This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

LEM and NPM

We are putting in a new LEM install and have had NPM up for awhile. Currently all out Network infrastructure (cisco Switches, wireless controllers, etc) send syslog data to the NPM device.

I did find an article that refernces configuring Alerts in NPM to be sent to LEM, but I would like the Syslog data to go directly to LEM. Can the data be sent to both?

Or maybe the question should be should I want it sent to both, I am thinking that there would be value in LEM seeign all the data so it can be analyzed instead of just a small list of configured alerts from NPM. Whats the best way to set these systems up to get the most out of these two products together?

  • FormerMember
    0 FormerMember

    What I'd do is send to both places at least while you're coming up to speed on LEM. This will help you use a familiar interface, duplicate what you have in LEM, then cycle out of sending to both when you're comfortable you've got what you need. It might be a week, it might be a while, but it always helps when you have something familiar to base your comparison on.

    You should be able to replace your simple alerts in NPM with simple alerts in LEM, and take advantage of features LEM has that NPM doesn't. With LEM, you'll be able to set up more complex thresholds (notify me after X occurrences in Y seconds/minutes), monitor the feed of data in real-time with charts & graphs that also update in real time, use LEM's search to get more insight about the historical data over time, and report on that data in context with other data if you've got needs in that area.

    I think only sending the alerts from NPM to LEM (rather than all of the data) will limit the visibility into your data. You'd basically only be sending the ones you know you're interested in, but LEM's real-time monitoring, correlation, and search capabilities would be hindered. Going the other way might make sense once you know what you are looking for - correlating events in LEM and alerting NPM with them.

    All of those devices (to my knowledge) do support sending to multiple syslog destinations, so you'll just want to go in and add the LEM appliance as a syslog destination in addition to your existing NPM server.

  • Just to add my 2 cents (or $20 adjusted for inflation),

    I have my traps and syslogs going to both my NPM and LEM.  I use the NPM as a trending and a real-time window and use the LEM also for trending but historical review of such.  Having it go to the LEM allows me to see a bigger picture when I am troubleshooting an issue or looking for bottlenecks/errors.