Hi,
If an agent is configured to communicate with an LEM manager, it will establish a TCP connection and you will see heartbeat traffic between the manager and agent. Only logs configured in the connector will be read and normalised data transmitted from the agent to the manager. Any rules which have an active response to perform an action on that specific agent node will also generate traffic between the manager and the agent. If you do a packet capture, you can filter this to the TCP ports configured when installing the agent.