The SmartEvent Architecture

SmartEvent consists of several components that work together to help track down security threats and make your network more secure.

This is how they work together. The numbers refer to the diagram:

SmartEvent Traffic Architecture

| Item | Description | Purpose |
|------|-------------|---------|
| | Log data flow | |
| | Event data flow | |
| 1 | Check Point Security Gateway | Sends logs to the Log Server. |
| 2 | Log Server | Stores logs. |
| 3 | SmartEvent Correlation Unit | Identifies events: Analyzes each log entry from a Log Server, and looks for patterns according to the installed Event Policy. The logs contain data from Check Point products and certain third-party devices. When a threat pattern is identified, the SmartEvent Correlation Unit forwards the event to the SmartEvent Server. |
| 4 | SmartEvent Server | The SmartEvent Server indexes logs for SmartView, defines the event policy, and manages correlation units. |
| 5 | Events database | Stores events. Located on the SmartEvent Server. |
| 6 | SmartEvent client | Shows the received events. Use the clients to manage events (for example, to filter and close events), and to fine-tune and install the Event Policy. The clients are SmartConsole and the SmartView Web Application. |

The SmartEvent components can be installed on one computer (that is, a standalone deployment) or multiple computers and sites (a distributed deployment). To handle higher volumes of logging activity, we recommend a distributed deployment. Each SmartEvent Correlation Unit can analyze logs from more than one Log Server or Domain Log Server.
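
The following Python model is an added example, not Check Point code. It illustrates why one correlation unit that reads several Log Servers can identify an event that no single Log Server's logs would reveal. The log fields, the `Rule` class, the threshold-within-a-window rule form, and all names and sample values are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed sample logs as (timestamp_seconds, source_ip, action).
# These fields are illustrative, not the Check Point log format.
LOG_SERVER_A = [(10, "10.0.0.9", "drop"), (100, "10.0.0.5", "drop"),
                (130, "10.0.0.5", "drop")]
LOG_SERVER_B = [(120, "10.0.0.5", "drop"), (125, "10.0.0.9", "drop"),
                (128, "10.0.0.9", "drop"), (140, "10.0.0.5", "accept")]

@dataclass(frozen=True)
class Rule:
    """Hypothetical event definition: `threshold` matching logs in `window` seconds."""
    name: str
    action: str
    threshold: int
    window: int

POLICY = [Rule("repeated_drops", "drop", threshold=3, window=60)]

class CorrelationUnit:
    def __init__(self, policy):
        self.policy = policy
        self.recent = defaultdict(deque)  # (rule name, source) -> timestamps

    def analyze(self, log):
        """Check one log entry against every rule; return the events it raises."""
        ts, src, action = log
        events = []
        for rule in self.policy:
            if action != rule.action:
                continue
            seen = self.recent[(rule.name, src)]
            seen.append(ts)
            while ts - seen[0] > rule.window:  # forget logs outside the window
                seen.popleft()
            if len(seen) >= rule.threshold:
                events.append({"event": rule.name, "source": src,
                               "logs": len(seen), "last_seen": ts})
                seen.clear()  # one burst raises one event
        return events

def correlate(log_servers, policy):
    """Feed logs from all Log Servers, in time order, through one unit."""
    unit = CorrelationUnit(policy)
    events_db = []  # stands in for the events database
    for log in sorted(log for server in log_servers for log in server):
        events_db.extend(unit.analyze(log))
    return events_db

if __name__ == "__main__":
    print(correlate([LOG_SERVER_A, LOG_SERVER_B], POLICY))
```

Source 10.0.0.9 also has three drops in total, but they fall outside the 60-second window, so no event is raised for it.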