Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Distributed architecture?

Does LEM support any form of distributed architecture that would allow you to have collectors at different locations and/or networks where the data is then rolled up into a single interface for visualization, searching and reporting?

Find more posts tagged with

Accepted answers

All comments

curtisi

Yes. The solution would be deploying something like Kiwi Syslog Server in different network segments. Devices in those segments would send their syslog data to their segment's Kiwi server. The Kiwi machine would have the LEM Agent installed, which would take the data, normalize it, and send it on to the LEM for visualization, correlation and rules. The LEM would show the Kiwi server(s) as nodes, and the Kiwi servers would see the individual source hardware.

byrona

Hrm, I actually thought about this a while back and proposed it to some folks here. I feel silly for not thinking about it when I posted this request.

With that being said, I still think there should be a distributed architecture all within the LEM product.

curtisi

The LEM code-base includes an option for stripping the Manager functions and converting the LEM to a syslog server. This process launches an Agent on the syslog server and connects it back to the LEM Manager. The benefit of this deployment is that the conversion also regenerates the product support key in such a way that it will run forever for free. It also doesn't require as many resources (less memory) to run, since it's not doing any of the manager functions. The LEM syslog server can log more events per day than Kiwi.

(Some of) the gotchas:

Converting the LEM to a syslog server requires that you call support, as root access is needed to initiate the process
Converting the LEM to a syslog server is only an option if you have support on a LEM manager
The LEM syslog server will send every event on to the LEM manager, which may result in undesirable amounts of traffic

The Kiwi solution has a couple of things it can do that LEM can't: for example, you can set rules in Kiwi to filter which events get forwarded to the LEM Manager. This means that the amount of chatter between Kiwi and LEM can be controlled, and if a lot of events you don't care about are occurring in a network segment, you can stop them at Kiwi instead of sending them on to the LEM.

byrona

Thanks for the additional info. I have used Kiwi before and am familiar with it's capabilities, it's certainly a good option for the cost. I could certainly use Kiwi as a form of remote collector that sends back to LEM and for the cost it would make sense.

byrona

What Kiwi doesn't give me is the agent functionality, I would like to see a distributed architecture that leverages the agent capabilities. For example, if I had the ability to set a flag that would turn a single agent at a site as the relay agent that all of the other agents at that site talked to and then that relay agent would communicate back to the manager.

The other option would be a master of masters design where you have LEM systems that all report to a higher up master system. My understanding is that this partially exists now but not with full functionality.