i just wanted to understand LEM deployment for multiple sites. one of our customer has 4-5 different data centers having separate security devices at each sites. we suggested to deploy one central LEM having enough storage according to log size to archive the log data/backup. but client is asking about different-2 sensors at each location with one analyzer at central location. is that possible and what would be the architecture and flow.
Seeking for an expert advice .
What is the main driver for a "sensor" in each site? Is it bandwidth conservation? or a security concern?
See the section on using a detached Syslog server
Yes main concern for this is bandwidth . actually i am not aware of distributed type of deployment. could you please help me to understand that what is sensor and what is analyzer here in LEM?
Sensor and Analyzer are not really LEM terms. But if you look at the architecture, we are saying you can place a Syslog server in a remote location to capture the raw logs from the devices in that location and use the LEM Agent installed on it to normalized the logs and sent it to the central LEM in a compressed & encrypted manner. This represents a tremendous savings in bandwidth as opposed to send the syslog from the devices in a remote location directly to a central LEM. All the analysis (correlation rules) is done on the central LEM server
please let me know about some points:
> All the agents that are installed on syslog server, will be licensed based?
> what will be the compression ratio(a rough idea)
>All the syslogs that are coming on syslog servers, LEM agent will normalize that logs and send it to LEM or after coming to LEM ,logs will be normalized?
1. The agent installed on the syslog server will need 1 node license. If you have say 10 routers in a remote location sending logs to central LEM server, it would use 10 node licenses. By using a remote syslog server + an LEM agent on it, we are now talking 11 node licenses, i.e., 1 additional node license for each syslog server
2. It would be 100s:1 if not 1000s:1. Do your own bandwidth testing to see what you get but the point is logs do compress very well
3. Agent normalizes first (with the default connector output type setting "Alert")
> According to evaluation guide, only one source is sending logs. if we have multiple source at each location then should we create seperate-2 connectors and set the log location accordingly right?
> what about the syslogs/normalized logs that are stored on local syslog servers...after sending all to LEM, logs will be purged or need to delete(as per weekly or daily process) . actually concern is disk usgae becasue each location has approx 30-40 GB/day raw logs.
The LEM Agent itself has very minimal overhead. For Kiwi, you can find some guidelines here
something like 4GB 2GHz *should* be enough
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.