Guardian with Remote Collectors

A description of how Remote Collectors and Guardians work together.

General

Guardian lets you monitor the health of all the Remote Collectors that are connected to it.

In Guardian, you can select the Sensors page to inspect the health of the Remote Collectors. When you select a Remote Collector, an information pane shows on the right with detailed information. This includes the health status of the Remote Collector, and the timestamp of the last received payload traffic.

At the bottom of the pane, a list of Remote Collector network interfaces is shown.. For each network interface, there is a Configure button that lets you:

Upload a denylist
Enable a denylist
Disable a denylist

It also lets you set, or unset, Berkeley Packet Filter (BPF) in the same way as for the Guardian network interfaces.

Guardian system health

Guardian's system health is communicated through qualitative strings. The possible values for system health are:

Unreachable
Poor
Average
Good

The system health is a weighted average of:

The unreachable status indicates a sensor that has not reached out to the Guardian for a long time and is considered stale. The other health levels (poor, average and good) are determined based on resource usage.

If all of the values of RAM, disk, or CPU usage are less than 80%, the status is good.

If at least one of these values is over 80%, the below formula is used to calculate the status:

Average: {RAM (38%)+ Disk (66%)+ CPU(99%)} = 68%

100%-68%= 32%

If the result is less than 30, the status is Poor

If the result is greater than 30, but less than 80, the status is Average

If the result is greater than 80, the status is Good

Packet origins

The origin of the packets is tracked internally by Guardian and is displayed in several locations, such as in the Nodes tab of the Network page.