
Re: linux server agent and syslog/connectors


One main reason is that the Linux agent may not have a connector for the software being monitored - but the software is capable of syslog.  In this case the software would send the syslog to LEM.  LEM would then normalize the data and present it.

 

Syslog, of course, is very chatty and we want to limit this as much as possible.  So for other software on the same box which has a connector - we could use the agent to normalize the data and send it over to the manager.

 

You can also tell LEM to save the raw syslog, if needed.  But this will increase the database size.  I have had to do this only once for a client because the normalized syslog data of a firewall was dropping the URL information.  And the client wanted the URL information for archiving.  In this case the default LEM disk size was increased to the max.

 

Thanks

Amit

Loop1 System

