LEM sensor/analyzer deployment for multiple sites

Hi All,

I just wanted to understand LEM deployment for multiple sites. One of our customers has 4-5 different data centers with separate security devices at each site. We suggested deploying one central LEM with enough storage, sized according to log volume, to archive the log data/backup, but the client is asking about separate sensors at each location with one analyzer at a central location. Is that possible, and what would be the architecture and flow?

Seeking expert advice.




What is the main driver for a "sensor" in each site? Is it bandwidth conservation? or a security concern?

See the section on using a detached Syslog server


Hi,

Yes, the main concern for this is bandwidth. Actually, I am not aware of the distributed type of deployment. Could you please help me understand what the sensor and the analyzer are here in LEM?


Sensor and Analyzer are not really LEM terms. But if you look at the architecture, we are saying you can place a Syslog server in a remote location to capture the raw logs from the devices in that location and use the LEM Agent installed on it to normalize the logs and send them to the central LEM in a compressed and encrypted manner. This represents a tremendous savings in bandwidth as opposed to sending the syslog from the devices in a remote location directly to a central LEM. All the analysis (correlation rules) is done on the central LEM server.

Thanks,

Please let me know about some points:

> All the agents that are installed on syslog servers will be license-based?

> What will be the compression ratio (a rough idea)?

> Will the LEM agent normalize all the syslogs that arrive on the syslog servers before sending them to LEM, or will the logs be normalized after arriving at LEM?


1. The agent installed on the syslog server will need 1 node license. If you have, say, 10 routers in a remote location sending logs to the central LEM server, it would use 10 node licenses. By using a remote syslog server + an LEM agent on it, we are now talking 11 node licenses, i.e., 1 additional node license for each syslog server.

2. It would be 100s:1 if not 1000s:1. Do your own bandwidth testing to see what you get, but the point is logs do compress very well.

3. Agent normalizes first (with the default connector output type setting "Alert").
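The "do your own bandwidth testing" advice above can be turned into a quick measurement. The script below is an added example and is not part of the thread, LEM, or the LEM Agent: it parses constructed RFC 3164-style syslog lines into a flat event dict (an illustrative schema, not LEM's), then compares the bytes that would cross the WAN if raw syslog were forwarded directly versus normalized-then-gzipped batches from a site agent. The ratio it reports depends entirely on how repetitive the real log stream is, which is exactly why it is worth measuring on a sample of each site's own logs.

```python
import gzip
import json
import re

# RFC 3164-style line: "<PRI>Mmm dd hh:mm:ss host message"; PRI = facility*8 + severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def parse_syslog(line):
    """Normalize one raw syslog line into a flat event dict (illustrative schema)."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Keep unparseable lines rather than dropping them; flag so the receiver can see it.
        return {"host": None, "facility": None, "severity": None, "msg": line, "parse_error": True}
    pri = int(m.group("pri"))
    return {"host": m.group("host"), "facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "msg": m.group("msg"), "parse_error": False}

def constructed_site_logs(n=500):
    """Constructed sample (not from any real device): repetitive connection-built messages
    with the kind of per-line variation (ports, addresses, seconds) a perimeter device emits."""
    return [
        f"<134>Mar 10 12:{(i // 60) % 60:02d}:{i % 60:02d} fw-site1 conn built tcp "
        f"src=10.0.{i % 256}.{(i * 7) % 256}:{40000 + i} dst=192.168.1.10:443 action=allow"
        for i in range(n)
    ]

def wan_bytes(lines):
    """Bytes on the WAN under the two designs discussed: raw syslog sent directly from each
    device, versus a site agent normalizing first and shipping compressed batches."""
    raw = "\n".join(lines).encode()
    normalized = "\n".join(json.dumps(parse_syslog(l), sort_keys=True) for l in lines).encode()
    return {"raw": len(raw), "raw_gzip": len(gzip.compress(raw)),
            "normalized_gzip": len(gzip.compress(normalized))}

def compression_ratio(lines):
    """Raw bytes divided by normalized+gzipped bytes, i.e. the WAN savings factor."""
    sizes = wan_bytes(lines)
    return sizes["raw"] / sizes["normalized_gzip"]

if __name__ == "__main__":
    sample = constructed_site_logs()
    sizes = wan_bytes(sample)
    print(f"raw: {sizes['raw']} B  raw+gzip: {sizes['raw_gzip']} B  "
          f"normalized+gzip: {sizes['normalized_gzip']} B  ratio: {compression_ratio(sample):.1f}:1")
```

Replace constructed_site_logs() with a day's worth of a site's real syslog to size the WAN link for that site; the same raw byte count, multiplied by retention days, also sizes the local syslog server's disk.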

Great,

> According to the evaluation guide, only one source is sending logs. If we have multiple sources at each location, then we should create separate connectors and set the log location accordingly, right?

> What about the syslogs/normalized logs that are stored on the local syslog servers? After sending everything to LEM, will the logs be purged, or do they need to be deleted (as a weekly or daily process)? Actually, the concern is disk usage, because each location has approx. 30-40 GB/day of raw logs.


Where does it say "one source" only in the evaluation guide?

It is up to the Syslog server to handle rotation, retention, etc. LEM doesn't delete them.


Can you help me figure out the system requirements for distributed syslog servers (like minimum RAM, CPU, etc.)?


The LEM Agent itself has very minimal overhead. For Kiwi, you can find some guidelines here:

System Requirements for Kiwi Syslog Server with Kiwi Syslog Web Access

and here:

Kiwi Syslog Server - System Requirements | Kiwi

Something like 4GB / 2GHz *should* be enough.
