
Forwarders as local collectors
Forwarders are used to collect events within clients’ on-premises networks. Details about their design and functionality can be found in the section Layer 1: Local Collection (Forwarder).
Including a native Forwarder within the platform architecture provides significant operational and security advantages in SOC environments, especially in multi-tenant, large-scale, and regulated infrastructures.
Guaranteed Data Integrity and Reliability
The Forwarder ensures zero log loss, even under adverse network conditions. By persisting all incoming events to local disk before forwarding them to the central collector, it creates a resilient buffering layer that continues to operate even when communication with the SOC platform is temporarily disrupted. Once the connection is restored, all pending logs are automatically transmitted, maintaining full event continuity and auditability.
End-to-End Encryption and Secure Data Transport
All communications between the Forwarder and the platform are encrypted using TLS with SSL pinning, guaranteeing that log data is never transmitted in clear text, even across untrusted or hybrid networks. This provides confidentiality and integrity for sensitive telemetry, meeting the most stringent compliance frameworks (GDPR, ISO 27001, NIS2, etc.).
Format-Agnostic Log Collection
The Forwarder is agnostic to log formats and devices and can ingest any data type transported over TCP or UDP. This flexibility enables seamless integration of legacy, custom, and modern sources, from firewalls and operating systems to SaaS and cloud services, without depending on external collectors or third-party agents.
Operational Independence and Local Control
Deploying the Forwarder inside the client’s private network ensures that data ownership and processing remain under local control, while still feeding the central SOC analytics environment. This design supports data sovereignty requirements and allows MSSPs and enterprises to maintain full control over what data leaves their perimeter.
Performance and Scalability Optimization
The Forwarder performs local preprocessing, compression, and flow control, optimizing bandwidth usage and ensuring consistent throughput even during peak ingestion periods. It scales horizontally across multiple customer environments and integrates seamlessly with container-based or bare-metal deployments.
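The disk-persisted buffering from "Guaranteed Data Integrity and Reliability" and the batch compression from this paragraph, as one added example that is not the platform's own code: a minimal store-and-forward loop in Python. Every event is fsync'd to a local spool file before anything is sent, batches are gzip-compressed, and an event is removed from the spool only after the collector accepted the batch, so an outage leaves the backlog on disk and the next flush drains it in order. The spool format, the batch size, the stand-in collector, and the sample syslog lines are constructed for the example.

```python
import gzip
import os
import tempfile
from pathlib import Path

# Constructed sample events (syslog-style); not real traffic.
SAMPLE_EVENTS = [
    b"<134>Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP DPT=23",
    b"<86>Jan 10 12:00:02 srv01 sshd[2211]: Failed password for invalid user admin from 10.0.0.5",
    b"<86>Jan 10 12:00:03 srv01 sshd[2211]: Connection closed by 10.0.0.5 port 51122",
    b"<134>Jan 10 12:00:04 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP DPT=443",
]


class DiskSpool:
    """Append-only, newline-delimited spool file. An event is on disk (fsync'd)
    before append() returns, so a crash or link outage cannot lose it."""

    def __init__(self, path):
        self.path = Path(path)
        self.path.touch(exist_ok=True)

    def append(self, event: bytes):
        with self.path.open("ab") as f:
            f.write(event.rstrip(b"\n") + b"\n")
            f.flush()
            os.fsync(f.fileno())

    def pending(self):
        with self.path.open("rb") as f:
            return [line for line in f.read().split(b"\n") if line]

    def ack(self, count: int):
        """Drop the first `count` events once the collector has accepted them."""
        remaining = self.pending()[count:]
        tmp = self.path.with_suffix(".tmp")
        with tmp.open("wb") as f:
            f.write(b"".join(line + b"\n" for line in remaining))
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)  # atomic swap: never a half-written spool


class Forwarder:
    """Persist first, ship second. `send` is any callable that raises
    ConnectionError when the collector is unreachable."""

    def __init__(self, spool, send, batch_size=2):
        self.spool, self.send, self.batch_size = spool, send, batch_size

    def ingest(self, raw_event: bytes):
        self.spool.append(raw_event)

    def flush(self) -> int:
        """Ship pending events in gzip-compressed batches; return how many were
        acknowledged. Unacknowledged batches stay on disk for the next run."""
        delivered = 0
        while True:
            batch = self.spool.pending()[: self.batch_size]
            if not batch:
                return delivered
            payload = gzip.compress(b"\n".join(batch) + b"\n")
            try:
                self.send(payload)
            except ConnectionError:
                return delivered  # link down: keep the batch, retry later
            self.spool.ack(len(batch))  # at-least-once: ack only after a successful send
            delivered += len(batch)


class FakeCollector:
    """Stand-in for the central collector (constructed for the example)."""

    def __init__(self):
        self.online = False
        self.received = []

    def send(self, payload: bytes):
        if not self.online:
            raise ConnectionError("collector unreachable")
        self.received.extend(gzip.decompress(payload).split(b"\n")[:-1])


def run_outage_scenario():
    """Ingest while the collector is down, then reconnect; report each phase."""
    with tempfile.TemporaryDirectory() as d:
        collector = FakeCollector()
        fwd = Forwarder(DiskSpool(Path(d) / "spool.log"), collector.send)
        for ev in SAMPLE_EVENTS:
            fwd.ingest(ev)
        during_outage = fwd.flush()  # nothing leaves, nothing is lost
        buffered = len(fwd.spool.pending())
        collector.online = True
        after_reconnect = fwd.flush()  # backlog drains in order
        return {
            "during_outage": during_outage,
            "buffered": buffered,
            "after_reconnect": after_reconnect,
            "received": collector.received,
            "left_on_disk": len(fwd.spool.pending()),
        }
```

The delivery guarantee here is at-least-once: if the process dies between a successful send and the ack, the batch is resent on the next flush, so the collector should deduplicate on a per-event identifier rather than assume exactly-once delivery. Rewriting the whole spool on every ack is fine for an illustration; a production spool keeps a read offset or rotates segment files instead.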
Reduced Dependency on Third-Party Collectors
By providing its own log transport layer, the platform eliminates reliance on external agents or proprietary vendor connectors. This not only reduces licensing and maintenance costs, but also ensures that the entire ingestion, encryption, and delivery process remains under full architectural control of the SOC platform.
Requirements
The key points about Forwarder capabilities and performance are:
On-premise log collection over any transport protocol and in any event format.
Log compression and disk persistence before sending to the next step: a cloud collector or another chained Forwarder.
Logs are shipped to the cloud over one single encrypted channel, on one single TCP port.
No event loss in case of communication issues, firewall misconfigurations, or cyberattacks.
High performance: 2 GB of RAM and 2 CPU threads to ship ~20,000 EPS.