. When this setting is enabled, you will receive daily email notifications starting one week prior to the scheduled maintenance, providing ample time to prepare for the event.

What are the safeguards in place if an issue arises during scheduled service maintenance?

Our system is designed with multiple safety measures to mitigate risks during scheduled service maintenance. Before initiating an upgrade, the Data Collector undergoes preflight checks to ensure it is in a healthy state. If the system proceeds with the maintenance and encounters any critical issues, it is designed to perform an automatic rollback, rebooting into the prior stable version. In the rare case that the device becomes unresponsive, you will be notified of the device's status in the same manner as you would in any other situation where the device encounters an issue.

Download Files

To view and download all of the available files for the collector, such as credentials, .ISO, and .OVA, from the collector details, select Actions and choose Download Collector Files. There is also a link to the installation instructions.

Edit a Collector Name or Description

To rename a collector or edit its description, select the edit icon edit icon next to the name or description, enter your changes, and then choose Save.

Edit a Collector Configuration

Note

You must be a Tenant Administrator to edit a collector.

To edit certain configuration parameters of a running and healthy Taegis™ XDR Collector with a "READY" status, select Actions and choose Edit Collector Configuration

Important

Making changes to the Taegis™ XDR Collector configuration of a live system carries the risk of rendering the device inoperable. The Taegis™ XDR Collector will make every attempt possible to rollback to the previous configuration when a configuration change is unsuccessful. Taegis™ XDR Collector configuration changes should be treated with the same level of caution used for any other kind of change in your environment according to your risk and change management guidelines. You should always be prepared to redeploy the device.

For more information, see the following, dependent on collector type: AWS Data Collector, Azure Data Collector, Google Cloud Platform (GCP) Data Collector or On-Premises Data Collector.

Delete a Collector

Note

If you do not have login access to Secureworks® Taegis™ XDR, have someone who does help you complete any steps that require access. You can also contact your Secureworks® representative for help.

Note

You must be a Tenant Administrator to delete a collector.

To remove a collector:

  1. From the Taegis™ XDR left side navigation, hover over Integrations and select Data Collectors.
  2. Depending on your view of the page, either select the desired summary card or the collector name from the list to open the collector details.
  3. Choose Delete from the Actions dropdown menu.
  4. Confirm that you want to delete the collector.

Deleting a Collector

Deleting a Collector

 

On this page: