Separate nDepth Server(s) vs. Kiwi Syslog ...or both

tpmobley

For setting up log management (both Syslogs and Windows Event Logs) at remote sites, what is the best way to go when using LEM?

1. Kiwi Syslog Server: have both Syslogs (from network devices, UPSs, etc.) and Windows Event Logs (converted to Syslogs with Log Forwarder for Windows) sent to a Kiwi Syslog server at each site, which then filters, compresses and sends logs over the WAN to one LEM Management Server/Virtual Appliance.
2. nDepth Servers: have Syslogs and Windows Event Logs sent over the WAN to nDepth VMs (one for each site), which are then referenced by one LEM Management Server/Virtual Appliance.
3. Virtual Appliances: have Syslogs and Windows Event Logs sent over the WAN to multiple LEM Management Servers/Virtual Appliances.
4. Combination: send Syslogs and Windows Event Logs sent to on-site Kiwi Syslog Server, which forwards to nDepth Servers referenced by multiple LEM Management Servers/Virtual Appliances.

Questions about the above:

• Licensing: When Windows Event Logs are converted to Syslogs with Log Forwarder, are those nodes then counted as Workstation or Universal Licenses?
• Database: When required to retain logs for a year, is it best to use a separate nDepth server from your Management Server(s)?
• Performance: Storage aside, is it best to have multiple Management Servers for performance reasons?

jrouviere

Here are some of my thoughts on this question, but if you're wanting to make configuration changes based on these answers I would confirm it with Support first:

Licensing - Last I was aware, monitoring windows nodes via the syslog even forwarder isn't supported.  That's what the agent is for.  If you are able to get the data to flow through and it is reaching the LEM, then it should follow the same rules.  Typically you are charged license by the node, but in reality you're charged by the IP address where the logs are generated.  So seeing the source IP addresses for the forwarded machines, just like with your syslog nodes and Kiwi, you're still going to consume a license per node.  Using Kiwi doesn't create a situation where you're monitoring less nodes, in fact, each kiwi server would take up its own license at least if you're using it with the agent.

Database - There are some missing variables here.  Having separate ndepth servers would make it so that the ndepth database doesn't impact the retention of the alert database if you have separate appliances for that, but there's no way for me to say that by doing that you will reach 1 year retention.  That would require setting it up or at least knowing what your setup is now and we could make some educated guesses, but you wouldn't know for sure without some additional data.  This may be something worth reaching out to Support in order to get a better picture.

Performance - This depends on how you're setting it up again.  All of your Kiwi servers, agents, ndepth and syslog servers are all going to eventually send their data to one management server.  If you are generating 200-400 million events per day and are correctly sized and configured you should be fine with one management server.  In some cases it might be worth having in-region management servers, but in general if you're not generating enough events to warrant it, one management server should suffice.

In case you haven't seen it, here is a KB for that event number that can get you started with some of that information and another KB on database retention:

LEM system requirements - SolarWinds Worldwide, LLC. Help and Support

Live Data Storage Retention in LEM - SolarWinds Worldwide, LLC. Help and Support