
LEM architecture

Created by Caroline Juszczak, last modified by Caroline Juszczak on Jul 20, 2016


LEM gathers and correlates logs and events and defends your network using the SolarWinds LEM Active Response Technology. The following illustration shows the typical log sources, LEM software components, and the network protocols in a SolarWinds LEM deployment.

[Figure: LEM architecture diagram (LEM_Architecture2_572x427.png)]

Advanced deployment architecture

You can leverage LEM Agent features (such as encryption, compression, and buffering) to capture logs from remote locations across unreliable wide area network (WAN) links. The following illustration shows a sample deployment with two separate locations. You can also implement this scenario when your change management processes prevent adding new logging hosts on your network devices.

[Figure: advanced deployment architecture diagram (LEM_Architecture_Advanced_595x345.png)]

This design detaches and distributes syslog servers in separate locations instead of relying on the single syslog server in the LEM Manager; both locations include a local syslog server. The LEM connectors normalize the original log messages into LEM events. If you deploy a detached syslog server, install a LEM Agent on the detached server, and then enable the appropriate connectors on the LEM Agent.

Automatic log scanning does not apply to the LEM Agent. However, new nodes can be discovered by the enabled connectors.
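As an added example (not SolarWinds code, and not the LEM connector implementation or LEM's event schema), the following Python normalizer shows in general what the connector step above does: it takes raw RFC 3164 (BSD-style) and RFC 5424 syslog lines, decodes the PRI value into facility and severity, and emits a uniform event record, keeping lines it cannot parse rather than dropping them. The sample lines are constructed, and the output field names are assumptions made here.

```python
"""Normalize raw syslog lines into a common event record.

Added example, not SolarWinds code. Field names in the output dict are
assumptions, not the LEM event schema.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Facility and severity names from the syslog PRI encoding: PRI = facility*8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message          (RFC 3164, BSD syslog)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:? ?(?P<msg>.*)$")
# <PRI>1 timestamp host app procid msgid structured-data message   (RFC 5424)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names; valid PRI is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def normalize(raw: str, received_at: Optional[datetime] = None) -> Dict:
    """Return a normalized event; unparseable lines become 'unknown' events, never dropped."""
    received_at = received_at or datetime.now(timezone.utc)
    m = RFC5424.match(raw) or RFC3164.match(raw)
    if m is None:
        return {"format": "unknown", "raw": raw, "received_at": received_at.isoformat()}
    facility, severity = decode_pri(int(m.group("pri")))
    is_5424 = m.re is RFC5424
    pid = m.group("pid")
    return {
        "format": "rfc5424" if is_5424 else "rfc3164",
        "facility": facility,
        "severity": severity,
        "host": m.group("host"),
        "source": m.group("app") if is_5424 else m.group("tag"),
        "pid": None if pid in (None, "-") else pid,
        "timestamp": m.group("ts"),      # left as sent; the receiver's clock is in received_at
        "message": m.group("msg"),
        "raw": raw,                       # original text kept for audit and re-parsing
        "received_at": received_at.isoformat(),
    }


# Constructed sample lines (not captured from real devices).
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[2021]: Failed password for root from 192.0.2.10 port 51424 ssh2",
    "<165>1 2016-07-20T11:48:00Z core-sw1 ios 1 LINK - Interface GigabitEthernet0/1, changed state to down",
    "this is not syslog",
]


def normalize_all(lines: List[str] = SAMPLE_LINES) -> List[Dict]:
    """Normalize a batch of lines in order."""
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev["format"], ev.get("facility"), ev.get("severity"),
              ev.get("host"), ev.get("message", ev["raw"]))
```

The parser tries RFC 5424 first because its fixed "1 " version marker cannot match a BSD line, while the looser BSD pattern could otherwise swallow a 5424 header. Keeping the original text in every record matters for later investigation: normalization is lossy by design, and the raw line is what you re-parse when a connector's pattern turns out to be wrong.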

LEM Manager

The LEM Manager hosts the LEM virtual appliance, a virtual image of a Linux-based physical computer that collects and processes log and event information. You can deploy the LEM virtual appliance on LEM Manager with the supported VMware or Microsoft hypervisors.

The LEM Manager is the LEM virtual appliance deployed on a host system in your corporate enterprise. This device includes:

  • Hardened Linux OS
  • Syslog Server and SNMP Trap Receiver
  • High compression, search optimized database
  • Web server
  • Correlation engine

Network devices send syslogs to the LEM Manager over TCP or UDP. LEM agents installed on servers and workstations initiate TCP connections and push data to the LEM Manager.

The following table lists the resources that provide input to LEM Manager.

Resource                                            LEM input
--------------------------------------------------  -----------------------------------------
Network device log sources                          Syslog messages
(such as routers, firewalls, and switches)
Servers and applications                            LEM agent data
Microsoft Windows workstations                      LEM agent data
SolarWinds NPM, SolarWinds SAM, and SolarWinds      Performance alerts received as SNMP traps
Virtualization Manager (VMan)

LEM Agent

The LEM agent collects and normalizes log data in real time before processing by the virtual appliance. LEM agents are installed on workstations, servers, and other network devices. They collect log data from security products (such as anti-virus software and network-based intrusion detection systems) on each device and transmit the data over TCP to the LEM Appliance.

The LEM agent is the primary tool for collecting syslog data over TCP from servers, applications, and workstations. You can install the LEM Agent on each device to transmit syslog messages over TCP to the LEM Manager. The LEM Agent has a small footprint on the device and provides several benefits that help prevent log tampering during data collection and transmission.

Using LEM agents, you can:

  • Capture events in real-time.
  • Encrypt and compress the data for efficient and secure transmission to the LEM Manager.
  • Buffer the events locally if you lose network connectivity to the LEM Manager.
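As an added example, not the LEM Agent's own code or wire protocol, the following Python store-and-forward transport shows the three properties listed above (and relied on by the WAN deployment earlier on this page) working together: events queue in a bounded local buffer while the link to the manager is down, are replayed in order once it returns, and each batch is compressed and carries an HMAC tag that the receiving side verifies before it decompresses anything. The Forwarder and ManagerLink classes, the shared key, and the sample events are all constructed here; a real transport would additionally run over TLS.

```python
"""Store-and-forward agent transport with local buffering, compression and integrity tags.

Added example, not SolarWinds code or the LEM Agent protocol. Forwarder, ManagerLink,
the HMAC tag format and the shared key are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import zlib
from collections import deque
from typing import Callable, Deque, Dict, List

TAG_LEN = 32  # SHA-256 HMAC


class ManagerUnreachable(Exception):
    """Raised by the link when the manager cannot be reached (modelled WAN outage)."""


def pack_batch(events: List[Dict], key: bytes) -> bytes:
    """Serialize, compress and tag a batch: tag(32 bytes) || zlib(json)."""
    payload = zlib.compress(json.dumps(events, separators=(",", ":")).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def unpack_batch(blob: bytes, key: bytes) -> List[Dict]:
    """Verify the tag first; a modified batch is rejected before it is decompressed."""
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest()):
        raise ValueError("batch integrity check failed")
    return json.loads(zlib.decompress(payload))


class Forwarder:
    """Agent side: buffer events locally and push them to the manager when the link is up."""

    def __init__(self, send: Callable[[bytes], None], key: bytes, max_buffer: int = 10000):
        self._send = send
        self._key = key
        self._buffer: Deque[Dict] = deque(maxlen=max_buffer)  # oldest event dropped when full
        self.dropped = 0    # overflow is counted so a gap in the record is visible
        self.delivered = 0

    def emit(self, event: Dict) -> None:
        if len(self._buffer) == self._buffer.maxlen:
            self.dropped += 1
        self._buffer.append(event)
        self.flush()

    def flush(self) -> bool:
        """Attempt delivery of everything buffered; True if the buffer is empty afterwards."""
        if not self._buffer:
            return True
        batch = list(self._buffer)
        try:
            self._send(pack_batch(batch, self._key))
        except ManagerUnreachable:
            return False          # keep the events; retry on the next emit() or flush()
        self._buffer.clear()
        self.delivered += len(batch)
        return True

    @property
    def buffered(self) -> int:
        return len(self._buffer)


class ManagerLink:
    """Simulated link to the manager; flip `up` to model loss of WAN connectivity."""

    def __init__(self, key: bytes):
        self.up = True
        self.key = key
        self.received: List[Dict] = []

    def send(self, blob: bytes) -> None:
        if not self.up:
            raise ManagerUnreachable()
        self.received.extend(unpack_batch(blob, self.key))


def simulate_outage() -> Dict:
    """Constructed scenario: one event delivered, three buffered during an outage, then replayed."""
    key = b"constructed-shared-key"   # placeholder; a real deployment provisions a key per agent
    link = ManagerLink(key)
    fwd = Forwarder(link.send, key, max_buffer=100)
    fwd.emit({"seq": 1, "msg": "logon ok"})
    link.up = False
    for i in range(2, 5):
        fwd.emit({"seq": i, "msg": "event during outage"})
    buffered_during_outage = fwd.buffered
    link.up = True
    fwd.flush()
    return {"buffered_during_outage": buffered_during_outage,
            "received_seq": [e["seq"] for e in link.received],
            "delivered": fwd.delivered, "dropped": fwd.dropped, "left": fwd.buffered}


def tamper_rejected() -> bool:
    """Flip one bit of a packed batch in transit and confirm the receiver refuses it."""
    key = b"constructed-shared-key"
    blob = bytearray(pack_batch([{"seq": 1, "msg": "x"}], key))
    blob[-1] ^= 0x01
    try:
        unpack_batch(bytes(blob), key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(simulate_outage())
    print("tampered batch rejected:", tamper_rejected())
```

The buffer is deliberately bounded and the overflow counter is kept, because an agent on a remote site with a long outage has to choose between exhausting local storage and losing the oldest events; whichever policy you pick, the manager side should be able to see that a gap occurred. Verifying the tag before decompression is the same order a collector should use in general: untrusted input is authenticated first and parsed second.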

LEM Reports Console

You can install the LEM Reports Console on a networked server to schedule and execute over 300 audit-proven reports. For added security, you can initiate the restrictreports command service to limit users by IP address to run these reports. If you are running LEM in Evaluation Mode, you can install the LEM Reports Console on any server or workstation that can access port 9001 in the LEM Manager.

Network devices

The LEM Manager relies on routers, firewalls, and switches to transmit syslog messages to the syslog server running on the LEM Manager. If your change management process does not permit adding any further syslog servers to the network device configurations, you can implement a multi-syslog-server deployment architecture to leverage your existing syslog servers.

If your log sources are behind a firewall, see this KB article for port and firewall configuration.

Integration with SolarWinds products

Additional SolarWinds solutions such as Network Performance Monitor (NPM), Server & Application Monitor (SAM) and Virtualization Manager (VMan) can send performance alerts as SNMP Traps to the LEM Manager to correlate performance alerts with LEM events.

LEM uses additional data collection tools such as Web Services and SNMP Traps. Contact Customer Service for more information about integrating LEM into your corporate enterprise.

Security, audit policies, and best practices

For LEM appliance security information, see this KB article. For LEM audit policies and best practices, see this KB article.
