Components
Astral is composed of a set of modular and specialized components that work together to deliver scalable data ingestion, high-performance analysis, correlation, and detection. Each component has a well-defined responsibility within the SIEM architecture, allowing Astral to scale horizontally, maintain high availability, and adapt to different operational and ingestion requirements.
The component-based architecture enables flexible deployment models, where processing, storage, and analysis responsibilities are distributed across dedicated services. This approach supports environments with high data volumes, multiple Astral instances, and strict performance and isolation requirements.
The main components that form the Astral SIEM architecture are described below. Each component is documented in detail in its own dedicated page.
Cluster Manager
The Cluster Manager is the core management service of Astral, installed directly on the host server as a system service. It is responsible for centralized and automated deployment of Astral components, enabling consistent provisioning and lifecycle management of the SIEM infrastructure.
Through the Cluster Manager, Astral instances and supporting services can be deployed, configured, and maintained in a standardized manner, reducing operational complexity and manual intervention.
Astral Indexer
The Astral Indexer is responsible for indexing and storing ingested data. It handles the persistence and retrieval of events, logs, and telemetry, ensuring fast and reliable access to large volumes of security data.
Astral Indexers are deployed using Docker on the host machine and are designed to scale horizontally according to ingestion and retention requirements.
Astral Balancer
The Astral Balancer acts as a preconfigured load balancer for search and query operations. It distributes search requests across multiple Astral Indexer instances, ensuring high performance, efficient resource utilization, and high availability.
By abstracting query distribution, the Astral Balancer provides a consistent and responsive search experience even in environments with large data sets and multiple indexers.
Astral Correlator
The Astral Correlator is responsible for data correlation and detection logic execution. It processes normalized events, evaluates correlation rules, and identifies anomalies, suspicious behavior, and security incidents.
This component executes Astral’s detection logic, including YARA-based rules, and generates structured detections that feed downstream response and automation workflows.
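The following is an added example (not Astral's code, and not its rule or event format) that illustrates what "evaluates correlation rules over normalized events and generates structured detections" means in practice: a windowed threshold rule keyed on a field of the normalized event, with a constructed burst of failed SSH logins as input. The rule schema (`ThresholdRule`), the event field names, and the detection layout are all assumptions made for the illustration.

```python
"""Illustrative windowed correlation over normalized events.

Added example, not Astral's code or rule format. It shows the kind of work
the text attributes to a correlator: evaluate a rule against a stream of
normalized events and emit a structured detection when it fires.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ThresholdRule:
    """Hypothetical rule shape (assumption): fire when `threshold` events
    matching `match` share the same `group_by` value within `window_seconds`."""
    name: str
    match: dict          # field -> required value on the normalized event
    group_by: str        # field whose value partitions the counting window
    threshold: int
    window_seconds: int
    severity: str = "medium"


class Correlator:
    def __init__(self, rules):
        self.rules = list(rules)
        # rule name -> group key -> deque of timestamps still inside the window
        self._state = defaultdict(lambda: defaultdict(deque))

    def process(self, event):
        """Evaluate one normalized event; return the list of detections fired."""
        detections = []
        for rule in self.rules:
            if any(event.get(k) != v for k, v in rule.match.items()):
                continue
            key = event.get(rule.group_by)
            if key is None:
                continue
            ts = event["timestamp"]
            window = self._state[rule.name][key]
            window.append(ts)
            # Expire events that fell out of the sliding window.
            while window and ts - window[0] > rule.window_seconds:
                window.popleft()
            if len(window) >= rule.threshold:
                detections.append({
                    "rule": rule.name,
                    "severity": rule.severity,
                    rule.group_by: key,
                    "count": len(window),
                    "first_seen": window[0],
                    "last_seen": ts,
                })
                window.clear()  # one burst yields one detection, not one per event
        return detections


def run_sample():
    """Run a constructed burst of failed logins through one rule."""
    rule = ThresholdRule(
        name="brute_force_ssh",
        match={"event_type": "auth", "outcome": "failure", "service": "sshd"},
        group_by="src_ip",
        threshold=5,
        window_seconds=60,
    )
    # Constructed normalized events; timestamps are seconds, addresses are
    # documentation ranges.
    events = [
        {"timestamp": 100 + i * 5, "event_type": "auth", "outcome": "failure",
         "service": "sshd", "src_ip": "203.0.113.7", "user": "root"}
        for i in range(5)
    ] + [
        {"timestamp": 130, "event_type": "auth", "outcome": "failure",
         "service": "sshd", "src_ip": "198.51.100.2", "user": "admin"},
        {"timestamp": 135, "event_type": "auth", "outcome": "success",
         "service": "sshd", "src_ip": "203.0.113.7", "user": "root"},
    ]
    correlator = Correlator([rule])
    detections = []
    for event in sorted(events, key=lambda e: e["timestamp"]):
        detections.extend(correlator.process(event))
    return detections


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```

The detection carries the rule name, severity, the grouping value and the time span, which is the shape a downstream response or automation workflow can consume without re-reading the raw events. The per-key deque keeps memory bounded to events inside the window, which matters at the ingestion volumes the rest of this page describes.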
Astral Agent
The Astral Agent is the monitoring and collection component responsible for ingesting data from multiple sources. It monitors operating systems, files, network traffic, and other supported data sources, acting as the primary bridge between the environment and the Astral SIEM.
The agent ensures consistent, reliable, and secure data collection across different platforms and environments.