Architecture

Architecture highlights

  • High storage capacity
    • Unlimited volume support.
    • Information distributed in blocks and classified by date, client, data type, technology and more.
    • Real-time data compressing and decompressing.
    • Storage distributed globally with a high level of redundancy.
    • Automatic scalability for automated cloud environments (for example, Amazon Web Services).

  • Linear scalability
    • Devo scales automatically on every component of the architecture to ensure optimal performance.

  • Wide range of supported data types
    • Structured and unstructured data.
    • Databases, text files, social networks and more.
    • Syslog, Syslog-ng, Rsyslog, HTTP, FTP, NetFlow, WMI, SDE, SNMP, JDBC, SMTP, dedicated APIs and more.
    • Secure communications over SSL/TLS, using X.509v3 certificate authentication.

Event processing

These are the main steps involved when processing the events:

Event injection
  • A machine/process creates an event that is sent or collected, compressed, authenticated, encrypted and transported to the ELB (Event Load Balancer).
  • The ELB decrypts the data received over the SSL/TLS channel and distributes the events among the data nodes.

Event classification and storage
  • The collector engine receives the event and classifies it using the log tag information.
  • Each event is saved along with the account ID that identifies the client and the technology defined by the tag.
  • Each event is deposited in a Devo-specific file system, where several files are created based on the event tag information.
  • Each of these files is kept open and populated by the collector engine with the corresponding events in 24-hour periods.

Event query
  • When you execute a query from the web interface, the query syntax is checked automatically.
  • The query engine receives the query in real time, executes it, applies the filters and builds all requested aggregations.
  • In a distributed query architecture, the query is sent to all data nodes and the combined data is delivered to the client/API.
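
The classification and storage steps above can be made concrete with a small simulation. The following Python example is added here and is not Devo's code: it stands in for the collector engine, classifying each event by its tag into a per-account, per-technology, per-tag, per-UTC-day file, compressing records as they arrive, and answering queries that only ever open files under the caller's account ID. The tag layout ("web.nginx.access", "box.unix.auth"), the rule that the first two tag components name the technology, the file path layout and the sample events are all assumptions constructed for this example.

```python
import gzip
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (account_id, tag, unix_timestamp, message).
# The "web.nginx.access" / "box.unix.auth" tag layout is an assumption of
# this example, not a statement about Devo's real tag catalogue.
SAMPLE_EVENTS = [
    ("acme", "web.nginx.access", 1700000000, "GET /index.html 200"),
    ("acme", "web.nginx.access", 1700003600, "GET /admin 403"),
    ("acme", "box.unix.auth", 1700090000, "sshd: Failed password for root"),
    ("globex", "web.nginx.access", 1700000000, "GET / 200"),
]


def technology_from_tag(tag):
    """Assumption: the first two tag components name the technology."""
    parts = tag.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"malformed tag: {tag!r}")
    return ".".join(parts[:2])


def storage_path(account_id, tag, ts):
    """One file per account, technology, full tag and UTC day (the 24h period)."""
    day = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
    return f"{account_id}/{technology_from_tag(tag)}/{tag}/{day}.log.gz"


class CollectorStore:
    """In-memory stand-in for the collector engine and its per-tag files."""

    def __init__(self):
        # path -> list of individually compressed records
        self.files = defaultdict(list)

    def ingest(self, account_id, tag, ts, message):
        """Classify by tag, pick the day file and store the record compressed."""
        path = storage_path(account_id, tag, ts)
        record = f"{ts} {tag} {message}\n".encode()
        self.files[path].append(gzip.compress(record))
        return path

    def query(self, account_id, tag_prefix, contains=None):
        """Only files under the caller's account ID are ever opened."""
        hits = []
        for path, blobs in self.files.items():
            acct, _tech, tag, _day = path.split("/")
            if acct != account_id or not tag.startswith(tag_prefix):
                continue
            for blob in blobs:
                line = gzip.decompress(blob).decode().rstrip("\n")
                if contains is None or contains in line:
                    hits.append(line)
        return hits


def build_store(events=SAMPLE_EVENTS):
    """Ingest the constructed sample stream and return the populated store."""
    store = CollectorStore()
    for account_id, tag, ts, message in events:
        store.ingest(account_id, tag, ts, message)
    return store


if __name__ == "__main__":
    store = build_store()
    for path in sorted(store.files):
        print(path, len(store.files[path]), "record(s)")
    print(store.query("acme", "web.", contains="403"))
```

Running the block prints three day files (two for "acme", one for "globex") and the single "403" line. The point worth noticing is that the account ID is part of the storage path, so a query for one client cannot touch another client's files, and the day boundary in the path is what gives each file its 24-hour lifetime.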
Working with events

These are the three types of engines involved:

1. Correlation engine

  • Receives a correlation query to be run continuously against all newly ingested events.
  • When a match is found, a new correlation event is created.

2. Aggregation engine

  • Receives a query, creates a continuous aggregation task against the query engine, and stores all aggregation values requested by the query in the aggregation database.

3. Alert engine

  • When an event from the correlation engine is written to the alert table, this engine triggers the distribution of the alert.
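
To show how the three engines cooperate on a live stream, here is an added Python example (not Devo's code). The correlation engine runs one constructed rule against every newly ingested event (a threshold of failed logins from one source inside a sliding window), the aggregation engine keeps a continuously updated count per tag and time bucket, and the alert engine fires when a correlation event is written to its alert table. The event field names, tag values, the rule itself and the sample stream are assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Constructed stream of already-classified events (dicts), oldest first.
# Field names and tag values are assumptions of this example.
SAMPLE_STREAM = [
    {"ts": 1200, "tag": "box.unix.auth", "src": "10.0.0.5", "status": "failed"},
    {"ts": 1210, "tag": "box.unix.auth", "src": "10.0.0.5", "status": "failed"},
    {"ts": 1220, "tag": "web.nginx.access", "src": "10.0.0.9", "status": "ok"},
    {"ts": 1230, "tag": "box.unix.auth", "src": "10.0.0.5", "status": "failed"},
    {"ts": 1300, "tag": "box.unix.auth", "src": "10.0.0.7", "status": "failed"},
    {"ts": 1400, "tag": "box.unix.auth", "src": "10.0.0.7", "status": "failed"},
]


class CorrelationEngine:
    """Runs one rule against every newly ingested event: N failed logins from
    the same source inside a sliding window produce a correlation event."""

    def __init__(self, threshold=3, window_seconds=60):
        self.threshold = threshold
        self.window = window_seconds
        self.failures = defaultdict(deque)  # src -> timestamps still in window

    def process(self, event):
        if event["tag"] != "box.unix.auth" or event["status"] != "failed":
            return None
        q = self.failures[event["src"]]
        q.append(event["ts"])
        while q and q[0] < event["ts"] - self.window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= self.threshold:
            count = len(q)
            q.clear()  # one burst yields one correlation event
            return {"tag": "correlation.auth.bruteforce", "ts": event["ts"],
                    "src": event["src"], "count": count}
        return None


class AggregationEngine:
    """Keeps a continuously updated count per (tag, time bucket)."""

    def __init__(self, bucket_seconds=60):
        self.bucket = bucket_seconds
        self.table = defaultdict(int)  # stands in for the aggregation database

    def process(self, event):
        bucket_start = event["ts"] - event["ts"] % self.bucket
        self.table[(event["tag"], bucket_start)] += 1

    def value(self, tag, bucket_start):
        return self.table.get((tag, bucket_start), 0)


class AlertEngine:
    """Distributes an alert whenever a correlation event hits the alert table."""

    def __init__(self):
        self.alert_table = []
        self.deliveries = []  # stands in for email/webhook delivery

    def write(self, correlation_event):
        self.alert_table.append(correlation_event)
        self.deliveries.append(
            f"ALERT {correlation_event['tag']} src={correlation_event['src']} "
            f"count={correlation_event['count']} ts={correlation_event['ts']}")


def run_pipeline(stream=SAMPLE_STREAM, threshold=3, window_seconds=60):
    """Feed each event once, as it arrives, to the aggregation and correlation
    engines; correlation hits are written to the alert engine's table."""
    corr = CorrelationEngine(threshold, window_seconds)
    agg = AggregationEngine()
    alerts = AlertEngine()
    for event in stream:
        agg.process(event)
        hit = corr.process(event)
        if hit is not None:
            alerts.write(hit)
    return corr, agg, alerts


if __name__ == "__main__":
    _, agg, alerts = run_pipeline()
    print(alerts.deliveries)
    print(dict(agg.table))
```

With the default threshold of three failures in 60 seconds, only the 10.0.0.5 burst produces a correlation event and therefore one alert; the two 10.0.0.7 failures are 100 seconds apart and never co-exist in the window. Widening the window (see the second run in the test) changes what correlates without touching the aggregation counts, which is the separation the three-engine design is meant to give you.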
