
Manage Data Collectors



View your organization’s current integrated Taegis™ XDR Collectors and monitor their health on the Data Collectors page.

To view your data collectors, from the Secureworks® Taegis™ XDR left-hand side navigation, select Integrations → Data Collectors.

This page displays the data collectors that your organization has configured in a summary card or list view.

Data Collectors

Adjust the Page View

Switch between the summary card view and the list view of Data Collectors using the buttons at the top left of the page.

Alter Data Collector View

View Collector Status and Health

The Data Collectors page displays quick-view information about each collector’s current status and recent activity, including:

Online: The collector has reported in and all applications are deployed and healthy.
Warning: Some of the collector applications have not reported in recently or have failed to deploy correctly.
Offline: The collector was previously provisioned but has not reported in recently.
Provisioning: The collector has not yet been deployed.


Note

N/A indicates that no data has been reported within the last hour.

View Detailed Collector Information

Select a card from the summary card view or the collector name from the list view to open additional details about the collector.

Detailed Collector Information

Summary Tab

Details

The left-hand section of the Summary tab displays information about the collector, such as its status, type, creation date, and IP address.

The right-hand section features informational cards:

Health

The Health section on the right of the Summary tab displays the current status of the collector, as well as a table of the syslog sources reporting data to the collector, so you can see which sources are, and are not, sending data as expected.

By default, this table displays data from the Last Hour. Use the drop-down menu to extend this timeframe up to the Last 30 Days.

Changing the Collector Health Timeframe

Applications

The Applications section of the Summary tab displays a table of the applications that can be installed on the collector to pull data from devices in your organization's environment, such as eStreamer.

Tip

Hover over the word ’Installed’ to view the expiration date of the application’s certificate.

Performance Tab

The Data Collector Details Performance tab provides data about the collector's throughput and overall performance. Use the graphs to troubleshoot throughput-related issues and to aid capacity planning.

By default, the Performance tab displays data from the Last Hour. Use the drop-down menu at the top right of the page to extend this timeframe up to the Last 30 Days.

Data Collector Performance

Backlog Age

The XDR Collector batches and compresses received events. When a batch reaches a size or age threshold, it is queued for transfer to the XDR backend. The Backlog Age graph displays the age of the oldest file in that queue over the timeframe set for the page.

Under ideal conditions this graph remains flat. Spikes of a few seconds (typically less than 60 seconds) are not unusual for devices operating at high capacity. The graph also helps identify capacity problems: a monotonically increasing line, or one that climbs during office hours and returns to zero after hours, indicates that the device is overwhelmed by the current load and event delivery may be delayed. Common causes are an oversubscribed egress network or QoS throttling.

The table below the graph displays minimum (MIN), maximum (MAX), average (AVG), and last reported (LAST) age values by the device. Each device can be selected individually by clicking on the colored square in the top legend.

Data Collector Backlog Age

Backlog Count

Similar to the Backlog Age graph, the Backlog Count graph shows the number of files queued for transfer to the backend over the timeframe set for the page, and it is read the same way: a count that keeps increasing, or that only flattens after office hours, points to a capacity or throughput problem. Causes include an oversubscribed egress network, QoS throttling, overworked proxies, or an overloaded collector.

The table below the graph displays minimum (MIN), maximum (MAX), average (AVG), and last reported (LAST) count values by the device. Each device can be selected individually by clicking on the colored square in the top legend.
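The Backlog Age and Backlog Count guidance above boils down to four patterns: flat, short spikes, monotonic growth, and growth during office hours that drains after hours. The following script, an added example that is not Secureworks code, applies those rules to exported samples so the check can be automated instead of eyeballed. It assumes you have the graph data as (timestamp, value) pairs, oldest first (for example from an observability pipeline that scrapes the page); the 60-second spike limit comes from the text, the 09:00 to 17:59 office-hours window is an assumption, and every series below is constructed.

```python
"""Classify exported Backlog Age / Backlog Count samples into the patterns
described on the Performance tab.

Added example; not Secureworks code.  Assumes the graph has been exported as
(timestamp, value) samples, oldest first.  All series below are constructed.
"""
from datetime import datetime, timedelta

SPIKE_LIMIT = 60               # page guidance: spikes under ~60 s are not unusual
OFFICE_HOURS = range(9, 18)    # assumption: 09:00-17:59 counts as office hours


def classify_backlog(samples, spike_limit=SPIKE_LIMIT):
    """Return one of: no-data, flat, transient-spikes, monotonic-growth,
    office-hours-saturation, irregular.

    samples: list of (datetime, value) pairs, oldest first.  value is the
    backlog age in seconds or the backlog file count; excursions below
    spike_limit are treated as harmless."""
    values = [v for _, v in samples]
    if not values:
        return "no-data"
    if max(values) == 0:
        return "flat"
    if max(values) < spike_limit:
        return "transient-spikes"
    # Never decreases and ends well above where it started: the device is not keeping up.
    never_drains = all(later >= earlier for earlier, later in zip(values, values[1:]))
    if never_drains and values[-1] - values[0] >= spike_limit:
        return "monotonic-growth"
    # Climbs during office hours and is back to zero outside them: egress saturates by day.
    in_hours = [v for ts, v in samples if ts.hour in OFFICE_HOURS]
    off_hours = [v for ts, v in samples if ts.hour not in OFFICE_HOURS]
    if in_hours and off_hours and max(in_hours) >= spike_limit and max(off_hours) == 0:
        return "office-hours-saturation"
    return "irregular"


def summarize(samples):
    """The MIN/MAX/AVG/LAST figures shown in the table under each graph."""
    values = [v for _, v in samples]
    return {"min": min(values), "max": max(values),
            "avg": sum(values) / len(values), "last": values[-1]}


def hourly(start, values):
    """Build a constructed sample series with one value per hour from `start`."""
    return [(start + timedelta(hours=i), v) for i, v in enumerate(values)]


MIDNIGHT = datetime(2024, 1, 15)   # arbitrary date, samples start at 00:00
# Constructed series, not real collector data:
FLAT = hourly(MIDNIGHT, [0] * 24)
SPIKES = hourly(MIDNIGHT, [0, 0, 12, 0, 0, 45, 0, 3])
GROWTH = hourly(MIDNIGHT, [0, 30, 90, 180, 400, 900])
OFFICE = hourly(MIDNIGHT, [0] * 9 + [20, 80, 200, 350, 500, 400, 250, 120, 30] + [0] * 6)

if __name__ == "__main__":
    for name, s in [("flat", FLAT), ("spikes", SPIKES), ("growth", GROWTH), ("office", OFFICE)]:
        print(f"{name:7} {classify_backlog(s):24} {summarize(s)}")
```

Feed the function the Backlog Count series as well; the same thresholds are not meaningful for file counts, so pass a `spike_limit` appropriate to the collector's normal queue depth.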

Data Collector Backlog Count

Ingress / Egress

The Ingress / Egress graph displays the total received (ingress) and transmitted (egress) bytes on the collector's primary network interface over the timeframe set for the page. Ingress is commonly higher than egress because inbound data such as syslog and eStreamer arrives uncompressed, and the collector compresses it before transmission to the backend.

Should you observe a growth in backlog age or count, it may be helpful to investigate the device's egress rates, especially for a plateau that may indicate saturation of outbound bandwidth. In the Ingress/Egress graph, individual metrics can be selected by clicking the colored box next to Ingress or Egress.

For XDR Collectors in High Availability configurations, each device generates a separate graph.

Data Collector Ingress Egress

Maintenance Tab

The Data Collector Details Maintenance tab provides information on upcoming and completed service maintenance and allows you to configure a maintenance window that fits your schedule for future maintenance.

Service maintenance involves changes that extend beyond the usual, continuous software delivery and updates and often includes substantial OS or kernel upgrades requiring a device reboot upon completion. The system is built with safety measures such as preflight checks and automated rollbacks for scheduled service maintenance.

Important

We recommend you choose a maintenance window during a minimally disruptive period and at a time you are available to handle potential issues.

Data Collector Maintenance

Maintenance Window Configuration

The Maintenance Window pane at the left of the Maintenance tab allows you to specify a preferred window for service maintenance. To submit a maintenance window:

  1. Select the preferred day of the week for service maintenance from the dropdown menu.
  2. Select the preferred start time in UTC.
  3. Select the preferred duration.
  4. Choose Submit Update.

You can change these settings at any time, but the new window applies only to maintenance that has not yet been scheduled; once a maintenance is scheduled, updating the window does not move it. If the device is unhealthy or unreachable during the scheduled maintenance period, the maintenance does not take place.

Data Collector Maintenance Window

Logs Details

The Logs pane at the right of the Maintenance tab lists future and past device service maintenance.

Upcoming

In the Upcoming table, details such as the Name, Start Time, Status, and the Deferred state of upcoming service maintenance display. Each upcoming maintenance can be deferred once by selecting the checkbox for the row and choosing Defer Maintenance, which delays the Start Time to the following week.

Data Collector Maintenance Upcoming

The status of Upcoming maintenance may be one of the following:

If a device does not come back online within 30 minutes after a reboot, contact Product Support for assistance.

History

In the History Table, records of previous device service maintenance display, including information on the maintenance Name, Start Time, End Time, and Status. Possible statuses for maintenance history include:

Failed maintenances are monitored by Secureworks, and any impediments to successful maintenance are remedied before rescheduling.

Data Collector Maintenance History

Maintenance Notifications

XDR uses various methods to communicate upcoming maintenance to users.

Email and In-App Notifications

The Upcoming Data Collector Maintenance option in the Health Status section of User Preferences notifies all users via email and through the XDR in-app notifications about upcoming maintenance.

Data Collector Maintenance Notification Preferences

Data Collector Details Maintenance Banner

For devices with scheduled maintenance, an information banner displays on the Data Collector Details page, irrespective of the time remaining until the scheduled maintenance or individual notification preference.

Data Collector Maintenance Banner

Service Maintenance FAQ

What qualifies as service maintenance?

Service maintenance involves significant updates and changes that extend beyond regular software updates. This may include major operating system or kernel upgrades that necessitate a reboot of the device to complete the process. Our system incorporates safety features such as preflight checks and automated rollback capabilities to ensure a smooth and secure maintenance experience.

How often does service maintenance occur, and why is the maintenance window set on a weekly basis?

Service maintenance is not a weekly occurrence. The weekly maintenance window is established to provide a consistent timeframe that minimizes disruption when maintenance is necessary. This does not imply that maintenance is conducted every week, but rather that there is a designated time slot available for when it is required.

Is there a risk of losing any logs or events during service maintenance?

The maintenance process may include a reboot, which interrupts log reception while the collector restarts. Logs sent without a reliable delivery method (for example, UDP syslog) can be lost during this time. With a reliable transport such as TCP, the sender can detect that the connection is down, but it is still up to the sending application to hold and retransmit the logs once the collector is back online. Whether logs survive maintenance therefore depends on the delivery mechanism and on the behavior of the sending application.
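The following rsyslog configuration is an added example, not part of the Taegis documentation, that shows the two cases the answer above describes side by side: a UDP action that silently drops anything sent while the collector is rebooting, and a TCP action with a disk-assisted queue and unlimited retries so rsyslog holds messages locally and retransmits them when the collector is back. The target hostname, port, spool directory and queue sizes are assumptions; use the syslog listener address of your own collector.

```conf
# Added example, not Secureworks or rsyslog project code.
# collector.example.internal, port 514 and the spool paths are assumptions.

# Queue files for the disk-assisted queue below are written here.
global(workDirectory="/var/spool/rsyslog")

# Lossy: UDP forwarding. Datagrams sent while the collector is rebooting are
# dropped and nothing tells rsyslog they were lost.
# *.* @collector.example.internal:514

# Reliable: TCP forwarding. When the connection fails, messages stay in the
# queue (spilling to disk when memory fills) and are resent on reconnect.
*.* action(
    type="omfwd"
    target="collector.example.internal"
    port="514"
    protocol="tcp"
    queue.type="LinkedList"
    queue.filename="xdr_collector_fwd"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
    action.resumeInterval="30"
)
```

`action.resumeRetryCount="-1"` retries indefinitely every `action.resumeInterval` seconds instead of discarding after the default number of attempts, and `queue.saveOnShutdown` keeps the queue across an rsyslog restart. Note the caveat that applies to plain TCP syslog generally: messages already handed to the kernel socket buffer when the peer disappears can still be lost, so this closes the gap the FAQ describes without making delivery guaranteed; validate the file with `rsyslogd -N1` before restarting the service.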

How will I be informed about upcoming service maintenance events?

You will receive notifications about upcoming service maintenance if you are subscribed to receive Upcoming Data Collector Maintenance alerts in the Health Status section of User Preferences. When this setting is enabled, you will receive daily email notifications starting one week prior to the scheduled maintenance, providing ample time to prepare for the event.

What are the safeguards in place if an issue arises during scheduled service maintenance?

Our system is designed with multiple safety measures to mitigate risks during scheduled service maintenance. Before initiating an upgrade, the Data Collector undergoes preflight checks to ensure it is in a healthy state. If the system proceeds with the maintenance and encounters any critical issues, it is designed to perform an automatic rollback, rebooting into the prior stable version. In the rare case that the device becomes unresponsive, you will be notified of the device's status in the same manner as you would in any other situation where the device encounters an issue.

Download Files

To view and download all of the available files for the collector, such as credentials and the .ISO and .OVA images, from the collector details select Actions and choose Download Collector Files. A link to the installation instructions is also provided there.

Edit a Collector Name or Description

To rename a collector or edit its description, select the edit icon next to the name or description, enter your changes, and then choose Save.

Edit a Collector Configuration

Note

You must be a Tenant Administrator to edit a collector.

To edit certain configuration parameters of a running and healthy XDR Collector with a "READY" status, select Actions and choose Edit Collector Configuration.

Important

Making changes to the XDR Collector configuration of a live system carries the risk of rendering the device inoperable. The XDR Collector makes every attempt to roll back to the previous configuration when a configuration change fails. Treat XDR Collector configuration changes with the same caution as any other change in your environment, according to your risk and change management guidelines, and always be prepared to redeploy the device.

For more information, see the following, dependent on collector type: AWS Data Collector, Azure Data Collector, Google Cloud Platform (GCP) Data Collector or On-Premises Data Collector.

Delete a Collector

Note

If you do not have login access to XDR, have someone who does help you complete any steps that require access. You can also contact your Secureworks® representative for help.

Note

You must be a Tenant Administrator to delete a collector.

To remove a collector:

  1. From the XDR left side navigation, hover over Integrations and select Data Collectors.
  2. Depending on your view of the page, either select the desired summary card or the collector name from the list to open the collector details.
  3. Choose Delete from the Actions dropdown menu.
  4. Confirm that you want to delete the collector.

Deleting a Collector
