1 of 1 people found this helpful
Connectors get configured where the logs will be normalized. This means that for most syslog devices, where the data is sent to LEM in raw syslog format and the LEM appliance is doing the normalization, you would configure the connectors on the LEM appliance (under Manage --> Appliances).
System and application logs are getting collected and normalized by the agents on your servers and workstations, so those connectors are configured on the agents (under Manage --> Nodes).
Now, it's possible to have a node collecting syslog or other sorts of data. For example, say you have Kiwi Syslog (running on a Windows server) in a data center. All the network gear sends syslog to the Kiwi server, and the LEM agent runs on the Kiwi server. In Kiwi, you set up filters so that data from all the Cisco IOS devices goes into CiscoLogs.txt and all the data from Juniper goes into JunosLogs.txt, and all the data...etc. You'd configure a Cisco IOS connector for the Agent on the Kiwi Syslog Server to read C:\...some path...\CiscoLogs.txt, and a JunOS connector to read JunosLogs.txt.
You can theoretically get an Agent on a Windows or Linux box to reach out to Checkpoint as an Opsec client, and pull the logs to that Agent before they're sent to LEM, but in most cases you'd have the LEM making that pull directly.
Having the "syslog server with an Agent" can be useful because the Agent is smart enough to handle network outages, and syslog typically is not.
Pulling data into a server/agent and then forwarding can also help with resourcing on the LEM. The Agent has a lot less work to do, so it can normalize a more events with fewer resources than the LEM appliance can, since the appliance has to do all that correlation/database/reporting stuff as well.