Submit a ticketCall us

Bridging the ITSM Divide
Integrated help desk and remote support software for faster resolution

Join us on Wednesday, November 29, 2017 at 11 a.m. CT, as we discuss the benefits of effectively integrating your help desk software with remote support solutions to help increase the efficiency of IT administration, improve communication, and decrease mean time to resolution (MTTR) for IT issues of all sizes. This directly impacts end-user satisfaction and your business’ bottom line. Register Now.

Home > Success Center > Log & Event Manager (LEM) > Log & Event Manager Installation Guide > About the LEM components

About the LEM components

Updated: August 30, 2017

This topic describes the software components that make up a typical SolarWinds LEM deployment. Review this topic to get a better understanding of how LEM should be deployed on your network.

In this topic:

Overview

The following illustration shows the software components, log files, and network protocols in a typical SolarWinds LEM deployment.

File:Success_Center/Reusable_content_-_InfoDev/LEM/Log_and_Event_Manager_Installation_Guide/LEM_Installation_Guide/0010-LEM_installation_overview/0010-About_the_LEM_components/lem_architecture2_572x427.png

A complete LEM installation includes the following components:

  • The LEM Manager (or LEM VM), which collects and processes log and event information. This component is installed first.
  • The desktop software or web client (not shown) that allows you to view LEM information from a desktop or laptop computer.

About the LEM Manager component

Originally, LEM was sold as a physical appliance that you deployed on your network. Today, the LEM Manager is the virtual image of a Linux-based appliance. The LEM Manager VM (virtual machine) can be easily deployed on a host computer running a VMware® or Microsoft® hypervisor.

The LEM documentation uses the term virtual machine (or VM) to refer to the LEM virtual appliance that runs on the hypervisor.

The LEM Manager collects and processes log and event information. It includes the following systems and services:

  • Hardened Linux® OS
  • Syslog Server and SNMP Trap Receiver
  • High compression, search-optimized database
  • Web server
  • Correlation engine

About the LEM Agent

The LEM Agent is installed on workstations, servers, and other network devices. It collects and normalizes log data in real time before it is sent to the LEM Manager. It also collects security data such as Windows Event Logs, a variety of database logs, and local antivirus logs on each device and transmits that data over TCP to the LEM Manager. The LEM Agent has a small footprint on the device and prevents log tampering during data collection and transmission.

You can also use the LEM Agent with devices that support syslog. The Agent transmits syslog messages over TCP to the LEM Manager. TCP is preferred over UDP because TCP ensures messages arrive intact.

The LEM Agent provides the following benefits:

  • Captures events in real-time.
  • Encrypts and compresses the data for efficient and secure transmission to the LEM Manager.
  • Buffers the events locally if you lose network connectivity to the LEM Manager.

About Network devices

The following table lists some network resources that provide input to LEM Manager.

Network Resource LEM Input
Network Device log sources
(such as routers, firewalls, and switches
Syslog messages
Servers and applications LEM Agent data
Microsoft® Windows® Workstations LEM Agent data

SolarWinds NPM

SolarWinds SAM

SolarWinds Virtualization Manager (VMan)

SNMP traps (performance alerts)

See "Enable LEM to receive SNMP traps by turning on the SNMP Trap Logging Service" in the LEM Administrator Guide for details.

LEM accepts device input using the TCP and UDP protocols:

  • Network devices use TCP or UDP to send syslog events to the LEM Manager.

  • LEM Agents installed on servers and workstations use TCP to push data to the LEM Manager.

  • SolarWinds Orion/VMan server instances (including NPM and SAM) send SNMP traps over UDP to the LEM Manager.

About the LEM reports application

You can install the LEM Reports Console on a networked server to schedule and execute over 300 audit-proven reports. For added security, you can initiate the restrictreports command service to limit users by IP address to run these reports. If you are running LEM in Evaluation Mode, you can install the LEM Reports Console on any server or workstation that can access port 9001 in the LEM Manager.

Next steps:

 

Last modified

Tags

Classifications

Public