Hide this message
Looking to compare latest NPM features with previous versions of NPM?
The NPM new feature summary offers a comparison of new features and improvements offered with this release.
As long as the SolarWinds Log and Event Manager Agent service is running, it will collect and normalize log data from its host's operating system and any third party security product it is configured to monitor. When the LEM Agent is connected to a LEM Manager, it sends the normalized log data to the LEM Manager in real time, resulting in a constant, secure, bandwidth-friendly flow of data.
When the LEM Agent is not connected to its LEM Manager, for instance when a laptop disconnects from the network, it queues the normalized log data until such time as it is reconnected to the network. The reconnected LEM Agent then sends the queued data to the LEM Manager to be displayed and stored.
The major difference is that most rules on the LEM Manager are set to not fire on alerts more than 5 minutes old, so queued alerts typically won't trigger them. Similarly, when a LEM Agent is not connected to its LEM Manager, its traffic will not trigger any rules in real time either, since the rules, along with their active responses, reside on the LEM Manager, not the LEM Agent.
The one exception is when the LEM Agent has the USB Defender Local Policy tool configured. This tool allows LEM Administrators to maintain a list of approved users and devices that is stored locally with USB Defender on the LEM Agent. Once in place, the USB Defender Local Policy tool will automatically detach any USB mass storage device that does not match one or the other criterion, regardless of whether the LEM Agent is connected to the LEM Manager.