ThreatLockDown indexer

The ThreatLockDown indexer is a real-time, full-text search and analytics engine for security data. Log data ingested into the ThreatLockDown server is analyzed and forwarded to the indexer for indexing and storage. These events are then queried on the ThreatLockDown dashboard.

The ThreatLockDown indexer stores data as JSON documents. Each document associates a set of keys (also called field names or attributes) with their corresponding values, which can be strings, numbers, booleans, dates, arrays of values, geolocations, or other kinds of data.

The ThreatLockDown indexer can be configured as a single-node or multi-node cluster, providing scalability and high availability. It distributes documents across containers known as shards, and in turn distributes those shards across the cluster nodes. Spreading documents over multiple shards, and those shards over multiple nodes, gives the indexer redundancy: the indexer stays available if a node fails, and query capacity is spread across the cluster nodes.
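The following is an added illustration of the shard placement idea described above; it is not code from the ThreatLockDown indexer or its documentation. It assumes, as OpenSearch-style indexers do, that each shard has a configurable number of replica copies and that two copies of the same shard are never placed on the same node. The node names, shard counts and failure scenarios are constructed for the example. The point it makes that the paragraph does not spell out is that a single-node cluster cannot provide redundancy at all, and that a multi-node cluster only survives as many simultaneous node failures as it has replica copies.

```python
"""Toy model of shard placement in a multi-node indexer cluster.

Added illustration, not ThreatLockDown indexer code. Assumes (as in
OpenSearch-style indexers) that every primary shard has `num_replicas`
extra copies and that no two copies of one shard share a node.
"""
from collections import defaultdict
from itertools import cycle


def allocate_shards(nodes, num_primaries, num_replicas):
    """Return {shard_id: [node, ...]} with every copy of a shard on a distinct node.

    Raises ValueError when the cluster is too small to keep all copies of a
    shard on separate nodes (for example a single node with num_replicas > 0).
    """
    copies = num_replicas + 1  # the primary plus its replicas
    if copies > len(nodes):
        raise ValueError(
            f"{copies} copies per shard need {copies} nodes, cluster has {len(nodes)}"
        )
    placement = {}
    ring = cycle(nodes)  # round-robin keeps the per-node load balanced
    for shard in range(num_primaries):
        chosen = []
        # Walk the ring until this shard has `copies` distinct nodes.
        while len(chosen) < copies:
            node = next(ring)
            if node not in chosen:
                chosen.append(node)
        placement[shard] = chosen
    return placement


def available_shards(placement, failed_nodes):
    """Shards that still have at least one copy on a surviving node."""
    failed = set(failed_nodes)
    return {s for s, nodes in placement.items() if any(n not in failed for n in nodes)}


def survives_failure(placement, failed_nodes):
    """True when every shard keeps at least one copy after `failed_nodes` go down."""
    return available_shards(placement, failed_nodes) == set(placement)


def copies_per_node(placement):
    """How many shard copies each node hosts (the query load it can absorb)."""
    load = defaultdict(int)
    for nodes in placement.values():
        for n in nodes:
            load[n] += 1
    return dict(load)


if __name__ == "__main__":
    # Constructed three-node cluster, six primaries, one replica each.
    cluster = ["node-1", "node-2", "node-3"]
    placement = allocate_shards(cluster, num_primaries=6, num_replicas=1)
    for shard, nodes in placement.items():
        print(f"shard {shard}: {nodes}")
    print("load:", copies_per_node(placement))
    print("one node down, all shards available:", survives_failure(placement, ["node-2"]))
    print("two nodes down, all shards available:",
          survives_failure(placement, ["node-1", "node-2"]))

    # A single-node deployment has nowhere to put a second copy.
    single = allocate_shards(["node-1"], num_primaries=3, num_replicas=0)
    print("single node down, data available:", survives_failure(single, ["node-1"]))
```

With one replica, losing any one node keeps every shard reachable, but losing two nodes at once loses the shards whose two copies lived exactly on those nodes; asking for a replica on a one-node cluster is rejected outright, which is the formal version of the statement that a single-node deployment trades away redundancy.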