
IP or Hostname or appliance key

FormerMember

Hello All,

I am new to Solarwinds and wanted to know how it recognizes the firewall/gateway appliances. For example, there are two firewall appliances behind a single public IP. They are sending syslogs to LEM, which is hosted on the internet. Now, as LEM will receive syslogs from both firewalls with the same source IP, how is it going to differentiate and monitor both firewalls? I just want to understand whether LEM recognizes Nodes/Firewalls from the IP or whether it also looks at the appliance key/serial key/hostname from the syslog fields.

Please let me know if such scenario has been tested with LEM. If yes, please share your observations.

Thank you.

  • FormerMember
    0 FormerMember

    It will likely depend on how the syslog is received and the device. It's possible it will be able to differentiate them by the actual/internal IP. If you have the firewall log its IP/name in the log, it might also pick those up as the appliance names.

    Generally, LEM is going to try to parse the IP/hostname of the device out of the logs. It'll pick the syslog IP by default (if you look at syslog formatted messages, there's a <date> <ip/hostname> <message> format), but some devices can also log their IP/hostname within the message, and if syslog messages get forwarded from a syslog forwarder, it'll pick those up instead.

    What kind of device? Do you have it logging to LEM already, are you seeing the logs?

  • FormerMember
    0 FormerMember in reply to FormerMember

    Yes, I have pointed a Fortigate firewall to send syslogs to LEM, and when there is an IP change on the Fortigate, LEM detects it as a new node. I have seen ManageEngine and AlienVault identifying the Nodes based on Device Name, which is a unique serial no., so irrespective of IP change they detect it as a single appliance.

    Sample logs of Fortigate as below.

    <190>date=2016-05-24 time=20:15:25 devname=FGVM010000063601 devid=FGVM010000063601 logid=0100044546 type=event subtype=system level=information vd=root logdesc="Attribute configured" user="admin" ui="GUI(40.40.40.26)" action=Edit cfgtid=7274531 cfgpath="system.global" cfgattr="admin-ssh-port[222->22000]" msg="Edit system.global "

  • FormerMember
    0 FormerMember in reply to FormerMember

    Ah. Generally, LEM would lean toward using/identifying with the IP address as per syslog (or originating device if syslog forwarding is involved). Since licensing is based on # of nodes under management, it was/is the most logical first step, but it could leave room for improvement. Some folks on thwack have suggested being able to label or edit the names of devices, so we aren't stuck just using the device IPs, too.

  • FormerMember
    0 FormerMember in reply to FormerMember

    Well, I understand, but what about the Hostname option in the node? As I can see from the GUI, you can add a hostname or IP address. However, I tried using the hostname but it didn't help; eventually it shows the IP address of the sending node. Is there any way it can be dealt with using the FQDN/hostname so the dynamic IP issue can be addressed?

    Apart from this, is it possible to dump logs in file format into LEM, let's say from Syslog-NG?

  • FormerMember
    0 FormerMember in reply to FormerMember

    You could definitely syslog to a syslog-ng host, then put a LEM agent on that host to pick up the logs (or, you could send them to your syslog-NG host and forward them to LEM, but I don't know if the effect would be any different). You do need to make sure the format matches an expected syslog format and the files are statically named (i.e. no date in the current filename), but that would work.

  • FormerMember
    0 FormerMember in reply to FormerMember

    Thanks Nicole for your reply. How about adding nodes with Hostname? Can you share a use case? Let's take an example: one of the firewalls has registered with a Dynamic DNS provider as its IP address is changing, so instead of the IP we now have the FQDN abc.example.com, and we want to add the node with that FQDN so that no matter which IP address it's receiving the syslogs from, it will detect it as a single appliance, as it will just resolve the FQDN to an IP address and match the table.

  • FormerMember
    0 FormerMember in reply to FormerMember

    So, LEM will present what's in the log data, and I think within LEM's syslog config the hostname resolution for syslog is off because it can create performance problems. It is a syslog-ng option, though, so if you syslogged to another syslog-ng host you could have it attempt to resolve the originating IP (as long as those DNS servers are there/able to resolve).

    e.g.

    <date> 192.168.1.1 <message>

    could become

    <date> firewall.internal <message>

    If you then configured LEM to watch that log, it WOULD send firewall.internal as the DetectionIP instead of 192.168.1.1.

    Also worth noting here is when you correlate activity within LEM rules, it does try to do DNS resolution, so if it sees an event from firewall.internal it would know it's the same as 192.168.1.1 (as long as that resolves in the DNS server LEM has configured). It's not common that you end up correlating based on DetectionIP, but it could happen.
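The thread turns on two sources of device identity: the `devid` serial carried inside the Fortigate message body (the sample line quoted earlier in the thread) and the `<date> <ip/hostname> <message>` syslog header that a syslog-ng relay can rewrite from IP to name. The script below is an added example, not LEM or SolarWinds code, showing how a collector could derive a stable node id in that order of preference: `devid` from the body, then the header host (resolved to a name when it is an IP), then the packet source IP. The `REVERSE_DNS` table and the second and third sample events are constructed stand-ins for a real resolver and for traffic after an IP change; the function names are this example's own.

```python
"""Derive a stable node identity from a syslog message (added example)."""
import ipaddress
import re
import shlex
from typing import Callable, Dict, Optional, Tuple

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# "<date> <ip/hostname> <message>" header as described in the thread (RFC 3164 style).
BSD_HDR_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)

# Constructed reverse-DNS table standing in for the DNS server a relay would query.
REVERSE_DNS: Dict[str, str] = {"192.168.1.1": "firewall.internal"}

# Constructed sample events as (packet source IP, raw syslog payload):
#  1. the Fortigate line quoted in the thread,
#  2. the same device after an IP change (constructed),
#  3. a BSD-style header whose host field is an IP (constructed).
SAMPLE_EVENTS = [
    ("203.0.113.10", '<190>date=2016-05-24 time=20:15:25 devname=FGVM010000063601 '
     'devid=FGVM010000063601 logid=0100044546 type=event subtype=system '
     'level=information vd=root logdesc="Attribute configured" user="admin" '
     'ui="GUI(40.40.40.26)" action=Edit cfgtid=7274531 cfgpath="system.global" '
     'cfgattr="admin-ssh-port[222->22000]" msg="Edit system.global "'),
    ("203.0.113.11", '<190>date=2016-05-24 time=21:03:07 devname=FGVM010000063601 '
     'devid=FGVM010000063601 logid=0100044546 type=event subtype=system '
     'level=information vd=root logdesc="Attribute configured" user="admin" '
     'action=Edit msg="Edit system.global "'),
    ("192.168.1.1", "<190>May 24 20:16:00 192.168.1.1 kernel: link up"),
]


def static_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for reverse DNS."""
    return REVERSE_DNS.get(ip)


def split_pri(raw: str) -> Tuple[Optional[int], Optional[int], str]:
    """Strip the <PRI> prefix; PRI = facility * 8 + severity."""
    m = PRI_RE.match(raw)
    if not m:
        return None, None, raw
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_fortigate_kv(body: str) -> Dict[str, str]:
    """Fortigate bodies are space-separated key=value pairs; values may be double-quoted."""
    fields: Dict[str, str] = {}
    for token in shlex.split(body):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def identify_node(source_ip: str, raw: str,
                  resolver: Callable[[str], Optional[str]] = static_resolver) -> Dict[str, object]:
    """Return the node id plus which evidence it was taken from."""
    facility, severity, body = split_pri(raw)
    result: Dict[str, object] = {"source_ip": source_ip, "facility": facility, "severity": severity}

    # 1. Device serial inside the message survives any IP change.
    if body.startswith("date="):
        fields = parse_fortigate_kv(body)
        if fields.get("devid"):
            result.update(node_id=fields["devid"], basis="devid")
            return result

    # 2. Host field of a BSD syslog header, resolved to a name when it is an IP.
    m = BSD_HDR_RE.match(body)
    if m:
        host = m.group(2)
        if is_ip(host):
            host = resolver(host) or host
        result.update(node_id=host, basis="header")
        return result

    # 3. Last resort: the packet source IP, resolved if possible.
    result.update(node_id=resolver(source_ip) or source_ip, basis="source_ip")
    return result


if __name__ == "__main__":
    for src, raw in SAMPLE_EVENTS:
        r = identify_node(src, raw)
        print(f"{src:>14} -> {r['node_id']} (from {r['basis']})")
```

Running it shows the two Fortigate events collapsing onto `FGVM010000063601` despite different source IPs, while the BSD-header event is reported as `firewall.internal`, which is the rewrite the syslog-ng relay described above would produce. Whether a given SIEM keys its node table on that value or on the source IP is exactly the licensing question raised in the thread.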