3 Replies Latest reply on Mar 11, 2013 3:52 PM by nicole pauls

    Question concerning auto-discovery of new Nodes.

    martindl76

      Hello all, I am curious if anyone else is experiencing what I am after the LEM 5.5 upgrade. The auto-node discovery system is detecting that PCs in my environment are sending logs directly to my LEM server. This is incorrect. It indicates that new nodes are discovered, and no matter what I do after that point it automatically adds them to the active monitored nodes list. As one might be able to derive from this information, licenses can quickly start to diminish. Is there a way to turn off this feature, tune it, or just prevent the detected nodes from being added, thus unnecessarily using a license? Also, is there an explanation for why this occurs?

        • Re: Question concerning auto-discovery of new Nodes.
          nicole pauls

          This should only occur if the IP address/hostname of the log data is different from the IP address/hostname of the agent. There's no way to turn it off since it's by design - some people have collectors, and we need to be sure that all of the original nodes are accounted for in the licensing count. Assuming you're not doing that, there's probably some kind of mismatch in the IP address the agent is reporting vs. the IP address the log is reporting.


          We do have ways to improve the detection in case it's failing in a specific way related to DNS lookups, but we've only had that come up once or twice.


          Anything interesting about the machines? Long hostnames? Multiple IP addresses?

            • Re: Question concerning auto-discovery of new Nodes.
              martindl76

               After reading the reply it begins to make sense. The nodes that are detected are mostly related to Symantec Endpoint logs. We are forwarding Symantec Endpoint 11 logs to LEM. I am assuming LEM is seeing the different source IP (Symantec) and machines (Symantec clients). This may account for the issue. So if my understanding is correct... given a scenario where we have a syslog server that is aggregating logs from various devices and then forwards these logs to LEM... auto node detection should pick up on this and assign a node to each of the devices forwarding logs to the syslog server? Correct me if I am wrong here.

                • Re: Question concerning auto-discovery of new Nodes.
                  nicole pauls

                  That makes sense.


                  And yes, that sounds correct - the originating device IP should always be passed on, though some syslog servers have an option you might have to enable (otherwise you can't tell where the data came from, which sucks for other reasons). Some people choose to put an agent on the syslog server to aggregate that way rather than aggregate and forward syslog.
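The two replies above describe the rule that drives discovery: a log whose header hostname does not match the IP/hostname of the agent or relay that delivered it is treated as a separate originating node, and a relaying syslog server passes that original hostname on. The script below is an added example, not code from the thread or from SolarWinds LEM; it models that rule so you can run a captured syslog stream through it before forwarding and see how many distinct nodes a relay would expose. The sample events, the agent-to-IP map and the hostname normalization (short label vs. FQDN, answering the "long hostnames" question) are my assumptions; LEM's actual matching may differ.

```python
import re
from collections import defaultdict

# RFC 3164-style line: <PRI>TIMESTAMP HOSTNAME TAG: MSG
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# Constructed sample: (IP of the peer that delivered the line, raw syslog line).
# 10.0.0.5 is a syslog relay with an agent on it; 10.0.0.7 is a host logging about itself.
SAMPLE_EVENTS = [
    ("10.0.0.5", "<13>Mar 11 14:02:10 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9"),
    ("10.0.0.5", "<13>Mar 11 14:02:11 sw-core-02 %LINK-3-UPDOWN: Interface Gi1/0/4 down"),
    ("10.0.0.5", "<13>Mar 11 14:02:12 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.4"),
    ("10.0.0.5", "<13>Mar 11 14:02:13 SYSLOG-RELAY sshd[2211]: Accepted publickey for ops"),
    ("10.0.0.7", "<14>Mar 11 14:02:14 sep-mgr-01 sshd[900]: session opened for user admin"),
    ("10.0.0.7", "this line is not syslog at all"),
]

# Constructed: agent IP -> hostname the agent reports for itself (assumed FQDN on the relay).
SAMPLE_AGENTS = {
    "10.0.0.5": "syslog-relay.corp.example",
    "10.0.0.7": "sep-mgr-01",
}


def parse_syslog(line):
    """Split a BSD syslog line into its PRI, timestamp, header hostname and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri, ts, host, msg = m.groups()
    pri = int(pri)
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": ts, "host": host, "msg": msg}


def same_node(header_host, sender_ip, agent_host):
    """True if the log's header hostname identifies the sending agent itself.

    Matches on the sender IP, the agent's reported hostname, or the short label
    of both (so 'host' and 'host.corp.example' are treated as one machine).
    """
    h = header_host.lower()
    if h == sender_ip:
        return True
    if agent_host is None:
        return False
    a = agent_host.lower()
    return h == a or h.split(".")[0] == a.split(".")[0]


def discover_nodes(events, agents):
    """Return ({sender_ip: [originating hosts that would count as new nodes]}, unparsed lines)."""
    new_nodes = defaultdict(set)
    unparsed = []
    for sender_ip, line in events:
        rec = parse_syslog(line)
        if rec is None:
            unparsed.append(line)
            continue
        if not same_node(rec["host"], sender_ip, agents.get(sender_ip)):
            new_nodes[sender_ip].add(rec["host"])
    return {ip: sorted(hosts) for ip, hosts in new_nodes.items()}, unparsed


def license_estimate(events, agents):
    """Number of distinct originating hosts, i.e. extra node licenses a relay would consume."""
    nodes, _ = discover_nodes(events, agents)
    return len({h for hosts in nodes.values() for h in hosts})


if __name__ == "__main__":
    nodes, unparsed = discover_nodes(SAMPLE_EVENTS, SAMPLE_AGENTS)
    for ip, hosts in nodes.items():
        print(f"relay {ip} exposes {len(hosts)} extra node(s): {', '.join(hosts)}")
    print(f"estimated extra licenses: {license_estimate(SAMPLE_EVENTS, SAMPLE_AGENTS)}")
    print(f"unparsed lines: {len(unparsed)}")
```

Run it against a short capture from your relay (the sender IP comes from the socket, the line is the payload) to see which header hostnames differ from the relay's own identity. If a relay rewrites the header to its own name, every device collapses into one node here, which is exactly the "can't tell where the data came from" situation described above.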