I am looking for some clarification on how the multi-server architecture works regarding the roles of agents. My current understanding is that the agents on multiple machines stream their logs to the central LAPI. Bouncers also connect to the LAPI independent of whether there is an agent running on their local machine. Hence, if I can have the LAPI ingest logs from a central log store, I would not need to deploy any agents at all, just the LAPI and bouncers. Are these assumptions correct thus far?
> My current understanding is that the agents on multiple machines stream their logs to the central LAPI
No, they only send alerts triggered by the local log sources to said engine.
> Hence, if I can have the LAPI ingest logs from a central log store, I would not need to deploy any agents at all, just the LAPI and bouncers. Are these assumptions correct thus far?
Yes, if you already centralize your logs then you just need to deploy the single LAPI to read them. Remember, depending on the size of logs, you would need to scale horizontally (more CPU, RAM). However, if you're not over 20 million logs per minute then you should be fine with a standard VM.