
Level of disruption for a LEM upgrade?

I am curious how long log collection disruption is when you upgrade a LEM appliance?

  • FormerMember

    UDP-delivered packets (syslog, SNMP traps) will be interrupted ONLY IF there's a reboot or restart of the syslog service during the upgrade. For a reboot, it depends on hardware, but probably 2-3 minutes. For a service restart, seconds. (This is one reason to consider a separate syslog server, if that is critical.)

    Agents will buffer their data while disconnected, so there won't be any loss of data, but they will be disconnected for some period of time. If the upgrade requires a reboot, again, a few minutes. If it's a service restart, a minute or two for everything to get re-enabled, and a few minutes for all the agents to reconnect (they reconnect on a cycle with some randomness, 30 seconds, 60 seconds, 1 minute, 2 minutes, 4 minutes, 8 minutes, 8, 8, 8 ... ).

    If you have a separate database/nDepth appliance, that data will also be queued for delivery when one or the other is back online.

    The queued/buffered data will be processed through correlations as long as it's within the "Response Window" for the correlation (default 5 minutes). The response window accounts for SLIGHTLY delayed but still real-time data. If it's older than that, the correlation engine will not process it against real-time rules, because you might be triggering responses and notifications on old data that's no longer relevant, and probably don't want to correlate old data with current data.
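The timing described in the reply above, modeled as an added example (not part of the original post and not the product's own code). It assumes the listed intervals are waits between reconnect attempts, ignores the randomness the reply mentions, and assumes buffered events are delivered at the moment the agent reconnects; all function names are hypothetical.

```python
from itertools import chain, repeat

# Waits between reconnect attempts in seconds, as listed in the reply
# (assumption: each value is the gap before the next attempt; jitter omitted).
RECONNECT_WAITS = [30, 60, 60, 120, 240, 480]
RESPONSE_WINDOW = 300  # default Response Window from the reply: 5 minutes


def reconnect_time(outage_seconds, waits=RECONNECT_WAITS):
    """Seconds after disconnect at which the first attempt finds the manager up."""
    elapsed = 0
    # After the listed waits are used up, the last one (8 minutes) repeats.
    for wait in chain(waits, repeat(waits[-1])):
        elapsed += wait
        if elapsed >= outage_seconds:
            return elapsed


def uncorrelated_span(outage_seconds, window=RESPONSE_WINDOW):
    """Length (seconds from disconnect) of the period whose buffered events
    arrive too old for real-time rules. They are stored, not lost."""
    return max(0, reconnect_time(outage_seconds) - window)


def classify_buffered(event_times, outage_seconds, window=RESPONSE_WINDOW):
    """Split events (seconds after disconnect) into those still inside the
    response window at delivery and those that are stored without correlation."""
    delivered_at = reconnect_time(outage_seconds)
    correlated, stored_only = [], []
    for t in event_times:
        age = max(0, delivered_at - t)  # events after reconnect are live
        (correlated if age <= window else stored_only).append(t)
    return correlated, stored_only


if __name__ == "__main__":
    # Constructed scenarios: a 2.5 minute reboot and a 400 second outage.
    for outage in (150, 400):
        print(outage, "s outage -> agent back at", reconnect_time(outage),
              "s; first", uncorrelated_span(outage), "s miss real-time rules")
    print(classify_buffered([0, 100, 200, 250, 500], 400))
```

Under these assumptions a reboot of a few minutes leaves every buffered event inside the default window, while an outage that pushes the agent into the longer waits delays delivery enough that the earliest events are stored without firing real-time rules.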