When data federation is enabled, you can perform a search or run a report on one server and have it automatically run a search or report across the selected remote servers. The server on which the search is initiated is referred to as the authorized requestor, and the remote servers are referred to as the data sources or data source servers.
When you run a search or report on the authorized requestor, the following happens:
Search queries are sent to each selected data source server
Data source server authenticates the authorized requestor server
Event or alert data is returned to the authorized requestor, where it is merged, sorted, and rolled up for presentation
The search status for each data source server is displayed.
Search results contain information about data source servers from which they originated.