Zentral is built around events from the ground up and connects seamlessly to event stores and SIEMs.
At its heart, Zentral has an event pipeline. Every agent request, log entry, and every status change triggers an event that is emitted, enriched, and shipped to the configured event stores.
To complement its current state, each device has an audit trail available that is composed of all collected events for context. This gives you detailed visibility into agent interactions and device status changes, and is extremely helpful during troubleshooting.
Zentral also generates events itself, for configuration changes, user logins, logouts and failed login attempts, for example. These can be leveraged to add an extra layer of security.
In standard production environments, Zentral provides an event store (OpenSearch or Elasticsearch). However, Zentral can ship the events to multiple stores because of its modular architecture. For example, you can configure Zentral to ship all the Osquery results from any given Osquery pack and all the inventory OS updates to your InfoSec Splunk instance.
You do not have to build your own pipeline: Zentral already knows how to interact with the stores directly. Zentral also comes with built-in monitoring for the routing integration. Should you have a custom application, you can also ship to AWS Kinesis. With Zentral you get an abundance of flexibility.
Raw events can be hard to work with, so for each event it processes or generates, Zentral encapsulates the data into a normalized structure. Zentral then enriches the events and adds relevant inventory information (identifiers, groups, etc.) to machine events. If an event originated from an HTTP request, Zentral also adds user agent, IP address and geolocation.
This extra information that Zentral collects, prepares and harmonizes from all the sources it connects to is also made available to event customers in their store of choice without granting direct access to Zentral itself.
We help you connect your event store of choice to Zentral. There is no need to deploy an extra service; you can use your existing infrastructure.
Design and configure complex event routing, so that the right events are shipped to the right teams and tools.
We provide support for use cases not currently covered by our modules. If you need it, you will get an integration with a custom ServiceNow setup, for example.