How Replay Works

Replay requires a source LogLogic ST Appliance and a destination LogLogic LX Appliance to be configured in a Management Station relationship.

The LogLogic ST Appliance must be a Management Station that manages the LogLogic LX Appliance. The Management Station relationship ensures that you manage Replay sessions correctly.

Warning: When using Replay, the LogLogic LX Appliance must not be set up as a Management Station. If the configuration is not correct, Replay does not work.
Note: Archived real-time files on the source LogLogic ST Appliance are always rediscovered during a Replay session, whether or not a search filter is used. Rediscovering real-time files allows the recognition of additional devices that were not known to the LogLogic LX Appliance or LogLogic ST Appliance during the initial capture. However, file-based logs are not rediscovered at this time.

Pulled files are always replayed as a whole file. However, real-time logs can be subjected to filtering.

The source LogLogic ST Appliance and destination LogLogic LX Appliance manage the progress of each Replay session. Therefore, if at any point a Replay session is interrupted (for example, the network goes down or the appliance service is not available):

  1. The source LogLogic ST Appliance keeps trying to replay data indefinitely until a connection is re-established.
  2. Once the connection is re-established, the data transfer resumes where it left off. After the replay is completed, the Replay Status is updated to 'completed' on the Replay Status tab.

How a Replay session works

  1. The scheduled Replay session starts.
  2. Replay gathers the appropriate archived data on the source LogLogic ST Appliance based on the Replay rules specified in the Replay session. The source LogLogic ST Appliance notifies the destination LogLogic LX Appliance how many files it is transferring.
  3. The source LogLogic ST Appliance transfers the appropriate archived log data to the destination LogLogic LX Appliance. Authentication and encryption are used only if configured for the Replay session.
  4. After all log data is received by the destination LogLogic LX Appliance, the LogLogic LX Appliance begins processing the data as new data. Log data is received by LLTCP-HTTP.
  5. After all log data is processed by the destination LogLogic LX Appliance, it notifies the source LogLogic ST Appliance that the Replay session is completed.
  6. The source LogLogic ST Appliance ends the Replay session and updates the status to completed.
    Note: The maximum number of replays is 16. Canceled and completed replays are not included in the total number.

    The user must have Search Archived Data privileges on the LogLogic ST Appliance to replay the archived data. For more information on user privileges, see User Privileges.