In a single host JSA deployment, you have an All-in-One JSA appliance that is a single server which collects data, such as syslog event data logs, and Windows events, and also flow data, from your network.
An All-in-One appliance is suitable for a medium-sized company that has low exposure to the Internet, or for testing and evaluation purposes. Single server deployments are suitable for companies that monitor network activity and events such as authentication services and firewall activity.
An All-in-One appliance provides you with the capabilities that you need, up to a specific capacity that is determined by your license and the hardware specifications of the system.
Manufacturing company deploys a single JSA server
You are a medium-sized manufacturing company with less than 1000 employees. You deploy a JSA All-in-One appliance to collect, process, and monitor event and flow data. With that deployment, you can collect up to 5,000 events per second (EPS), and 200,000 flows per minute (FPM).
The following diagram shows an All-in-One appliance, which collects data from event and flow sources, processes the data, and provides a web application where you can search, monitor, and respond to security threats.
An All-in-One appliance performs the following tasks:
Collects event and network flow data, and then normalizes the data in to a data format that JSA can use.
Analyzes and stores the data, and identifies security threats to the company.
Provides access to the JSA web application.
As your data sources grow, or your processing or storage needs increase, you can add appliances to expand your deployment.