Let me just jump in and clarify 🙂
A dedicated data node has functions for filtering and parsing data, so we have full control to filter out or drop portions of the data before sending it to the database. The parser is very flexible in that regard.
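To make the filter-and-drop idea a bit more concrete, here is a rough Python sketch of the logic. It is not the actual parser configuration, just an illustration: the field names (`level`, `password`, `session_token`) and the drop rules are made up, and the input is assumed to be one JSON event per line.

```python
import json
from typing import Iterable, Iterator, Optional

# Hypothetical rules, for illustration only.
DROP_LEVELS = {"debug", "trace"}              # whole events to discard
DROP_FIELDS = {"password", "session_token"}   # fields to strip from kept events


def filter_event(event: dict) -> Optional[dict]:
    """Return a trimmed copy of the event, or None if it should be dropped."""
    if str(event.get("level", "")).lower() in DROP_LEVELS:
        return None
    return {key: value for key, value in event.items() if key not in DROP_FIELDS}


def parse_and_filter(lines: Iterable[str]) -> Iterator[dict]:
    """Parse JSON lines and yield only the events that survive filtering."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skipped in this sketch
        if not isinstance(event, dict):
            continue  # only JSON objects are treated as events
        kept = filter_event(event)
        if kept is not None:
            yield kept
```

Only what `parse_and_filter` yields would go on to the database; everything else never leaves the node.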
For storing data and securing it locally on the dedicated node, it is always best to use a database. The Energy Logserver database is the most flexible option and the best approach to securing data on a dedicated node.
Because of the parser's flexibility we do have other options, like storing data in a temporary file, but the database is still the best option.
And finally, for SIEM components - if possible, it is a good idea to install the correlation engine on the dedicated node, but it is not a strict requirement. The SIEM agent can send data to the parser through syslog, and the parser will then deliver that data to a remote correlation engine. This mainly depends on the surrounding conditions, such as network stability, performance of the dedicated data node, data storage and so on.
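For the syslog leg of that path, a minimal Python sketch of what sending an event to the parser over UDP could look like is below. This is not how the SIEM agent is actually implemented. The tag `siem-agent`, the host, and the port are placeholders, and the message is a bare BSD-style syslog line (priority, tag, text) without timestamp or hostname.

```python
import socket


def format_syslog(message: str, facility: int = 1, severity: int = 6,
                  tag: str = "siem-agent") -> bytes:
    """Build a minimal BSD-style syslog line: <PRI>tag: message."""
    pri = facility * 8 + severity  # syslog priority = facility * 8 + severity
    return f"<{pri}>{tag}: {message}".encode("utf-8")


def send_syslog(message: str, host: str, port: int = 514) -> None:
    """Send one syslog message over UDP to the parser's syslog input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(format_syslog(message), (host, port))
```

UDP is fire-and-forget, so on an unstable network messages can be lost without any error. That is one reason the network conditions mentioned above matter when deciding where the correlation engine should live.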
Hope it helps. If you have any further questions - ask away 😉