Submit a ticketCall us

AnnouncementsSystem Monitoring for Dummies

Tired of monitoring failures disrupting the system, application, and service? Learn the key monitoring concepts needed to help you create sophisticated monitoring and alerting strategies that can help you save time and money. Read the eBook.

Get your free eBook.

Home > Success Center > Log & Event Manager (LEM) > LEM - Knowledgebase Articles > Discovery is consuming licenses

Discovery is consuming licenses

Table of contents


This article provides information about the auto-node discovery system detecting that PCs in your environment are sending logs directly to the LEM server. It indicates that new nodes are discovered and it automatically adds them to the active monitored nodes list.


LEM version 5.5 and later


Discovery happens if the IP address/host name of the log data is different than the IP address/host name of the agent. This is by design, as some users have collectors, and all of the original nodes need to be accounted for in the licensing count. If you are not doing that, there's probably an issue with a mismatch in the IP address the agent is reporting and the IP address the log is reporting.

If you find that there's something different about the machines (long host names or multiple IP addresses), the issue might be related to Symantec Endpoint logs. If you are forwarding, for example, Symantec Endpoint logs to LEM, LEM sees a different source IP (Symantec) and machines (Symantec Clients).

Given a scenario where you have a syslog server that is aggregating logs from various devices, and then forwards these logs to LEM, auto-node detection should pick up on this and assign a node to each of the devices forwarding logs to the syslog server.

In this scenario, some users choose to put an agent on a syslog server to aggregate that way rather than aggregate and forward syslogs.


Last modified