Auditing architecture and data flow

The following figure illustrates the basic architecture and flow of data with a minimum number of auditing components installed.

In the illustration, each agent connects to one collector. In a production environment, you can configure agents to allow connections to additional collectors for redundancy and load balancing, or to prevent connections between specific agents and collectors. You can also add audit stores and configure which connections are allowed or restricted. The size and complexity of the auditing infrastructure depend on how you want to optimize your network topology, how many computers you are auditing, how much audit data you want to collect and store, and how long you plan to retain audit records.

The following figure illustrates the data flow details. You can see which components communicate with other components and in what order. The diagram also includes some port details.

The following diagram shows how the Linux Desktop auditing session data is collected.

Within the Linux Desktop, a component called DAX generates the recorded session data and passes it to the audit daemon. The audit daemon encrypts the recorded session data and passes it to the collector. The collector channels session data of different types together and passes the encrypted session data to the active audit store database.