7 Replies Latest reply on Nov 4, 2014 11:31 AM by byrona

    Managing multiple LEM appliances


      As we expand our number of LEM appliances I am finding I need a method for centralized management and I am curious what the best way to do this would be?  We are a solution provider that implements these appliances for our clients so this will continue to be a growing problem as long as we use LEM as our SIEM solution.


      I understand that it's possible to use one console to manage multiple managers; however, I have not found a good place where this is documented.  I would like to know what the capabilities are, what the limitations are, what the security implications are (is the data encrypted, etc.) and what the network requirements for the communications are.  Does the document for that exist and where might I find it (I should note that I did actually look for this documentation but was unable to find it)?


      I know I had discussed some of this a while back with colby but I was unable to find that thread.


      Thanks in advance for any help on this!

        • Re: Managing multiple LEM appliances
          nicole pauls

          I don't think this is documented more than stating a fact that you can add more than one


          So, the way it works is that you add more managers from the Manage > Appliances tab, and you can access and manage all features of the console against all of them from a single console. There's one "primary" appliance where the web app is loaded from (the one in the URL) and the others are just a part of your config and connected to from your client individually.


          Data in Ops Center and Monitor will show from all appliances

          Searches in nDepth will search across all appliances

          Build functions will manage an individual appliance only

          Manage functions will manage an individual appliance only



          There tend to be more known issues with using things on multiple appliances, since it's not a common config that gets tested in customer sites exhaustively. Sometimes we see issues with running nDepth searches across appliances, for example, and you might see more known issues in release notes for multiple appliances.


          You do need to be running the same version of LEM or you could see some weird behavior when you launch the console from an appliance that's one version and connect to an appliance that's another.


          Scale is probably the big one. The real-time view of the console does not infinitely scale, so you will find that your real-time views are unable to keep up with the aggregate thousand+ events per second that you might see if you hook up several appliances.


          The data is encrypted as it is with a single manager->console as long as you use HTTPS. It's really the same exact connection as you'd get with a single console, you just have one "primary" where the app is downloaded from.


          On the networking side, it uses the same ports as a single console->appliance, and the same bandwidth, though obviously on the receiving/client side you'd have to multiply that by the # of appliances you're connecting to.

            • Re: Managing multiple LEM appliances

              Thanks for the info again Nicole! 


              This was kind of building off my earlier inquiry regarding Threat Intelligence Feeds.  I was hoping to manage multiple appliances from a single location so that I can add data to groups that I have created (known bad IPs as an example) on multiple LEM appliances.  Doing it from one console would save me a lot of time unless you have some thoughts on any better ways I might accomplish this?


              I really do appreciate you always taking the time to answer my questions and engage my thought process.  Sorry if I am always trying to push the limits of the product in directions that it may not want to go.  I am always trying to address increasing demands from our customers and find the most efficient methods to deliver our services.

                • Re: Managing multiple LEM appliances
                  nicole pauls

                  That sounds right. We built this ability so that people could distribute LEM appliances and monitor from a single place - usually it's a single environment with multiple departments or regions (like a bank holding company with multiple banks, or a geographically dispersed company with several LEM deployments per region but a parent datacenter that also needs visibility).


                  You should also be able to import/export those groups across appliances for when you need them ON the appliance (for things like scheduled searches or rules where they run from the appliance, not the console). Create on appliance 1, export, import into appliance 2, etc.


                  I'd say you're pulling LEM in exactly the direction it's intended, we just haven't made it as far as you have yet.

                • Re: Managing multiple LEM appliances

                  colby, I may have asked this before, and I apologize if I have, but how is a distributed LEM environment licensed?  Do you only need to license the total number of nodes logging to the solution or do you need to license each LEM appliance in the solution?  If you have some documentation or white papers on this I would be happy to read those if you want to point me to them.