Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Discovery is consuming licenses

Discovery is consuming licenses

Table of contents


This article provides information about the auto-node discovery system detecting that PCs in your environment are sending logs directly to the LEM server. It indicates that new nodes are discovered and it automatically adds them to the active monitored nodes list.


LEM version 5.5 and later


Discovery happens if the IP address/host name of the log data is different than the IP address/host name of the agent. This is by design, as some users have collectors, and all of the original nodes need to be accounted for in the licensing count. If you are not doing that, there's probably an issue with a mismatch in the IP address the agent is reporting and the IP address the log is reporting.

If you find that there's something different about the machines (long host names or multiple IP addresses), the issue might be related to Symantec Endpoint logs. If you are forwarding, for example, Symantec Endpoint logs to LEM, LEM sees a different source IP (Symantec) and machines (Symantec Clients).

Given a scenario where you have a syslog server that is aggregating logs from various devices, and then forwards these logs to LEM, auto-node detection should pick up on this and assign a node to each of the devices forwarding logs to the syslog server.

In this scenario, some users choose to put an agent on a syslog server to aggregate that way rather than aggregate and forward syslogs.


Last modified