Submit a ticketCall us

whitepaperYour VM Perplexities Called, and They Need You to Read This.

Virtualization can give you enormous flexibility with future workloads and can be a key enabler for other areas, like cloud computing and disaster recovery. So, how can you get a handle on the performance challenges in your virtual environment and manage deployments without erasing the potential upside? Learn the four key areas you need to be focusing on to help deliver a healthy and well-performing data center.

Get your free white paper.

Home > Success Center > Log & Event Manager (LEM) > Log & Event Manager (LEM) Documentation > Log & Event Manager Installation Guide > LEM deployment examples

LEM deployment examples

Updated: August 30, 2017

This topic will help get you started planning your LEM architecture. The examples show different LEM deployment options.

Simple deployment example

The following deployment example uses one central syslog server to collect log data from your network devices in a local network. In this deployment, network devices use TCP or UDP to send syslog data to the LEM Manager's syslog server, whereas LEM Agents running on workstations and servers just use TCP to push log data to the LEM Manager.


The syslog server receives logs on port 514 and saves the data in the LEM Manager /var/log file partition. Log file names vary based on the target facility configured on the network device.

The LEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the syslog server running on the LEM Manager. If your log sources are located behind firewalls, see SolarWinds LEM port and firewall information to open the necessary ports. For a list of all ports required to communicate with LEM, see the SolarWinds Port Requirements for SolarWinds Products Guide.

Complex deployment example with multiple syslog servers

The following deployment example uses two syslog servers located in different cities. LEM can capture logs from multiple remote locations across wide area network (WAN) links. Because the LEM Agent includes built-in encryption, compression, and buffering capabilities, this can be done securely and efficiently.


Instead of using the syslog server built in to the LEM Manager component, this design calls for one syslog server per location. When using a detached syslog server, you need to install a LEM Agent on each detached server, and then enable the appropriate connectors on the LEM Agent. Following configuration, the LEM connectors normalize raw log messages into LEM events.

If you cannot add new logging hosts on your network devices due to restrictive change management processes, consider implementing this multi syslog server deployment example to leverage your existing syslog servers.

Complex deployment example with multiple LEM VMs

To increase performance, you can divide LEM's workload across multiple LEM VMs. Each VM can be configured to provide dedicated processing for tasks such as:

  • Management and event analysis
  • Database storage, search, and reporting
  • Log storage, search, and analysis
  • Log collection

Although multi-VM LEM installations are possible, 98% of all LEM deployments perform well as a single appliance that you can scale up by dedicating additional resources from the virtual host.

Each LEM VM can specialize and provide dedicated processing for one or more of the following:

  • Management and event analysis
  • Database storage, search, and reporting
  • nDepth log storage, search, and analysis
  • Log collection

The following diagram shows four LEM VM instances. One each for the LEM Manager, syslog collection, the normalized data store, and an optional original data store.


Deploying each LEM VM on separate hardware increases performance. You can also deploy multiple VMs on the same hardware host with minimal negative performance impacts.

LEM allows you to assign resources in different ways based on your organization's needs. For example, you can deploy two LEM Managers, each on a separate VM if your organization has logical divides in management and/or monitoring responsibilities.


In the above example a single LEM console provides a consolidated, real-time search and management view across two LEM VMs.

See also:

Last modified