Does the LEM agent perform both data normalization and compression? If yes, how much compression is done by the agent before it sends data to the LEM manager?
In my case, I would be pointing the firewall to send syslog to the LEM agent machine, which would be in the same network. It could be Windows or Linux. If it's Windows, I will use Kiwi, and if it's Linux, I will use Syslog-NG. Further, this agent will forward the firewall syslog to the LEM manager.
So if the average syslog message sent by the firewall is 500 bytes, then what would be the approximate size of the message uploaded by the Agent to the Manager? I am asking this as I need to let the customer know how much bandwidth or data transfer will be used every day.
In this case, if the agent does data normalization, then will the Manager receive raw logs?
Once this data is received at the Manager, will it compress it again and store the data, or how is it actually done?